JusticePrivacy.com

Development Tools
Work Products

Privacy Policy Guidance, Volume 1

Historical background

The first volume of the Privacy Policy Guidance series is the most substantial work product to come out of the IIJIS Privacy Policy Subcommittee to date. The story behind its development includes thousands of hours of research, six full subcommittee hearings, countless meetings with individual subcommittee members, and one major re-write. Criminal justice agencies interested in developing a privacy policy for their integrated information systems could learn a great deal from the history of Illinois's privacy policy efforts.

The subcommittee had to substantially change its direction from developing policy to articulating best privacy practices that state and local justice agencies could use to develop their own policies.

The initial goal of the subcommittee was bold: to develop a comprehensive, statewide privacy policy that would guide Illinois justice agencies in their collection, analysis, and sharing of personally identifying information. To this end, staff devoted considerable time to developing an outline of the proposed policy. It was at this point that staff was approached by the Global Privacy and Information Quality Working Group and its report, Privacy Policy Development Guide and Implementation Templates, contains an expanded version of Illinois's privacy policy outline.

The IIJIS Privacy Policy Subcommittee decided to focus its initial policy development efforts on the types of information traditionally shared by the justice system. It was felt that these exchanges of information were being overlooked for sexier issues surrounding information sharing for anti-terrorism initiatives. Staff took the concerns identified in the Issues document, notes from meetings with individual members, and hours of research into existing information sharing practices in Illinois, and drafted, in declarative language, policy provisions for the sharing of justice information concerning various actors in the justice system.

The first draft of the policy attempted to address the collection, use, sharing, and retention of personally identifying information about suspects, arrestees, convicted persons, probationers, prisoners, parolees (i.e., those on supervised release), victims, and witnesses. The draft attempted to address the group's concerns as stated in the Issues document by making logical expansions of existing protections and adopting some ideas implemented by other jurisdictions - all properly footnoted and discussed in a commentary under each section.

Unfortunately, the subcommittee couldn't go from issue identification directly to developing the privacy policy. Too many questions had not yet been answered. Would the policy provisions discussed and included by the subcommittee be mandatory? Would grant funds be conditioned upon agencies' adherence to these policies? What were the existing protections in each of the privacy areas?

The result was a substantial change in the subcommittee's direction from developing policy to articulating best privacy practices that state and local justice agencies could use to develop their own policies. The thought was that providing uniform guidance would result in substantially similar privacy protections across the state. Additionally, compilations of best practices, especially those developed with diverse stakeholder input, have a tendency to become standards of care. Developing best practices also freed participants to discuss issues without fear of binding their agencies to rules developed by the subcommittee. This meant that the draft policy staff had developed had to be reorganized and significantly rewritten.

Privacy Policy Guidance, Volume 1, is vastly improved over that original draft policy. The first volume of the series (volumes were necessary to break down the privacy work into manageable components) begins with a brief overview of the privacy interests implicated by the enhanced collection, analysis, and sharing of information made possible by integrated justice information systems. The report then introduces the types of personally identifying information collected about actors in the criminal justice system. For each class of actor, the report describes the types of information sharing that are mandated, prohibited, and permitted by existing federal and state requirements. Volume 1 also identifies issues that agencies should address before developing or participating in an integrated justice information system; the pros and cons of each issue are addressed followed by the subcommittee's recommendations regarding how that information should be treated. Although resolution of several issues awaits the development of future volumes, the first volume in the Privacy Policy Guidance series is a significant step toward understanding the body of law surrounding the sharing of information by the Illinois criminal justice system.

Each state should seriously consider developing a document like Privacy Policy Guidance, Volume 1 to better understand the privacy issues and protections in place to protect their residents' privacy interests.