(a) Agencies should destroy or render inaccessible any information that is irrelevant to the designated purpose of a database.
(b) Programs implementing subsection (a) should include policies requiring that policing databases be purged:
- (1) after a finite period specified in the authorization creating the database, which may be extended only if the agency can show that the specific type of data, or the data in a particular individual’s case, continues to be necessary for the purpose for which it was originally obtained, or for a separate purpose authorized pursuant to § 6.01;
- (2) when necessary to make a correction to the database pursuant to § 6.03(c); or
- (3) when otherwise required by law.
Comment:
a. The relevance test. The temptation on the part of governmental agencies to forever maintain data about everyone on the assumption it might eventually prove useful is especially great with the advent of computerized databases that easily house terabytes of information. But over-storage increases the chances that an individual’s information will be accessed by unauthorized personnel or misused by authorized personnel, and also increases the chances that the data will become outdated and therefore inaccurate. Records not pertinent to a legitimate policing objective should not be accessible to police officials. Accord, Principles of the Law, Data Privacy § 8.
Relevance obviously is contextual. For instance, the information in casefiles and watch lists is more likely to be relevant for a longer period of time than the information in programmatic databases, which can include data about large numbers of innocent individuals never suspected of any wrongdoing. Even within a casefile, the relevance of the names, addresses, and phone numbers of people near the scene of a crime, or the credit-card and communications records of a suspect, may vary greatly depending on developments in a case. Furthermore, information that is relevant at the time it is obtained may become irrelevant with the passage of time. Generally, purging should occur after an acquittal or a dismissal of charges (recognizing that this information may still be retained in court databases), as well as when investigative stops are determined to have been groundless.
For the most part, this Section leaves the judgment calls that have to be made to agencies maintaining the data. However, § 6.03(b)(3) requires periodic audits of databases to ensure the information they contain remains relevant. Further, this Section sets out some specific but nonexclusive situations in which purging should occur.
b. Specified time limits. The key limitation in this Section, which reinforces the similar provision in § 5.02(f) that applies to programmatic databases, is the requirement that database policies state a finite point at which collected data should be destroyed. A presumptive retention period puts teeth into the otherwise vague command to delete irrelevant information. Without such a provision, the temptation is too great to keep all data that is collected, exacerbating the harms described previously.
In some types of situations, legitimate law-enforcement interests may justify retaining data for long periods. For instance, a policy reasonably could provide that felony arrest and conviction records or DNA profiles in serious cases be kept at least as long as the relevant individual is alive, and perhaps longer, unless a case ends in acquittal. In contrast, casefiles in less serious cases, including in cases in which conviction results, might be rendered inaccessible much earlier—a stance that is reflected in some state expungement statutes. Certain types of data collected through suspicionless programs, such as those involving closed-circuit television recordings or license-plate readers, might be destroyed even sooner, perhaps within a week or even just 24 hours if no crime is reported in the monitored areas.
This Section provides for retention of data beyond the designated period when it continues to be necessary to carry out the purpose for which it was obtained. For instance, there may be justification for a law-enforcement agency to retain camera-surveillance data of a particular area beyond the specified period if it shows that access to the recordings is necessary for an ongoing investigation. An agency may be able to retain the DNA of a suspect even after acquittal if it can show that it would be relevant to another criminal case. The burden is on the agency to document the reason for the extension. Occasionally, data that are no longer useful for their original purpose may become necessary for another legitimate policing objective. However, unless there is legislative or regulatory authorization for the new purpose, as required in § 6.01(c), destruction of the data still must occur.
It is important to note that records that might ordinarily be purged should not be if, as prescribed in Chapter 14, they are relevant to an investigation of police misconduct. As indicated in the Comments to § 6.01, police misconduct files are not the subject of this Chapter. But this Section should not be read to require purging of information in casefiles or other policing databases that are the subject of this Chapter—even if, for instance, charges against the subject of the file have been dismissed—when the record remains relevant to the subject’s treatment by the police.
c. Purging pursuant to corrective process. This Section also requires purging of data that is shown to be inaccurate—and therefore very likely irrelevant to a legitimate policing objective—through the procedure set out in § 6.03(c). This procedure is most likely to apply to casefiles (for instance, as a means of purging invalid arrest warrants) and to watchlists, which often erroneously identify individuals as persons of interest (e.g., as gang members or terrorist sympathizers).
d. Other laws. The laws most likely to require purging of police records are expungement laws, which exist in every jurisdiction. However, agencies often ignore expungement laws or fail to implement them in a consistent fashion. This Section requires strict adherence to expungement laws, which are most likely to apply to casefile databases.
Reporters’ Notes
1. Law regarding data destruction. Federal and state laws typically require destruction of data that are no longer are relevant to the acquiring entity. The federal Privacy Act limits the retention of records to those that are “relevant and necessary” to accomplish a purpose of the agency. 5 U.S.C. § 552a(e)(1). Other statutes have specific data-destruction rules applicable to financial institutions, 16 C.F.R. § 314.4(b)(2), (c) (2017), medical establishments, 45 C.F.R. § 164.310(d)(2)(ii) (2017), video businesses, 18 U.S.C. § 2710(e), business organizations, N.Y. Gen. Bus. Law § 399-H (McKinney 2017), and all types of consumer data. 16 C.F.R. § 682(a) (2017). See generally Daniel Solove & Paul Schwartz, Privacy Law Fundamentals 220 (2017) (describing relevant state laws). The Federal Trade Commission’s “disposal rule” requires that covered entities take “reasonable measures” to destroy irrelevant data, which include “burning, pulverizing, or shredding papers . . . so that the information cannot practicably be read or reconstructed,” 16 C.F.R. § 682.3(b)(1) (2017), and “destruction or erasure of electronic media . . . so that the information cannot practicably be read or reconstructed.” 16 C.F.R. § 682.3(b)(2) (2017). The Principles of the Law, Data Privacy, similarly state that “[a] data controller shall retain personal data only as consistent with the scope of notice, the purposes for which notice is provided, and purposes that are consistent with these Data Privacy Principles” and provide for destruction of the data when it no long serves those purposes. Principles of the Law, Data Privacy § 10 (Am. L. Inst. 2020).
These general rules often are applied to specific types of policing databases. For instance, federal regulations governing criminal-history records and related information require that states not only “assure that all information which is retained by a project has relevancy and importance,” but that “[i]nformation retained in the system must be reviewed and validated for continuing compliance with system submission criteria before the expiration of its retention period, which in no event shall be longer than five years.” 28 C.F.R. § 23.20(h) (2017). Many state statutes set out maximum lengths of time for data storage of policing information. See, e.g., Minn. Stat. § 13.824(3)(a) (2017) (“data collected by an automated license plate reader . . . must be destroyed no later than 60 days from the date of collection”); Mont. Code Ann. § 46-5-118 (2017) (“license plate data . . . may not be preserved for more than 90 days”); cf. Cal. Code § 1798.90.51(b)(2)(G) (2016) (requiring a “usage and privacy policy” that sets out, inter alia, “[t]he length of time ALPR information will be retained, and the process the ALPR operator will utilize to determine if and when to destroy retained ALPR information”).
Some courts likewise have required that information obtained through surveillance, especially surveillance that captures information about non-suspects, be destroyed within a short period of time. In re Application of the U.S. for an Order Relating to Tels. Used by Suppressed, 2015 WL 6871289, at *4 (N.D. Ill. Nov. 9, 2015) (requiring that all data acquired by a Stingray—a device that captures data from all cellphones in the vicinity—other than information identifying the particular phone used by the target, be destroyed within 48 hours after capture, and also prohibiting use of the extraneous data for further searching of or against third parties). See also In re Search of Info. Associated with Facebook Account Identified by the Username Aaron.Alexis that is Stored at Premises Controlled by Facebook, Inc., 21 F. Supp. 3d 1, 9-11 (D.D.C. 2013) (limiting retention of Facebook data).
In contrast, some police regulations allow for data to be stored for fairly long periods of time. See, e.g., S.F. Admin. Code § 8.3 (2017) (“records . . . may be destroyed five years after they were created”); Forms Retention Schedule, Chicago Police Department 11.717 (Jan. 17, 2018), [https://perma.cc/L3QJ-7XL4] (allowing data to be retained for one to 10 years depending on classification). Furthermore, most police regulations do not define “destruction” and thus do not set out adequate standards to ensure that information cannot be read or reconstructed. Compare NYPD Patrol Guide (Apr. 5, 2016), [https://perma.cc/L3AC-7J64] (silent as to data destruction entirely) to Ga. Code Ann. § 50-18-95(b) (2017) (“records shall be destroyed in such a manner that they cannot be read, interpreted, or reconstructed”). As such, those policies would not meet the requirements of this Section.
2. Expungement of arrest and conviction records. A federal law grants expungement for misdemeanor drug offenses when the offender successfully completes probation. 18 U.S.C. § 3607 (2012). See also 18 U.S.C. § 3607(a), (c) (2012) (requiring courts to expunge the record of a person, under 21 years old at the time of the offense, if he or she was found guilty of simple possession and had not previously been convicted of a federal or state crime relating to controlled substances). But there is no general federal expungement statute, despite repeated proposals to enact one for nonviolent offenders. See, e.g., Fresh Start Act of 2019, H.R. 5043 (115th Cong.); see also Raj Mukherji, In Search of Redemption: Expungement of Federal Criminal Records, Seton Hall Univ. 41-45 (2013), [https://perma.cc/U2EQ-DMXF] (discussing the provisions of federal proposals). Given the limited statutory authority, federal courts grant expungement only in extraordinary circumstances. Moreover, since the U.S. Supreme Court’s decision in Kokkonen v. Guardian Life Ins. Co. of Amer., 511 U.S. 375 (1994), limiting the reach of federal courts’ ancillary jurisdiction, most Courts of Appeals have held that they lack equitable power to expunge criminal records. See, e.g., United States v. Wahi, 850 F.3d 296 (7th Cir. 2017).
State legislatures and courts are more likely to require expungement, although there too expungement is rare. See Margaret Love, Restrictions on Access to Criminal Records: A National Survey, Collateral Consequences Res. Ctr. (Mar. 9, 2017), [https://perma.cc/7CEG-4QJE] (describing a recently updated nationwide survey of state expungement law that found that since 2013, 27 states have given courts some authority to restrict access to criminal records but that only 12 states give courts authority to seal criminal records altogether); Ross E. Cheit, The Elusive Record: On Researching High Profile 1980s Sexual Abuse Cases, 28 Just. Sys. J. 79, 81 (2007) (providing a chart detailing rules regarding destruction of records in all 50 states, with expungement most likely when arrest does not result in conviction or the conviction is for a misdemeanor). When statutes do not exist or do not cover a particular situation, most state courts hold that they have inherent authority to expunge based on a balancing of society’s interest in the record against the harm to the individual that arises from its continued existence. Anna Kessler, Excavating Expungement: A Comprehensive Approach, 87 Temp. L. Rev. 403, 416-418 (2015). Some courts have grounded this authority in the Due Process Clause. Id.
However, scholars have documented that even when statutory language exists, mandated expungement does not always occur. One study found that expungement of a conviction record often fails to take place even after official exoneration. Amy Schlosberg, Evan Mandery & Valerie West, The Expungement Myth, 75 Alb. L. Rev. 1229, 1229-1230 (2011-2012). Expungement of arrestees’ DNA records after dismissal or acquittal on criminal charges, required under most state DNA laws, has also been said to be “largely a myth.” Elizabeth Joh, The Myth of Arrestee DNA Expungement, 164 U. Pa. L. Rev. Online 51, 51 (2015). Many federal and state laws grant expungement only from “public records” accessible by employers, the press, and so on, while maintaining law-enforcement access. See, e.g., 18 U.S.C. § 3607(c) (2012) (“The expungement order shall direct that there be expunged from all official records, except the nonpublic records [retained by the central repository for use by courts in subsequent proceedings], all references to [the individual’s] arrest for the offense, the institution of criminal proceedings against him, and the results thereof.”). See also S.C. Code Ann. § 17-1-40 (2017).
Some authors have argued that offenders should be able to ask for expungement not only of charges that result in acquittal or dismissal, but also of records of conviction, after a specified time period proportionate to the crime has elapsed. See, e.g., Sara Shiavone, Wiping the Slate Clean: A Proposal to Expand Ohio’s Expungement Statute to Promote Effective Offender Reintegration, 45 Cap. U. L. Rev. 509, 543-546 (2017) (calling for expungement eligibility within six months to five years after conviction, depending on the offense). Whether or not a jurisdiction adopts that position, expungement laws that do exist should be implemented rigorously and—unless relevant law states otherwise—law enforcement agencies should not have access to the expunged material.
3. Departmental policies. In some domains, policing agencies have been active in establishing retention policies, with many calling for limited retention periods. For instance, most police departments have policies governing the retention of footage from police body cameras. See Police Body Camera Policies: Retention and Release, Brennan Ctr. for Justice (Aug. 3, 2016), [https://perma.cc/DC5K-M79X] (chart listing the retention policies for different cities). Closed-circuit television (CCTV) recordings provide another example. At one time, surveillance-camera recordings in Baltimore had to be destroyed within 96 hours unless a crime was reported that the surveillance could help solve. Stephen McMahon, Cent. Dist. Commander for Balt. City, Remarks at the International Association of Chiefs of Police Meeting (Apr. 17, 2002). That policy no longer exists, but the Department does require that aerial surveillance data be destroyed after 45 days, Frequently Asked Questions, Baltimore Police Community Support Program, [https://perma.cc/JY44-PV6K], although this requirement is not always enforced. Jay Stanley, Baltimore Aerial Surveillance Program Retained Data Despite 45-Day Privacy Policy Limit, ACLU (Oct. 25, 2016), [https://perma.cc/M8AK-AGNW]. Colorado allows for effectively unfettered access to CCTV recordings during the first year after collection, but it requires a custodian to record the reason for access after one year has passed, and it requires that the recordings be destroyed after three years unless an investigatory or judicial proceeding has commenced. Colo. Rev. Stat. Ann. § 24-72-113 (West 2017).
Police departments also have adopted policies limiting how long license-plate data may be maintained. See, e.g., Bos. Police Dep’t, Special Order on License Plate Recognition System (Sept. 14, 2011), [https://perma.cc/Y7YU-4K62] (requiring deletion of data after 90 days); L.A. Cnty. Sheriff’s Dep’t, Field Operations Directive on Automated License Plate Recognition (APLR) System (Aug. 17, 2009), [https://perma.cc/7625-D9U9] (requiring deletion only after two years); Ohio Emergency Mgmt. Agency, FY 2010 Local Program Guidance and Application Package (Dec., 2010), [https://perma.cc/9AHM-SN4V] (requiring immediate deletion); Mesquite Police Dep’t, ACLU Open Records Request for MPD ALPR Records 10465-10466, [https://perma.cc/8LSV-SWD6] (indefinite retention).
At one time, records maintained by the federal government’s counterintelligence services that were not directly linked to national security could be maintained only for six months, but that period has now been extended to five years. U.S. Dep’t of Justice, Off. Dir. Nat’l Intel., Guidelines for Access, Retention, Use and Dissemination by the National Counterterrorism Center and Other Agencies of Information in Datasets Containing Non-Terrorism Information 6 (Mar. 2012) [https://perma.cc/ZM7J-3UT9] [hereinafter NCTC Rep.] The American Bar Association’s Standards on Law Enforcement Access to Third Party Records provide that database records should be destroyed when no longer relevant to legitimate law-enforcement interests. American Bar Association’s Criminal Justice Standards, Law Enforcement Access to Third Party Records § 25‑6.1(b)(ii) (3d ed. 2013), [https://perma.cc/2756-MG3L].