U.S. flag

An official website of the United States government, Department of Justice.


Global Justice Information Sharing Initiative
gonin / shutterstock.com (see reuse policy).

The process section of the Privacy and Civil Liberties Policy Development Guide and Implementation Templates describes the substantive activities that will provide the foundation of the privacy and civil liberties policy. These activities are presented in progressing order as stages, or steps, that build upon each preceding stage. They begin with the task of understanding what information exchanges the privacy and civil liberties policy will be applied to, proceed through a guided legal analysis of laws and constraints regarding the specified exchanges, and conclude with the identification of unresolved critical issues and gaps that may require agency policymaking, agency rule making, or legislation.

Understanding Information Exchanges

Understanding the information exchanges—that is, determining what personally identifiable information the agency collects, manages, and protects—helps to define the scope of the project. This section outlines the four specific inquiry categories—information collection, information dissemination and access, information use, and information maintenance and retention—and provides the project team with lists of questions to ask regarding the information the agency gathers from within and outside the agency.

Understanding information exchanges will not only distinguish information that should be the subject of the policy development effort but will also pinpoint where that information is positioned along the continuum of a justice process.

Tools to Assist With Understanding the Flow of Information

The following tools or resources are provided to assist the project team in accomplishing this task.

1) Justice System Sequence of Events Flowchart
The U.S. Department of Justice (DOJ), Bureau of Justice Statistics (BJS), has produced a useful flowchart that depicts the sequence of events in the criminal justice system. This chart and a discussion of the events in the criminal justice system are included in Appendix B of this Guide and are also available online at https://www.bjs.gov/content/largechart.cfm. BJS updated this version from the original chart prepared by the President's Commission on Law Enforcement and the Administration of Justice in 1967. The chart portrays the most common sequence of events in the criminal and juvenile justice systems in response to serious criminal behavior, including entry into the criminal justice system, prosecution and pretrial services, adjudication, sentencing and sanctions, and corrections.

2) Justice Information Privacy Guideline
This comprehensive guide, the Justice Information Privacy Guideline: Developing, Drafting, and Assessing Privacy Policy for Justice Information Systems, published by the National Criminal Justice Association (NCJA), provides detailed information on the development and history of privacy policies, analysis of current widely accepted privacy guidelines, and specific tools for mapping information flows and conducting Privacy Impact Assessments.

3) Justice Information Exchange Model (JIEM) Tool
Developed by SEARCH, The National Consortium for Justice Information and Statistics, the Justice Information Exchange Model (JIEM) is a useful tool in planning and implementing justice integration projects. JIEM is a conceptual framework that defines the dimensions of information exchange; a research and planning methodology for modeling the operational dynamics of this information exchange; and a Web-based software application—the JIEM Modeling Tool—that enables data collection, analysis, and reporting by users and researchers. Although originally designed to aid the systems development process, the JIEM tool is also valuable for breaking down criminal justice processes into key decision points and identifying critical points where the justice community shares and accesses information electronically.

4) Privacy Impact Assessment (PIA)
The availability of information, from personal information to public information, is made all the easier today due to technological changes in computers, digitized networks, Internet access, and the creation of new information products. The E-Government Act of 2002 recognized that these advances also have important ramifications for the protection of personal information contained in government records and systems. Privacy Impact Assessment (PIA) is a comprehensive process designed to assist organizations in determining the effects of information services and sharing initiatives on individual privacy. Similar to a risk management approach, the fundamental components include project analysis, data analysis, privacy analysis, and a Privacy Impact Assessment report. PIAs analyze and describe:

  • The information that is to be collected.
  • Why the information is being collected.
  • Intended use of the information.
  • With whom the information will be shared.
  • What opportunities individuals will have to provide information or to consent to particular uses
    of the information.
  • How information will be secured.
  • Whether a system of records is being created under the privacy policy.

In order to achieve the goals of effectiveness, comprehensiveness, and legitimacy, a privacy and civil liberties policy must comply with the law. The project team must conduct an analysis of the applicable laws to provide guidance to the agency about what information may or may not be collected, how the information can or cannot be collected, and with whom it may be shared. The objective of the legal analysis is to produce a policy that complies with both the letter and the intent of all applicable local, state, tribal, and federal laws.

There is no universal privacy and civil liberties policy that an agency can simply adopt as is. Thus, this Guide provides the project team with suggestions on how to approach the legal analysis; potential sources of legal authority and limitations; and a list of typical events, transactions, and information exchanges that might be involved in this project, as well as an outline approach of the typical steps in the information gathering and use process along with potential subjects to be researched. Referenced with the information gathering and use steps are summaries of the related Organisation for Economic Co-operation and Development's (OECD) Fair Information Principles (FIPs). Included in this section is a listing of specific laws to examine that may apply to the local jurisdiction and will serve as a checklist for the privacy and civil liberties policy development effort.

Identifying Critical Issues and Policy Gaps

Once most of the legal research has been completed, the project team will understand the policy choices that have already been made for the jurisdiction and the body responsible for making those policy choices. The legal research should identify the jurisdiction’s laws or policies that are enacting requirements mandated by federal law and should also identify those laws and policies that reflect choices made by the jurisdiction that were not mandated by federal law. As a result of performing this research, the project team should be well equipped to identify those gaps in the jurisdiction’s laws or policies that remain to be addressed, where the current laws and regulations do not address an issue. For these gaps, the team should deliberate based upon the issue’s similarity to other resolved issues.