Chicago Police DepartmentGeneral Order G09-01-01
Access to Computerized Data, Dissemination and Retention of Computer Data
Issue Date:03 February 2012Effective Date:03 February 2012
Rescinds:02 December 2011version; G98-07-04A
Index Category:Information Management
I.Purpose
This directive:
  • A.defines Department policy specific to acquiring, entering, accessing, disseminating and retaining data stored in the Department's computerized information systems.
  • B.delineates responsibilities for Department members when acquiring, entering, accessing, disseminating and purging data.
  • C.continues and expands established guidelines for the collection, storage, access, dissemination and retention of computerized information.
  • D.establishes policy and procedures for sharing computerized information with outside law enforcement agencies.
  • E.establishes mandates for compliance with Title 28 Code of Federal Regulations Part 23 (28 CFR 23) as it applies to Criminal Intelligence Information shared by the Department with outside law enforcement agencies.
II.Policy
  • A.Information gathered by Department members will be obtained by lawful means in a manner consistent with Department policies, practices and procedures.
  • B.Entry of data into the Department's computerized information systems is restricted to authorized Department members.
  • C.Access to various classifications of information stored on the Department's computerized information systems will be restricted to those Department members authorized by Public Safety Information Technology (PSIT).
  • D.Information contained within the Department's computerized information systems will be disseminated in accordance with Department policy and in compliance with all federal, state and local laws.
  • E.Department members will not purge any information stored in the Department's computerized information systems, unless explicitly authorized.
  • F.Incidental sharing of information from the Department's computerized information systems or remote access by an outside law enforcement agency will conform to the policies and procedures outlined in this directive and will comply with 28 CFR 23.
III.General Information
  • A.In order to meet the information needs of its members, the Chicago Police Department utilizes a centralized management approach to the processing, handling, and analysis of computerized information.
  • B.Information made available on the Department's computerized information systems may originate from outside agencies. However, Criminal Intelligence Information shall only be entered into the Department's computerized information systems by Department members acting within their prescribed capacity and in accordance with this directive and applicable federal, state and local laws.
  • C.Computerized files on known active criminals will be used to advise members of information which could:
    • 1.provide investigative leads.
    • 2.provide a measure of officer safety.
      NOTE:
      This information is, in and of itself, not authority to place an individual under arrest, nor is it cause for unreasonable restraint or search of the individual.
  • D.The interface tools developed and/or used by the Department to access the computerized information systems are intended for the use of Department members lawfully engaged in the performance of their prescribed duties.
  • E.Computer-generated forms that replace CPD printed forms will use the same form number and initiation or revision date as the printed form. All required information in the original CPD printed form will also be required in the computerized version. Information fields not contained in the original printed form will not be added to the computerized version. No CPD form will be made available for use on the Department's computerized information systems without the Information Systems Development Group approval.
  • F.Members creating forms/reports that are computer-generated will create a footer at the lower left hand corner of each page stating: "computer generated form" and place the appropriate CPD form number and initiation or revision date next to it.
IV.Collection and Entry of Information
  • A.Department members will collect information in a lawful manner and in compliance with Department directives and applicable federal, state and local laws.
  • B.Prior to submission for entry into the Department's computerized information systems, Department members making a submission will verify the information contained in the entry.
  • C.Members assigned to enter data will be responsible for accurately entering the data according to the prescribed guidelines.
  • D.Data entered into the Department's computer information systems is subject to the same level of supervisory review as is currently in place for reports submitted on formsets. Information will be attributed to the submitting officer(s).
  • E.Department members will not retain information about any individual or organization gathered solely on the basis of religious, political, or social views or activities; participation in a particular noncriminal organization or lawful event; or race, ethnicity, citizenship, place of origin, age, disability, gender, or sexual orientation. The investigation and related documentation must comply with the Department directives entitled "The First Amendment and Police Actions" and "Information Report System" and all associated addenda.
    NOTE:
    This prohibition does not apply when the individual or entity is not the subject of an investigation and the reference is Non-criminal Identifying Information tied to an existing criminal report or subject record. Retrieval and use of such information, especially when taken out of context, will be clearly labeled as Non-criminal Identifying Information.
  • F.Whenever a member assigned/detailed to the Bureau of Detectives or the Bureau of Organized Crime identifies an individual as an active criminal and seeks to enter such information into a criminal intelligence database, the member will:
    • 1.verify that the individual has been assigned an IR, SID and/or FBI number.
    • 2.prepare a Suspect Person/Suspect Vehicle card (CPD-11.460).
    • 3.ensure that the data is current and accurate.
    • 4.forward completed Suspect Person/Suspect Vehicle cards to the division chief.
  • G.The Chief, Bureau of Detectives and the Chief, Organized Crime will:
    • 1.review submitted Suspect Person/Suspect Vehicle cards for conformance to required criteria.
    • 2.ensure only those submissions meeting the established criteria are forwarded to be entered into the Department's computerized information systems.
      • a.After entry into the Department's computerized information systems, the Suspect Person/Suspect Vehicle card will be returned to the originating unit.
      • b.Unit files will be maintained in accordance with the forms retention schedule.
    • 3.conduct periodic audits with unit commanders, as outlined in Item IX entitled "Retention."
    • 4.authorize the purging of records as appropriate.
V.Storage and Security
  • A.Public Safety Information Technology (PSIT) is charged with the responsibility of computerized information systems storage and security issues as delineated in the Department directive entitled "Computerized Information Systems."
  • B.Department members have no expectation of privacy in the use of Department computers or related equipment. Individuals may be subject to monitoring while using any of the Department's computers or accessing the computerized information systems.
  • C.Each Department member will be issued a Logon ID and will be responsible for its security and accountable for its use. Members will not use another member's logon ID under any circumstances. All access including, but not limited to, Local Area Networks (LANs), Wide Area Networks (WANs), information system interfaces, entry terminals and administration terminals requires an authorized log-on and password.
  • D.Department computerized information systems are designed with transaction logs for the purpose of establishing audit trails and back-up sets.
  • E.Periodic audits for 28 CFR 23 compliance will be conducted to monitor Criminal Intelligence Information access and usage.
    • 1.PSIT will establish procedures to conduct audits of electronic submissions.
    • 2.The Inspection Division will establish procedures to conduct periodic audits of "Inquiry Request Worksheets" (CPD-11.704).
VI.Access to Computerized Information
  • A.Use by Department Members
    • 1.Access to information or files maintained in the Department's computerized information system is granted only when authorized and by means of the log-on process on Department owned/leased equipment through authorized networking protocols and procedures.
    • 2.Any member who accesses information through the Department's computerized information systems is accountable for the appropriate use and disposal of the information. Access to information is restricted to official police business. Access of information for personal or other reasons is strictly prohibited.
    • 3.Department personnel are required to clear all open fields and log-off from the access device when they have completed the task(s) that required them to access the system.
    • 4.Access to Department computerized information systems is restricted by the following design features:
      • a.Logon IDs assigned for the appropriate approved level of access.
      • b.Limited access to information based upon the classification of the information and the authorization of the member accessing the system.
      • c.Labeling of information, both on screen and in printed form, based upon its level of sensitivity and its classification as either Criminal Intelligence Information or Non-criminal Identifying Information.
      • d.daily purges of invalidated Logon IDs.
  • B.Remote Access by Outside Agencies
    The Chicago Police Department may enter into agreements with outside agencies to provide limited remote access to its computerized information systems. Remote access to the Department's computerized information systems will only be permitted after compliance with all of the following:
    • 1.the Superintendent of Police has given written preliminary approval, and
    • 2.the requesting agency head has submitted, for the approval of the Superintendent, an interagency agreement. The interagency agreement will contain the following provisions:
      • a.a description of the interface tool(s) and access methods to be employed.
      • b.an acknowledgment and assumption of responsibility for all use or misuse of information obtained from Department computerized information systems.
      • c.a statement that the requesting agency is in full compliance with 28 CFR 23.
      • d.a specific agreement to:
        • (1)ensure secure access points,
        • (2)comply with all procedural protocol required by PSIT,
        • (3)ensure that only authorized members are assigned unique Logon IDs provided by PSIT,
        • (4)notify PSIT of any terminations of privilege associated with a Logon ID,
        • (5)notify PSIT of any unusual occurrences or breaches of policy,
        • (6)monitor and periodically audit usage by its members, and
        • (7)train personnel having access to the Department's computerized information systems on 28 CFR 23 compliance issues.
    • 3.the requesting agency has furnished a copy of their 28 CFR 23 policy.
    • 4.execution of the agreement by the Superintendent of Police.
    • 5.the interagency agreement and appropriate documentation have been forwarded to the Office of Justice Programs and been approved.
    • 6.the Department has notified the grantor of any funding relating to the project.
    • 7.approval of the Office of Justice Programs; the Department may initiate remote access capability to the requesting agency when:
      • a.the Department has trained designated members of the outside agency in the proper use of the interface tool(s) and issues involving 28 CFR 23 compliance, and
      • b.the Superintendent has given final approval to the project.
VII.Dissemination of Information
Records, files or reports may be printed from computerized information systems and/or duplicated by Department personnel for Department use only, except as provided in this section.
  • A.The contents of any record, file or report will not be exhibited or divulged to any non-Departmental person or entity except in the performance of official duties and in accordance with Department policy, and applicable federal, state and local laws.
  • B.Public Release
    • 1.Any information provided to the public will be released in accordance with Department directives and in compliance with federal, state and local laws.
    • 2.Any mechanism allowing public access shall be reviewed by the Information Systems Development Group to ensure that information retrieved is not of a sensitive nature and is in compliance with the provisions enumerated in Item VII-B-1.
    • 3.Command staff members may release relevant information to community groups or private citizens, in compliance with Department directives and all federal, state and local laws.
      NOTE:
      Department members may consult with the Office of Legal Affairs prior to dissemination of information to the public to determine if any prohibition on the release exists.
    • 4.Reports and graphs provided to the public will contain a unit identifier, a date and a disclaimer on the last page of each report.
      DISCLAIMER:
      This document has been generated by the Chicago Police Department. Information and statistics contained within this report may not be verified and may vary from other documents prepared by the Department using other methods or procedures.
  • C.Incidental Sharing of Information with Outside Agencies
    The Department recognizes that some criminal activity may affect multiple jurisdictions. Whenever possible, the Department will provide outside law enforcement agencies engaged in an active investigation access to information which is relevant to that investigation.
    • 1.Department members receiving a request for information from an outside agency, whether in person, by phone or by fax, will:
      • a.verify the identity and agency of the requester prior to making a query.
      • b.submit a query if satisfied that the prerequisites in Item VII-C-1-a have been met. If a query is made on behalf of an outside agency and the Department's computerized information system returns:
        • (1)data which is classified as "Criminal Intelligence Information," the member will have a sworn supervisor approve the "Inquiry Request Worksheet" (CPD-11.704) prior to disseminating the information.
        • (2)data which is labeled as "Non-criminal Identifying Information," the member will determine if the information is relevant to the requester's needs.
          • (a)If the "Non-criminal Identifying Information" is not relevant to the inquiring agency's needs, the member will not divulge this information.
          • (b)If the "Non-criminal Identifying Information" is relevant to the investigation, the member will have a sworn supervisor approve the "Inquiry Request Worksheet" prior to disseminating the information.
        • (3)data which is not labeled as "Criminal Intelligence Information" or "Non-criminal Identifying Information," the member will make a determination:
          • (a)If the information serves a legitimate law enforcement purpose, it may be disseminated.
          • (b)If the information does not serve a legitimate lawful purpose, it will not be disseminated.
    • 2.Sworn supervisors reviewing an "Inquiry Request Worksheet" will:
      • a.determine if the "Need to Know/Right to Know" criteria has/have been satisfied.
      • b.ensure that a 28 CFR 23 notification is printed upon the hard copy report delivered to the agency representative.
      • c.ensure the agency representative has signed the "Inquiry Request Worksheet." A signed facsimile copy will suffice for phone inquiries.
      • d.forward the completed "Inquiry Request Worksheet" to PSIT.
    • 3.PSIT will forward one copy of the completed "Inquiry Request Worksheet" to the owner of the data.
VIII.Self-Contained Information Systems
Any unit that maintains investigative records or criminal intelligence information on a system that is self-contained is expressly prohibited from sharing any information contained on that system with any outside agency.
IX.Retention
  • A.Information in the Department's computerized information systems will adhere to the Department's Form Retention Schedule and all applicable federal, state and local laws.
  • B.Department members will not remove or alter any official record, file or report from the Department's computerized information systems, unless explicitly authorized.
  • C.PSIT will preserve transaction logs in a manner consistent with operational functionality and in accordance with the Department's retention schedule and in compliance with all federal, state and local laws.
  • D.The Owner of the Data labeled as Criminal Intelligence Information or Non-criminal Identifying Information will be responsible for reviewing on a periodic basis the validity of such information.
    • 1.Inaccurate or outdated information should be deleted.
    • 2.Whenever a member assigned/detailed to the Bureau of Detectives or the Bureau of Organized Crime determines that a suspect person or vehicle record is no longer appropriate the member will remove the Suspect Person/Suspect Vehicle card from the unit file, check the "Delete" box and enter his star number in the "Remarks" section of the card. The card will be submitted through the chain of command to the division chief for authorization of the records purge.
    • 3.Additions to a record will be dated.
    • 4.Modifications to a record which correct errors or negate an individual's classification as a suspect must be reported to any agency that received such erroneous information.
    • 5.Owners of data will submit an annual report, through their respective chain of command, to the Chief, Bureau of Administration certifying that the records in the Department's computerized information systems have been verified.
  • E.PSIT will purge Criminal Intelligence records no later than five years from the last validated entry.
X.Violations of Policy
  • A.Alleged violations of this directive shall be investigated by means of the Complaint Register (CR) process and subject to disciplinary action.
  • B.Violations of the regulations imposed by 28 CFR 23 are subject to monetary fines of $11,000.00 per violation.
(Items indicated by italic/double underline were added or revised)
Garry F. McCarthy
Superintendent of Police
12-008 (RJN) TRH