(a) Policing agencies should maintain an unalterable record of every instance in which policing databases have been accessed. The record should include:
- (1) when the access occurred;
- (2) the purpose of the access and the type of data accessed;
- (3) who accessed the data; and
- (4) the method of access (in particular whether an algorithm was used).
(b) The records kept pursuant to subsection (a) should be audited routinely to ensure compliance with the policies developed pursuant to this Chapter.
(c) When feasible, policing agencies should maintain and periodically make available to the public statistics about the purposes and uses of policing databases, the numbers of people in each database, and the extent to which the databases have been accessed, including any violations of access rules.
(d) If an unauthorized data breach occurs, policing agencies should provide immediate and adequate notice of the breach to the affected individuals, although such notice may be delayed if it would compromise a legitimate law-enforcement investigation.
Comment:
a. Access accountability. A record of when access to a policing database took place, for what purpose, and by whom, is an essential means of ensuring databases are not being misused or manipulated. This Section requires that such a record be maintained, in an unalterable form if feasible. Because police use of algorithms raises special issues, see § 2.06, this Section expressly requires that the audit unambiguously note whether access to databases involves the application of algorithms.
b. Auditing. Simply keeping a record of access is insufficient for ensuring accountability. Auditing of database records is necessary to detect and deter improper use of databases. This Section requires periodic auditing aimed at determining whether access to the database has been consistent with the other Principles in this Chapter, in particular the access rules required by § 6.05. Policing agencies also should consider having researchers conduct the audits. Researchers can help construct more secure systems given their knowledge of how such systems are misused.
c. Statistical accountability. Police use of databases inevitably is covert. Yet, democratic evaluations of the necessity for, and use of, databases can occur only if the public is kept informed about how databases are used. This information, in redacted form, should be considered a matter of public record. Accordingly, policing agencies should notify the public on a periodic basis about the existence, scope, efficacy, and security of police databases and police access to databases. Accord, Principles of the Law, Data Privacy § 3 (requiring that data users “clearly, conspicuously and accurately explain the data controller’s or data processor’s current personal-data activities”). Such information provides important feedback both to policymakers and the public, which could lead to the modification of legislation or regulations authorizing and regulating police collection and retention of information about the populace. This type of feedback is particularly important in connection with watchlists and programmatic databases, which easily can proliferate and expand in scope.
Ideally, these publicly disseminated reports about data access would provide information about several aspects of database use: (1) the types of police databases maintained and, with respect to watchlists and programmatic databases, the number of people in each; (2) the types of third-party databases accessed in connection with programmatic information-gathering and an approximation of how often they were accessed; (3) the number of suspects investigated using databases; (4) the number of algorithmic inquiries conducted and the number of people so identified; and (5) the number of events investigated through database access and the approximate number of people identified per event. Additionally, some indication of whether the access to the database produced useful results, in terms of arrests, clearances, exonerations, or some other law-enforcement indicator, is important. Not all jurisdictions can produce all of this information, but this Section requires that every jurisdiction provide data about the first two subjects.
d. Notification of data breaches. As is customary in other fields, agencies that have accumulated personal information and have allowed it to be accessed by unauthorized personnel should have a duty to notify the affected individuals so they can take appropriate corrective steps. For instance, individuals should be alerted if unauthorized parties access expunged records or surveillance data from closed-circuit television cameras. This Section does not specify whether notice need be individualized; in many cases, a general alert may be sufficient. Further, if notification would compromise a legitimate investigation, it need not be given until the investigation is complete.
Reporters’ Notes
1. Auditing. Auditing regimes that indicate who has accessed databases, when, and for what purpose are a highly recommended means of safeguarding database security and ensuring accountability. See, e.g., The Tech. and Privacy Advisory Comm., Safeguarding Privacy in the Fight Against Terrorism 52 (Mar. 2004), [https://perma.cc/SPR4-MJBG]; American Bar Association’s Criminal Justice Standards, Law Enforcement Access to Third Party Records § 25‑6.2(c) (3d ed. 2013), [https://perma.cc/2756-MG3L]; Markle Task Force on Nat’l Sec. in the Info. Age, Implementing a Trusted Information Sharing Environment: Using Immutable Audit Logs to Increase Security, Trust, and Accountability (Feb. 1, 2006), [https://perma.cc/GP9H-55W4]. The federal government’s national-security guidelines also require auditing. Nat’l Counterterrorism Ctr., Attorney General Guidelines for Access, Retention, Use and Dissemination By The National Counterterrorism Center And Other Agencies Of Information In Datasets Containing Non-Terrorism Information 6 (Mar. 2013), [https://perma.cc/VU2L-SKB3]. A number of other government agencies do as well. See generally Erin Murphy, Databases, Doctrine and Constitutional Criminal Procedure, 37 Fordham Urb. L.J. 803, 826-827 (2010).
Many states have statutes requiring routine audits for compliance with existing regulations regarding database procedure. See Ga. Code Ann. § 35-3-32(b)(3) (2017) (requiring the Crime Information Center to “[e]nsure that adequate security safeguards are incorporated so that the data available through this system is used only by properly authorized persons and agencies”); 20 Ill. Comp. Stat. Ann. 2635/21 (West 2017) (mandating representative audits for internal compliance); Minn. Stat. § 13.055(6) (2017) (requiring an annual comprehensive security assessment); Cal. Code Regs. tit. 11 § 724 (2017) (mandating an audit trail consisting of “the person conducting the query, the date of each query, each agency and/or database queried, and the result of each query”). See also Uniform Criminal Records Accuracy Act § 104 (Unif. L. Comm’n 2018) (requiring a “dissemination log” that documents the name of the person making a request for criminal records, the name of the person making the dissemination, the date of the request and dissemination, and “a statement whether the information was disseminated for a purpose other than the administration of criminal justice.”).
2. Notice to the public. Title III of The Omnibus Crime Control and Safe Streets Act of 1968 requires judges and prosecutors to make annual reports about interception of communications that occur pursuant to federal law, which the Administrative Office of the United States Courts then compiles and disseminates to the public. 18 U.S.C. § 2519(3) (2012). Those reports indicate, inter alia, how many surveillance applications were submitted, how many warrants were issued, how many extensions of warrants were granted, the number of people whose conversations were intercepted, and the number of interceptions that disclosed incriminating information. See, e.g., Wiretap Reports, Admin. Off. of the Courts, [https://perma.cc/XHB7-M3MZ]. California requires periodic notice of government efforts to access communications records when the target is not identified, Cal. Penal Code § 1546.2(c) (2017), as well as annual disclosure of “criminal statistics,” id. § 13010(g), which in theory could include technologically assisted surveillance. The City of San Francisco requires that law enforcement provide annual reports in connection with the use of “surveillance technology” that provide: (1) a general description of how the technology was used; (2) the identity of other entities with which data obtained through the technology was shared; (3) a summary of public complaints about the technology; (4) the results of internal audits; (5) aggregate information about violations of policies and actions taken in response; (6) crime statistics relevant to the technology’s effectiveness; (7) annual costs associated with the technology’s use; and (8) data sources, among other types of information. S.F. Administrative Code, § 19B.1, https://sfgov.legistar.com/View.ashx?M=F&ID=7206781&GUID=38D37061-4D87-4A94-9AB3-CB113656159A.
The American Bar Association recommends analogous reports in the data-access context. It provides for “appropriate periodic review and public reporting” as one option for ensuring accountability. American Bar Association’s Criminal Justice Standards, Law Enforcement Access to Third Party Records § 25‑7.1 (3d ed. 2013), [https://perma.cc/2756-MG3L]. See also Constitution Project, Principles for Government Data Mining: Preserving Civil Liberties in the Information Age 24 (Dec., 2010), [https://perma.cc/WG5Y-6QES] (proposing that agencies “[c]onduct and publish the results of regular audits, and report regularly to Congress”). In its separate Standards Relating to Technologically-Assisted Physical Surveillance, the American Bar Association provides that “government officials should be held accountable for use of regulated technologically-assisted physical surveillance technology by means of . . . periodic review by law enforcement agencies of the scope and effectiveness of technologically-assisted physical surveillance; and maintaining and making available to the public general information about the type or types of surveillance being used and the frequency of their use. Sensitive law enforcement information need not be disclosed.” ABA Crim. Justice Standards, Technologically-Assisted Physical Surveillance § 2-9.1(f)(iv)(v) (1999).
A number of private companies have begun issuing periodic transparency reports. For instance, Apple Inc. and Microsoft Corporation now indicate how often they give data to the government, although the reports are not particularly detailed and are entirely voluntary. See Kashmir Hill, Thanks Snowden! Now All the Major Tech Companies Reveal How Often They Give Data to Government, Forbes (Nov. 14, 2013), [https://perma.cc/DEU7-UYDE]. Finally, every state except for Alabama and South Dakota has some form of a data-breach statute, although not all apply to data held by the state itself, and it is not always clear whether they apply to police databases. See 2017 Security Breach Legislation, Nat’l Conference of State Legislatures (Dec. 29, 2017), [https://perma.cc/HK2V-CYPB]. California has one of the most extensive data-breach statutes, requiring written notice detailing what happened, what information was involved, and what is being done to remedy the situation any time a state agency’s database of “personal information” is accessed improperly. Cal. Civ. Code § 1798.29 (West 2018). “Personal information” is defined to include a large subset of data, including any records containing social-security-number, driver’s-license-number, and automated-license-plate-reader data. Id. Similarly, Minnesota requires written notice to any citizen whose “private or confidential” information is accessed improperly by outside hackers and the like; access by unauthorized government employees, however, is excluded from the notice requirements, provided that such access occurred in good faith. Minn. Stat. § 13.055 (2018). Some states that require notification allow law enforcement to delay such notification if necessary to avoid impeding a criminal investigation. Ind. Code § 4-1-11-7 (2018).