Privacy Act of 1974; Implementation, 35651-35654 [2017-15423]

Download as PDF Federal Register / Vol. 82, No. 146 / Tuesday, August 1, 2017 / Rules and Regulations date and time will thereafter be continuously published in the Chart Supplement. * * * * * Paragraph 6002 Class E Airspace Designated as Surface Areas. * * * * * AGL WI E2 Kenosha, WI [Amended] Kenosha Regional Airport, WI (Lat. 42°35′45″ N., long. 87°55′40″ W.) That airspace extending upward from the surface to and including 3,200 feet within a 4.2-mile radius of Kenosha Regional Airport. This Class E airspace area is effective during the specific dates and times established in advance by Notice to Airmen. The effective date and time will thereafter be continuously published in the Chart Supplement. * * * * * Paragraph 6004 Class E Airspace Area Designated as an Extension of Class D Airspace. * * * AGL WI E4 * * * * Kenosha, WI [Removed] * * * Paragraph 6005 Class E Airspace Areas Extending Upward From 700 Feet or More Above the Surface of the Earth. * * * * * AGL WI E5 Kenosha, WI [Amended] Kenosha Regional Airport, WI (Lat. 42°35′45″ N., long. 87°55′40″ W.) Kenosha Localizer (Lat. 42°36′04″ N., long. 87°55′11″ W.) That airspace extending upward from 700 feet above the surface within a 6.7-mile radius of Kenosha Regional Airport, and within 9.9 miles north and 5.9 miles south of a 246° bearing from the Kenosha Localizer to 10 miles west of the Kenosha Localizer. Issued in Fort Worth, Texas, on July 24, 2017. Walter Tweedy, Acting Manager, Operations Support Group, ATO Central Service Center. [FR Doc. 2017–16098 Filed 7–31–17; 8:45 am] BILLING CODE 4910–13–P DEPARTMENT OF JUSTICE 28 CFR Part 16 [CPCLO Order No. 007–2017] Privacy Act of 1974; Implementation Federal Bureau of Investigation, United States Department of Justice. ACTION: Final rule. mstockstill on DSK30JT082PROD with RULES AGENCY: The Federal Bureau of Investigation (FBI), a component of the United States Department of Justice (DOJ or Department), is issuing a final rule to amend its Privacy Act exemption regulations for the system of records SUMMARY: VerDate Sep<11>2014 17:30 Jul 31, 2017 Jkt 241001 titled, ‘‘Next Generation Identification (NGI) System,’’ JUSTICE/FBI–009, last published in full on May 5, 2016. Specifically, the FBI exempts the records maintained in JUSTICE/FBI–009 from one or more provisions of the Privacy Act. The listed exemptions are necessary to avoid interference with the Department’s law enforcement and national security functions and responsibilities of the FBI. This document addresses public comments on the proposed rule. DATES: This final rule is effective August 31, 2017. FOR FURTHER INFORMATION CONTACT: Roxane M. Panarella, Assistant General Counsel, Privacy and Civil Liberties Unit, Office of the General Counsel, FBI, Washington DC, telephone 304–625– 4000. SUPPLEMENTARY INFORMATION: Background In 1990, the FBI published in the Federal Register a System of Records Notice (SORN) for the FBI system of records titled, ‘‘Identification Division Records System,’’ JUSTICE/FBI–009. JUSTICE/FBI–009 evolved into the ‘‘Fingerprint Identification Records System (FIRS),’’ also referred to as the ‘‘Integrated Automated Fingerprint Identification System (IAFIS),’’ published at 61 FR 6386 (February 20, 1996), which covered individuals arrested or incarcerated, individuals applying for Federal employment or military service, registered aliens or naturalized citizens, and individuals wishing to place their fingerprints on record for personal identification purposes. The FIRS SORN included the following records: A. Criminal fingerprint cards and/or related criminal justice information submitted by authorized agencies having criminal justice responsibilities; B. Civil fingerprint cards submitted by Federal agencies and civil fingerprint cards submitted by persons desiring to have their fingerprints placed on record for personal identification purposes; C. Identification records sometimes referred to as ‘‘rap sheets’’ which are compilations of criminal history information pertaining to individuals who have criminal fingerprint cards maintained in the system; and D. A name index pertaining to all individuals whose fingerprints are maintained in the system. As the system expanded, records continued to fall within the general categories of records specified in the SORN. As a policy matter, however, and in an effort to better detail the enhancements made to the system, the PO 00000 Frm 00029 Fmt 4700 Sfmt 4700 35651 FBI and DOJ determined that JUSTICE/ FBI–009 should be modified to more fully describe the features and capabilities of the system, which has since been renamed the Next Generation Identification (NGI) System. Important enhancements to the NGI System include the increased retention and searching of fingerprints obtained for the purposes of licensing, employment, obtaining government benefits, and biometric services such as improved latent fingerprint searching and face recognition technology. Leading up to the publication of the modified SORN and a Notice of Proposed Rulemaking (NPRM) for the NGI System, the FBI conducted a series of Privacy Impact Assessments that detailed the steps taken by the FBI to fully assess the privacy impacts of new and modified NGI System components, addressing potential risks and mitigation techniques. On May 5, 2016, the FBI issued a Notice of a Modified System of Records for the NGI System in the Federal Register at 81 FR 27284 (May 5, 2016), and an NPRM at 81 FR 27288 (May 5, 2016). In determining whether to claim exemptions, the FBI did not simply rely on exemptions granted to the predecessor system of records, but thoroughly evaluated the NGI System and its various components to determine whether exemptions were necessary. The necessary exemptions were proposed in the NPRM along with supporting rationales, and are to be codified in accordance with the issuance of this final rule. Response to Public Comments In its NGI System NPRM and Notice of a Modified System of Records, published on May 5, 2016, the Department invited public comment. The comment periods for both documents were originally set to close on June 6, 2016, but were extended 30 days to allow interested individuals additional time to analyze the proposal and prepare their comments. The FBI received over 100 comments and letters from individuals, and from nongovernment, public interest, civil liberties, non-profit, and academic organizations. The FBI has closely reviewed and considered these comments. The following discussion is provided to respond to the NPRM comments and provide greater insight into the FBI’s assessment of the need to claim exemptions from certain provisions of the Privacy Act for the NGI System. Many questions and comments were received concerning the breadth and scope of the exemptions claimed. As E:\FR\FM\01AUR1.SGM 01AUR1 35652 Federal Register / Vol. 82, No. 146 / Tuesday, August 1, 2017 / Rules and Regulations mstockstill on DSK30JT082PROD with RULES noted in the NPRM and reiterated here, the following exemptions apply only to the extent information in this system is subject to exemption pursuant to 5 U.S.C. 552a(j) or (k). Where compliance with an exempted section of the Privacy Act would not appear to interfere with or adversely affect the purposes of the NGI System to support law enforcement and to protect national security, the applicable exemption may be waived by the FBI in its sole discretion. These exemptions are claimed with respect to the NGI System’s records, which are compiled for the purposes of identifying criminal offenders or alleged criminal offenders, criminal investigations, and reports identifiable to an individual compiled throughout the criminal law enforcement process, including fingerprints, as well as associated biographic data, the nature and disposition of any criminal charges, and additional biometrics such as mugshots and palm prints, if available and if provided by the submitting agency. The NGI System records qualify for exemption from sections of the Privacy Act under 5 U.S.C. 552a(j)(2) because the FBI’s principal function is the enforcement of criminal laws and the records maintained in the NGI System fall into one or more of the categories listed in (j)(2). Due to the evolving nature of identity records and investigations and the scope of the NGI System, certain NGI System records may fall outside the scope of (j)(2) and would qualify for the specific exemptions under 5 U.S.C. 552a(k)(2) and (5). The exercise of all exemptions is discretionary and the FBI will not exercise an exemption of any section of the Privacy Act that is not appropriate and necessary. 5 U.S.C. 552a(c)(3), Accounting of Disclosures Upon Request of the Named Subject Some of the comments communicated concerns about claiming exemptions from accounting and audit disclosure requirements. As with exemptions claimed under subsections (c)(4) and (d), exemption from (c)(3) disclosure requirements is necessary to preserve the integrity of ongoing investigations. Revealing this information could compromise ongoing, authorized law enforcement and national security efforts by alerting an individual to collaborative law enforcement and national security investigations as well as the relative interests of the FBI and/ or other investigatory agencies. Although the vast majority of NGI System disclosures need not be provided in an accounting request, the FBI must claim this additional VerDate Sep<11>2014 17:30 Jul 31, 2017 Jkt 241001 exemption to ensure its ability to protect the integrity of ongoing investigations. It is important to note that, despite claiming this exemption, the Privacy Act does not permit the FBI to exempt this system of records from the requirements codified under subsections 5 U.S.C. 552a(c)(1) and (c)(2). As a result, except under limited circumstances as outlined in the Privacy Act, the FBI is obligated to keep an accurate accounting of the date, nature, and purpose of each disclosure of a record maintained within this system of records, and retain the accounting for at least five years or the life of the record, whichever is longer, after the disclosure for which the accounting is made. 5 U.S.C. 552a(d)(1), (2), (3) and (4), (e)(4)(G) and (H), (e)(8), (f), Access to and Amendment of Records Many of the comments received concerned exemptions regarding the access to and amendment of records pursuant to 5 U.S.C. 552a(d)(1), (2), (3) and (4), (e)(4)(G) and (H), (e)(8), and (f). As with exemptions claimed to (c)(3) and (c)(4), providing access to these records could compromise ongoing investigations. It is necessary for the FBI to claim these exemptions because the NGI System also contains latent fingerprints, as well as other biometrics, and associated personal information that may be law enforcement or national security sensitive. Compliance with these provisions could alert the subject of an authorized law enforcement activity about that particular activity and the interest of the FBI and/or other law enforcement agencies. With that said, as cited in both the SORN and the NPRM, separate federal regulations (see 28 CFR 16.30–16.34 and 28 CFR 20.34) inform individuals of the process to access and amend their criminal history records in the NGI System. These regulations permit any person to receive his or her criminal history record for review and correction. If the individual has no criminal history record in the NGI System, he or she receives a letter confirming the absence of such record. Pursuant to the regulations, after an individual receives his or her criminal history record, he or she may consult both the FBI and the relevant criminal justice agency to correct or update the record. The vast majority of records in the NGI System have been entered by state and local law enforcement and require coordination with those agencies. In addition, pursuant to 28 CFR 50.12, agencies submitting fingerprints to the FBI for individuals seeking employment, licensing, or similar benefits are required to inform the PO 00000 Frm 00030 Fmt 4700 Sfmt 4700 applicants that their fingerprints will be searched in the NGI System and of the process for access and amendment under 28 CFR 16.30–16.34. The regulation also advises that agencies should afford the applicants the opportunity to correct or complete their records before making licensing or employment decisions. Additionally, for records claiming specific exemption under 5 U.S.C. 552a(k), if an individual is denied any right, privilege, or benefit that he would otherwise be entitled by Federal law, or for which he would otherwise be eligible, further access may be available. Consequently, although the FBI has claimed exemptions to the notification, access, and amendment provisions of the Privacy Act for the NGI System, the FBI generally does not exercise these exemptions when doing so would not interfere with its law enforcement functions and responsibilities. 5 U.S.C. 552a(g), Rights of Judicial Redress The comments received also expressed concerns about the FBI’s exemption from 5 U.S.C. 552a(g), which grants individuals the right to certain civil remedies under the Privacy Act. As a matter of clarification, the Privacy Act only permits an agency to exempt 5 U.S.C. 552a(g) if the records in the system of records qualify for the general exemption provisions under 5 U.S.C. 552a(j). This exemption cannot be, and has not been, claimed for the records within the NGI System that qualify for only the specific exemptions under 5 U.S.C. 552a(k). Additionally, many comments expressed concern that by claiming an exemption from 5 U.S.C. 552a(g), the FBI would somehow absolve itself of meeting even those provisions of the Privacy Act that are not subject to exemption because an individual’s right to seek a cause of action for any provisions of the Privacy Act would be exempted. First, the FBI takes all of its constitutional and statutory requirements seriously, and does not limit its compliance to only those provisions of the Privacy Act subject to judicial redress. As addressed throughout this SUPPLEMENTARY INFORMATION section, even when an exemption is claimed, the FBI takes all reasonable and appropriate steps necessary to meet the requirements of the Privacy Act that would not interfere with its law enforcement functions and responsibilities. The FBI is subject to a number of oversight mechanisms to ensure compliance with its requirements under the Privacy Act, E:\FR\FM\01AUR1.SGM 01AUR1 Federal Register / Vol. 82, No. 146 / Tuesday, August 1, 2017 / Rules and Regulations mstockstill on DSK30JT082PROD with RULES including internal and external audits and inspections. Second, while the FBI has proposed an exemption from this provision for the NGI System, the exemption regulation is clear that the FBI will only claim exemptions to the extent that information in this system of records is subject to an exemption pursuant to the Privacy Act. Many courts have interpreted an agency’s decision to exempt the Privacy Act’s civil remedies provisions as only an exemption from a cause of action based on an exempted provision. In those jurisdictions, individuals are still permitted to exercise their right of judicial redress, pursuant to 5 U.S.C. 552a(g), for those provisions of the Privacy Act that are not subject to exemption. 5 U.S.C. 552a(e)(2), and (3), Collection Directly From the Individual Commenters also expressed concerns regarding the exemption from (e)(2) and (3) of the requirement to collect information directly from the individual. The vast majority of the records in the NGI System are contributed by state and local law enforcement agencies. Because the FBI is neither the arresting official, nor the agency issuing the license, evaluating the individual for employment, or offering the benefit, it is impossible for the FBI to collect information directly from the subject. However, in most circumstances these other agencies create the records using information obtained directly from the subject with his or her knowledge. Fingerprints and other biometrics and information are collected by other government agencies based on their legal authorities to collect such information and submit it to the FBI. For records created for the purpose of licensing, employment, or to obtain a government benefit, the FBI requires that specific notice be provided to the applicant. This notice, in the form of a Privacy Act statement, discloses the authority which authorizes the solicitation of the information, whether disclosure of such information is mandatory or voluntary, the principal purpose for which the information is intended to be used, the routine uses which may be made of the information, and the effects on the individual, if any, of not providing all or any part of the requested information. 5 U.S.C. 552a(e)(4)(I), Categories of Sources of Records The FBI also received a comment concerning exemption of the requirement to disclose sources of records contained in the NGI System. VerDate Sep<11>2014 17:30 Jul 31, 2017 Jkt 241001 Despite claiming this exemption, the FBI has published in the NGI SORN the categories of sources of records to the extent that such disclosure would not compromise confidential sources or the safety of witnesses. However, to the extent such additional details would be required, it is believed that such detail may interfere with the Department’s law enforcement functions and the responsibilities of the FBI. The FBI claims the exemption to (e)(4)(I) because greater specificity than was provided in the NGI SORN cannot be disclosed without compromising confidential sources or the safety of witnesses. 5 U.S.C. 552a(e)(5), Accurate, Relevant, Timely, and Complete The comments also expressed concerns regarding the NGI System’s exemption from the (e)(5) requirements to maintain accurate, relevant, timely, and complete records. When collecting information for authorized law enforcement purposes, it is not always possible to determine in advance what information is accurate, relevant, timely, or complete. With time, additional facts, and analysis, information may acquire new significance. Although the FBI has claimed this exemption, it continuously works with its federal, state, local, tribal, and international law enforcement partners to maintain the accuracy of records to the greatest extent possible. The FBI does so with established policies and practices that include the review, audit, and validation of records, and formal agreements with partner agencies that require regular records updates. The law enforcement and national security communities have a strong operational interest in using up-to-date and accurate records and will foster relationships with partners to further this interest. If alterations are made to criminal record sources outside the FBI, we encourage subject individuals to bring said documentation to the FBI’s attention to ensure timely modification of an NGI System record. General Comments on the NGI System A few commenters expressed concerns about the safety and security of the system. It should be noted that the FBI is not and cannot claim exemption from 5 U.S.C. 552a(e)(10), which requires agencies to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity. In compliance with this provision of the Privacy Act and other security mandates, the NGI System has PO 00000 Frm 00031 Fmt 4700 Sfmt 4700 35653 been developed and implemented in compliance with all federal information technology standards designed to safeguard personal information from loss, destruction, or unauthorized access. Many commenters communicated concerns about the NGI System being used to track the expression of First Amendment rights. The NGI System is a biometric database. It is not utilized to conduct surveillance or track the expression of a citizen’s First Amendment rights. It should be noted that the FBI is not and cannot claim exemption from 5 U.S.C. 552a(e)(7), which, absent specific authorization or consent, prohibits the maintenance of records describing how any individual exercises rights guaranteed by the First Amendment. The FBI is not exempting the NGI System from all provisions of the Privacy Act. The protections of many of the provisions of the Privacy Act and the E-Government Act of 2002 are still in place; only the named Privacy Act exemptions have been claimed, if needed, to protect sensitive law enforcement and national security operations. Overall, the FBI has made only minor, administrative edits to the rule as originally proposed to ensure accuracy and consistency with the listed authorities and other subsections of 28 CFR part 16. The FBI has made no substantive changes to the rule as it was originally proposed. For the reasons identified in this publication, the Department and the FBI are issuing this final rule. List of Subjects in 28 CFR Part 16 Administrative practices and procedures, Courts, Freedom of information, Privacy Act. Pursuant to the authority vested in the Attorney General by 5 U.S.C. 552a and delegated to me by Attorney General Order 2940–2008, 28 CFR part 16 is amended as follows: PART 16—PRODUCTION OR DISCLOSURE OF MATERIAL OR INFORMATION 1. The authority citation for part 16 continues to read as follows: ■ Authority: 5 U.S.C. 301, 552, 552a, 553; 28 U.S.C. 509, 510, 534; 31 U.S.C. 3717. Subpart E—Exemption of Records Systems Under the Privacy Act 2. Amend § 16.96 by revising paragraphs (e) and (f) to read as follows: ■ E:\FR\FM\01AUR1.SGM 01AUR1 35654 Federal Register / Vol. 82, No. 146 / Tuesday, August 1, 2017 / Rules and Regulations § 16.96 Exemption of Federal Bureau of Investigation Systems—limited access. mstockstill on DSK30JT082PROD with RULES * * * * * (e) The following system of records is exempt from 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3) and (4); (e)(1), (2) and (3); (e)(4)(G), (H) and (I); (e)(5) and (8); (f) and (g): (1) The Next Generation Identification (NGI) System (JUSTICE/FBI–009). (2) These exemptions apply only to the extent that information in this system is subject to exemption pursuant to 5 U.S.C. 552a(j) or (k). Where compliance would not appear to interfere with or adversely affect the purpose of this system to detect, deter, and prosecute crimes and to protect the national security, the applicable exemption may be waived by the FBI in its sole discretion. (f) Exemptions from the particular subsections are justified for the following reasons: (1) From subsection (c)(3), the requirement that an accounting be made available to the named subject of a record, because this system is exempt from the access provisions of subsection (d). Also, because making available to a record subject the accounting of disclosures from records concerning the subject would specifically reveal investigative interest by the FBI or agencies that are recipients of the disclosures. Revealing this information could compromise ongoing, authorized law enforcement and national security efforts and may provide the record subject with the opportunity to evade or impede the investigation. (2) From subsection (c)(4) notification requirements because this system is exempt from the access and amendment provisions of subsection (d) as well as the accounting of disclosures provision of subsection (c)(3). The FBI takes seriously its obligation to maintain accurate records despite its assertion of this exemption, and to the extent it, in its sole discretion, agrees to permit amendment or correction of FBI records, it will share that information in appropriate cases. (3) From subsection (d) (1), (2), (3) and (4), (e)(4)(G) and (H), (e)(8), (f) and (g) because these provisions concern individual access to and amendment of law enforcement records and compliance and could alert the subject of an authorized law enforcement activity about that particular activity and the interest of the FBI and/or other law enforcement agencies. Providing access could compromise sensitive law enforcement information, disclose information that would constitute an unwarranted invasion of another’s personal privacy, reveal a sensitive VerDate Sep<11>2014 17:30 Jul 31, 2017 Jkt 241001 investigative technique, provide information that would allow a subject to avoid detection or apprehension, or constitute a potential danger to the health or safety of law enforcement personnel, confidential sources, or witnesses. Also, an alternate system of access has been provided in 28 CFR 16.30 through 16.34, and 28 CFR 20.34, for record subjects to obtain a copy of their criminal history records. However, the vast majority of criminal history records concern local arrests for which it would be inappropriate for the FBI to undertake correction or amendment. (4) From subsection (e)(1) because it is not always possible to know in advance what information is relevant and necessary for law enforcement purposes. The relevance and utility of certain information may not always be evident until and unless it is vetted and matched with other sources of information that are necessarily and lawfully maintained by the FBI. Most records in this system are acquired from state and local law enforcement agencies and it is not possible for the FBI to review that information as relevant and necessary. (5) From subsection (e)(2) and (3) because application of this provision could present a serious impediment to the FBI’s responsibilities to detect, deter, and prosecute crimes and to protect the national security. Application of these provisions would put the subject of an investigation on notice of that fact and allow the subject an opportunity to engage in conduct intended to impede that activity or avoid apprehension. Also, the majority of criminal history records and associated biometrics in this system are collected by state and local agencies at the time of arrest; therefore it is not feasible for the FBI to collect directly from the individual or to provide notice. Those persons who voluntarily submit fingerprints into this system pursuant to state and federal statutes for licensing, employment, and similar civil purposes receive an (e)(3) notice. (6) From subsection (e)(4)(I), to the extent that this subsection is interpreted to require more detail regarding the record sources in this system than has been published in the Federal Register. Should the subsection be so interpreted, exemption from this provision is necessary to protect the sources of law enforcement information and to protect the privacy and safety of witnesses and informants and others who provide information to the FBI. (7) From subsection (e)(5) because in the collection of information for authorized law enforcement purposes it is impossible to determine in advance PO 00000 Frm 00032 Fmt 4700 Sfmt 4700 what information is accurate, relevant, timely and complete. With time, seemingly irrelevant or untimely information may acquire new significance when new details are brought to light. Additionally, the information may aid in establishing patterns of activity and providing criminal leads. Most records in this system are acquired from state and local law enforcement agencies and it would be impossible for the FBI to vouch for the compliance of these agencies with this provision. The FBI does communicate to these agencies the need for accurate and timely criminal history records, including criminal dispositions. * * * * * Dated: July 13, 2017. Peter A. Winn, Acting Chief Privacy and Civil Liberties Officer, Department of Justice. [FR Doc. 2017–15423 Filed 7–31–17; 8:45 am] BILLING CODE 4410–02–P DEPARTMENT OF HOMELAND SECURITY Coast Guard 33 CFR Part 100 [Docket No. USCG–2017–0673] Special Local Regulations; SUP3Rivers the Southside Outside, Pittsburgh, PA Coast Guard, DHS. Notice of enforcement of regulation. AGENCY: ACTION: The Coast Guard will enforce a special local regulation for navigable waters of the Allegheny and Monongahela Rivers during the SUP3Rivers the Southside Outside event. This regulation is needed to provide for the safety of life during the marine event. During the enforcement period, entry into this regulated area is prohibited to all vessels not registered with the sponsor as participants or official patrol vessels, unless specifically authorized by the Captain of the Port Marine Safety Unit Pittsburgh (COTP) or a designated representative. DATES: The regulations in 33 CFR 100.801, Table 1, Sector Ohio Valley, line 29, will be enforced from 6:30 a.m. through 11:30 a.m. on September 2, 2017. SUMMARY: If you have questions about this notice of enforcement, call or email MST1 Jennifer Haggins, Marine Safety Unit Pittsburgh, U.S. Coast Guard; telephone FOR FURTHER INFORMATION CONTACT: E:\FR\FM\01AUR1.SGM 01AUR1

Agencies

[Federal Register Volume 82, Number 146 (Tuesday, August 1, 2017)]
[Rules and Regulations]
[Pages 35651-35654]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-15423]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

28 CFR Part 16

[CPCLO Order No. 007-2017]


Privacy Act of 1974; Implementation

AGENCY: Federal Bureau of Investigation, United States Department of 
Justice.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Bureau of Investigation (FBI), a component of the 
United States Department of Justice (DOJ or Department), is issuing a 
final rule to amend its Privacy Act exemption regulations for the 
system of records titled, ``Next Generation Identification (NGI) 
System,'' JUSTICE/FBI-009, last published in full on May 5, 2016. 
Specifically, the FBI exempts the records maintained in JUSTICE/FBI-009 
from one or more provisions of the Privacy Act. The listed exemptions 
are necessary to avoid interference with the Department's law 
enforcement and national security functions and responsibilities of the 
FBI. This document addresses public comments on the proposed rule.

DATES: This final rule is effective August 31, 2017.

FOR FURTHER INFORMATION CONTACT: Roxane M. Panarella, Assistant General 
Counsel, Privacy and Civil Liberties Unit, Office of the General 
Counsel, FBI, Washington DC, telephone 304-625-4000.

SUPPLEMENTARY INFORMATION: 

Background

    In 1990, the FBI published in the Federal Register a System of 
Records Notice (SORN) for the FBI system of records titled, 
``Identification Division Records System,'' JUSTICE/FBI-009. JUSTICE/
FBI-009 evolved into the ``Fingerprint Identification Records System 
(FIRS),'' also referred to as the ``Integrated Automated Fingerprint 
Identification System (IAFIS),'' published at 61 FR 6386 (February 20, 
1996), which covered individuals arrested or incarcerated, individuals 
applying for Federal employment or military service, registered aliens 
or naturalized citizens, and individuals wishing to place their 
fingerprints on record for personal identification purposes. The FIRS 
SORN included the following records:
    A. Criminal fingerprint cards and/or related criminal justice 
information submitted by authorized agencies having criminal justice 
responsibilities;
    B. Civil fingerprint cards submitted by Federal agencies and civil 
fingerprint cards submitted by persons desiring to have their 
fingerprints placed on record for personal identification purposes;
    C. Identification records sometimes referred to as ``rap sheets'' 
which are compilations of criminal history information pertaining to 
individuals who have criminal fingerprint cards maintained in the 
system; and
    D. A name index pertaining to all individuals whose fingerprints 
are maintained in the system.
    As the system expanded, records continued to fall within the 
general categories of records specified in the SORN. As a policy 
matter, however, and in an effort to better detail the enhancements 
made to the system, the FBI and DOJ determined that JUSTICE/FBI-009 
should be modified to more fully describe the features and capabilities 
of the system, which has since been renamed the Next Generation 
Identification (NGI) System. Important enhancements to the NGI System 
include the increased retention and searching of fingerprints obtained 
for the purposes of licensing, employment, obtaining government 
benefits, and biometric services such as improved latent fingerprint 
searching and face recognition technology. Leading up to the 
publication of the modified SORN and a Notice of Proposed Rulemaking 
(NPRM) for the NGI System, the FBI conducted a series of Privacy Impact 
Assessments that detailed the steps taken by the FBI to fully assess 
the privacy impacts of new and modified NGI System components, 
addressing potential risks and mitigation techniques.
    On May 5, 2016, the FBI issued a Notice of a Modified System of 
Records for the NGI System in the Federal Register at 81 FR 27284 (May 
5, 2016), and an NPRM at 81 FR 27288 (May 5, 2016). In determining 
whether to claim exemptions, the FBI did not simply rely on exemptions 
granted to the predecessor system of records, but thoroughly evaluated 
the NGI System and its various components to determine whether 
exemptions were necessary. The necessary exemptions were proposed in 
the NPRM along with supporting rationales, and are to be codified in 
accordance with the issuance of this final rule.

Response to Public Comments

    In its NGI System NPRM and Notice of a Modified System of Records, 
published on May 5, 2016, the Department invited public comment. The 
comment periods for both documents were originally set to close on June 
6, 2016, but were extended 30 days to allow interested individuals 
additional time to analyze the proposal and prepare their comments. The 
FBI received over 100 comments and letters from individuals, and from 
non-government, public interest, civil liberties, non-profit, and 
academic organizations. The FBI has closely reviewed and considered 
these comments. The following discussion is provided to respond to the 
NPRM comments and provide greater insight into the FBI's assessment of 
the need to claim exemptions from certain provisions of the Privacy Act 
for the NGI System.
    Many questions and comments were received concerning the breadth 
and scope of the exemptions claimed. As

[[Page 35652]]

noted in the NPRM and reiterated here, the following exemptions apply 
only to the extent information in this system is subject to exemption 
pursuant to 5 U.S.C. 552a(j) or (k). Where compliance with an exempted 
section of the Privacy Act would not appear to interfere with or 
adversely affect the purposes of the NGI System to support law 
enforcement and to protect national security, the applicable exemption 
may be waived by the FBI in its sole discretion.
    These exemptions are claimed with respect to the NGI System's 
records, which are compiled for the purposes of identifying criminal 
offenders or alleged criminal offenders, criminal investigations, and 
reports identifiable to an individual compiled throughout the criminal 
law enforcement process, including fingerprints, as well as associated 
biographic data, the nature and disposition of any criminal charges, 
and additional biometrics such as mugshots and palm prints, if 
available and if provided by the submitting agency. The NGI System 
records qualify for exemption from sections of the Privacy Act under 5 
U.S.C. 552a(j)(2) because the FBI's principal function is the 
enforcement of criminal laws and the records maintained in the NGI 
System fall into one or more of the categories listed in (j)(2). Due to 
the evolving nature of identity records and investigations and the 
scope of the NGI System, certain NGI System records may fall outside 
the scope of (j)(2) and would qualify for the specific exemptions under 
5 U.S.C. 552a(k)(2) and (5). The exercise of all exemptions is 
discretionary and the FBI will not exercise an exemption of any section 
of the Privacy Act that is not appropriate and necessary.

5 U.S.C. 552a(c)(3), Accounting of Disclosures Upon Request of the 
Named Subject

    Some of the comments communicated concerns about claiming 
exemptions from accounting and audit disclosure requirements. As with 
exemptions claimed under subsections (c)(4) and (d), exemption from 
(c)(3) disclosure requirements is necessary to preserve the integrity 
of ongoing investigations. Revealing this information could compromise 
ongoing, authorized law enforcement and national security efforts by 
alerting an individual to collaborative law enforcement and national 
security investigations as well as the relative interests of the FBI 
and/or other investigatory agencies. Although the vast majority of NGI 
System disclosures need not be provided in an accounting request, the 
FBI must claim this additional exemption to ensure its ability to 
protect the integrity of ongoing investigations.
    It is important to note that, despite claiming this exemption, the 
Privacy Act does not permit the FBI to exempt this system of records 
from the requirements codified under subsections 5 U.S.C. 552a(c)(1) 
and (c)(2). As a result, except under limited circumstances as outlined 
in the Privacy Act, the FBI is obligated to keep an accurate accounting 
of the date, nature, and purpose of each disclosure of a record 
maintained within this system of records, and retain the accounting for 
at least five years or the life of the record, whichever is longer, 
after the disclosure for which the accounting is made.

5 U.S.C. 552a(d)(1), (2), (3) and (4), (e)(4)(G) and (H), (e)(8), (f), 
Access to and Amendment of Records

    Many of the comments received concerned exemptions regarding the 
access to and amendment of records pursuant to 5 U.S.C. 552a(d)(1), 
(2), (3) and (4), (e)(4)(G) and (H), (e)(8), and (f). As with 
exemptions claimed to (c)(3) and (c)(4), providing access to these 
records could compromise ongoing investigations. It is necessary for 
the FBI to claim these exemptions because the NGI System also contains 
latent fingerprints, as well as other biometrics, and associated 
personal information that may be law enforcement or national security 
sensitive. Compliance with these provisions could alert the subject of 
an authorized law enforcement activity about that particular activity 
and the interest of the FBI and/or other law enforcement agencies. With 
that said, as cited in both the SORN and the NPRM, separate federal 
regulations (see 28 CFR 16.30-16.34 and 28 CFR 20.34) inform 
individuals of the process to access and amend their criminal history 
records in the NGI System. These regulations permit any person to 
receive his or her criminal history record for review and correction. 
If the individual has no criminal history record in the NGI System, he 
or she receives a letter confirming the absence of such record. 
Pursuant to the regulations, after an individual receives his or her 
criminal history record, he or she may consult both the FBI and the 
relevant criminal justice agency to correct or update the record. The 
vast majority of records in the NGI System have been entered by state 
and local law enforcement and require coordination with those agencies.
    In addition, pursuant to 28 CFR 50.12, agencies submitting 
fingerprints to the FBI for individuals seeking employment, licensing, 
or similar benefits are required to inform the applicants that their 
fingerprints will be searched in the NGI System and of the process for 
access and amendment under 28 CFR 16.30-16.34. The regulation also 
advises that agencies should afford the applicants the opportunity to 
correct or complete their records before making licensing or employment 
decisions. Additionally, for records claiming specific exemption under 
5 U.S.C. 552a(k), if an individual is denied any right, privilege, or 
benefit that he would otherwise be entitled by Federal law, or for 
which he would otherwise be eligible, further access may be available.
    Consequently, although the FBI has claimed exemptions to the 
notification, access, and amendment provisions of the Privacy Act for 
the NGI System, the FBI generally does not exercise these exemptions 
when doing so would not interfere with its law enforcement functions 
and responsibilities.

5 U.S.C. 552a(g), Rights of Judicial Redress

    The comments received also expressed concerns about the FBI's 
exemption from 5 U.S.C. 552a(g), which grants individuals the right to 
certain civil remedies under the Privacy Act. As a matter of 
clarification, the Privacy Act only permits an agency to exempt 5 
U.S.C. 552a(g) if the records in the system of records qualify for the 
general exemption provisions under 5 U.S.C. 552a(j). This exemption 
cannot be, and has not been, claimed for the records within the NGI 
System that qualify for only the specific exemptions under 5 U.S.C. 
552a(k).
    Additionally, many comments expressed concern that by claiming an 
exemption from 5 U.S.C. 552a(g), the FBI would somehow absolve itself 
of meeting even those provisions of the Privacy Act that are not 
subject to exemption because an individual's right to seek a cause of 
action for any provisions of the Privacy Act would be exempted. First, 
the FBI takes all of its constitutional and statutory requirements 
seriously, and does not limit its compliance to only those provisions 
of the Privacy Act subject to judicial redress. As addressed throughout 
this SUPPLEMENTARY INFORMATION section, even when an exemption is 
claimed, the FBI takes all reasonable and appropriate steps necessary 
to meet the requirements of the Privacy Act that would not interfere 
with its law enforcement functions and responsibilities. The FBI is 
subject to a number of oversight mechanisms to ensure compliance with 
its requirements under the Privacy Act,

[[Page 35653]]

including internal and external audits and inspections.
    Second, while the FBI has proposed an exemption from this provision 
for the NGI System, the exemption regulation is clear that the FBI will 
only claim exemptions to the extent that information in this system of 
records is subject to an exemption pursuant to the Privacy Act. Many 
courts have interpreted an agency's decision to exempt the Privacy 
Act's civil remedies provisions as only an exemption from a cause of 
action based on an exempted provision. In those jurisdictions, 
individuals are still permitted to exercise their right of judicial 
redress, pursuant to 5 U.S.C. 552a(g), for those provisions of the 
Privacy Act that are not subject to exemption.

5 U.S.C. 552a(e)(2), and (3), Collection Directly From the Individual

    Commenters also expressed concerns regarding the exemption from 
(e)(2) and (3) of the requirement to collect information directly from 
the individual.
    The vast majority of the records in the NGI System are contributed 
by state and local law enforcement agencies. Because the FBI is neither 
the arresting official, nor the agency issuing the license, evaluating 
the individual for employment, or offering the benefit, it is 
impossible for the FBI to collect information directly from the 
subject. However, in most circumstances these other agencies create the 
records using information obtained directly from the subject with his 
or her knowledge.
    Fingerprints and other biometrics and information are collected by 
other government agencies based on their legal authorities to collect 
such information and submit it to the FBI. For records created for the 
purpose of licensing, employment, or to obtain a government benefit, 
the FBI requires that specific notice be provided to the applicant. 
This notice, in the form of a Privacy Act statement, discloses the 
authority which authorizes the solicitation of the information, whether 
disclosure of such information is mandatory or voluntary, the principal 
purpose for which the information is intended to be used, the routine 
uses which may be made of the information, and the effects on the 
individual, if any, of not providing all or any part of the requested 
information.

5 U.S.C. 552a(e)(4)(I), Categories of Sources of Records

    The FBI also received a comment concerning exemption of the 
requirement to disclose sources of records contained in the NGI System. 
Despite claiming this exemption, the FBI has published in the NGI SORN 
the categories of sources of records to the extent that such disclosure 
would not compromise confidential sources or the safety of witnesses. 
However, to the extent such additional details would be required, it is 
believed that such detail may interfere with the Department's law 
enforcement functions and the responsibilities of the FBI. The FBI 
claims the exemption to (e)(4)(I) because greater specificity than was 
provided in the NGI SORN cannot be disclosed without compromising 
confidential sources or the safety of witnesses.

5 U.S.C. 552a(e)(5), Accurate, Relevant, Timely, and Complete

    The comments also expressed concerns regarding the NGI System's 
exemption from the (e)(5) requirements to maintain accurate, relevant, 
timely, and complete records. When collecting information for 
authorized law enforcement purposes, it is not always possible to 
determine in advance what information is accurate, relevant, timely, or 
complete. With time, additional facts, and analysis, information may 
acquire new significance. Although the FBI has claimed this exemption, 
it continuously works with its federal, state, local, tribal, and 
international law enforcement partners to maintain the accuracy of 
records to the greatest extent possible. The FBI does so with 
established policies and practices that include the review, audit, and 
validation of records, and formal agreements with partner agencies that 
require regular records updates. The law enforcement and national 
security communities have a strong operational interest in using up-to-
date and accurate records and will foster relationships with partners 
to further this interest. If alterations are made to criminal record 
sources outside the FBI, we encourage subject individuals to bring said 
documentation to the FBI's attention to ensure timely modification of 
an NGI System record.

General Comments on the NGI System

    A few commenters expressed concerns about the safety and security 
of the system. It should be noted that the FBI is not and cannot claim 
exemption from 5 U.S.C. 552a(e)(10), which requires agencies to 
establish appropriate administrative, technical, and physical 
safeguards to ensure the security and confidentiality of records and to 
protect against any anticipated threats or hazards to their security or 
integrity. In compliance with this provision of the Privacy Act and 
other security mandates, the NGI System has been developed and 
implemented in compliance with all federal information technology 
standards designed to safeguard personal information from loss, 
destruction, or unauthorized access.
    Many commenters communicated concerns about the NGI System being 
used to track the expression of First Amendment rights. The NGI System 
is a biometric database. It is not utilized to conduct surveillance or 
track the expression of a citizen's First Amendment rights. It should 
be noted that the FBI is not and cannot claim exemption from 5 U.S.C. 
552a(e)(7), which, absent specific authorization or consent, prohibits 
the maintenance of records describing how any individual exercises 
rights guaranteed by the First Amendment.
    The FBI is not exempting the NGI System from all provisions of the 
Privacy Act. The protections of many of the provisions of the Privacy 
Act and the E-Government Act of 2002 are still in place; only the named 
Privacy Act exemptions have been claimed, if needed, to protect 
sensitive law enforcement and national security operations.
    Overall, the FBI has made only minor, administrative edits to the 
rule as originally proposed to ensure accuracy and consistency with the 
listed authorities and other subsections of 28 CFR part 16. The FBI has 
made no substantive changes to the rule as it was originally proposed. 
For the reasons identified in this publication, the Department and the 
FBI are issuing this final rule.

List of Subjects in 28 CFR Part 16

    Administrative practices and procedures, Courts, Freedom of 
information, Privacy Act.

    Pursuant to the authority vested in the Attorney General by 5 
U.S.C. 552a and delegated to me by Attorney General Order 2940-2008, 28 
CFR part 16 is amended as follows:

PART 16--PRODUCTION OR DISCLOSURE OF MATERIAL OR INFORMATION

0
1. The authority citation for part 16 continues to read as follows:

    Authority: 5 U.S.C. 301, 552, 552a, 553; 28 U.S.C. 509, 510, 
534; 31 U.S.C. 3717.

Subpart E--Exemption of Records Systems Under the Privacy Act

0
2. Amend Sec.  16.96 by revising paragraphs (e) and (f) to read as 
follows:

[[Page 35654]]

Sec.  16.96  Exemption of Federal Bureau of Investigation Systems--
limited access.

* * * * *
    (e) The following system of records is exempt from 5 U.S.C. 
552a(c)(3) and (4); (d)(1), (2), (3) and (4); (e)(1), (2) and (3); 
(e)(4)(G), (H) and (I); (e)(5) and (8); (f) and (g):
    (1) The Next Generation Identification (NGI) System (JUSTICE/FBI-
009).
    (2) These exemptions apply only to the extent that information in 
this system is subject to exemption pursuant to 5 U.S.C. 552a(j) or 
(k). Where compliance would not appear to interfere with or adversely 
affect the purpose of this system to detect, deter, and prosecute 
crimes and to protect the national security, the applicable exemption 
may be waived by the FBI in its sole discretion.
    (f) Exemptions from the particular subsections are justified for 
the following reasons:
    (1) From subsection (c)(3), the requirement that an accounting be 
made available to the named subject of a record, because this system is 
exempt from the access provisions of subsection (d). Also, because 
making available to a record subject the accounting of disclosures from 
records concerning the subject would specifically reveal investigative 
interest by the FBI or agencies that are recipients of the disclosures. 
Revealing this information could compromise ongoing, authorized law 
enforcement and national security efforts and may provide the record 
subject with the opportunity to evade or impede the investigation.
    (2) From subsection (c)(4) notification requirements because this 
system is exempt from the access and amendment provisions of subsection 
(d) as well as the accounting of disclosures provision of subsection 
(c)(3). The FBI takes seriously its obligation to maintain accurate 
records despite its assertion of this exemption, and to the extent it, 
in its sole discretion, agrees to permit amendment or correction of FBI 
records, it will share that information in appropriate cases.
    (3) From subsection (d) (1), (2), (3) and (4), (e)(4)(G) and (H), 
(e)(8), (f) and (g) because these provisions concern individual access 
to and amendment of law enforcement records and compliance and could 
alert the subject of an authorized law enforcement activity about that 
particular activity and the interest of the FBI and/or other law 
enforcement agencies. Providing access could compromise sensitive law 
enforcement information, disclose information that would constitute an 
unwarranted invasion of another's personal privacy, reveal a sensitive 
investigative technique, provide information that would allow a subject 
to avoid detection or apprehension, or constitute a potential danger to 
the health or safety of law enforcement personnel, confidential 
sources, or witnesses. Also, an alternate system of access has been 
provided in 28 CFR 16.30 through 16.34, and 28 CFR 20.34, for record 
subjects to obtain a copy of their criminal history records. However, 
the vast majority of criminal history records concern local arrests for 
which it would be inappropriate for the FBI to undertake correction or 
amendment.
    (4) From subsection (e)(1) because it is not always possible to 
know in advance what information is relevant and necessary for law 
enforcement purposes. The relevance and utility of certain information 
may not always be evident until and unless it is vetted and matched 
with other sources of information that are necessarily and lawfully 
maintained by the FBI. Most records in this system are acquired from 
state and local law enforcement agencies and it is not possible for the 
FBI to review that information as relevant and necessary.
    (5) From subsection (e)(2) and (3) because application of this 
provision could present a serious impediment to the FBI's 
responsibilities to detect, deter, and prosecute crimes and to protect 
the national security. Application of these provisions would put the 
subject of an investigation on notice of that fact and allow the 
subject an opportunity to engage in conduct intended to impede that 
activity or avoid apprehension. Also, the majority of criminal history 
records and associated biometrics in this system are collected by state 
and local agencies at the time of arrest; therefore it is not feasible 
for the FBI to collect directly from the individual or to provide 
notice. Those persons who voluntarily submit fingerprints into this 
system pursuant to state and federal statutes for licensing, 
employment, and similar civil purposes receive an (e)(3) notice.
    (6) From subsection (e)(4)(I), to the extent that this subsection 
is interpreted to require more detail regarding the record sources in 
this system than has been published in the Federal Register. Should the 
subsection be so interpreted, exemption from this provision is 
necessary to protect the sources of law enforcement information and to 
protect the privacy and safety of witnesses and informants and others 
who provide information to the FBI.
    (7) From subsection (e)(5) because in the collection of information 
for authorized law enforcement purposes it is impossible to determine 
in advance what information is accurate, relevant, timely and complete. 
With time, seemingly irrelevant or untimely information may acquire new 
significance when new details are brought to light. Additionally, the 
information may aid in establishing patterns of activity and providing 
criminal leads. Most records in this system are acquired from state and 
local law enforcement agencies and it would be impossible for the FBI 
to vouch for the compliance of these agencies with this provision. The 
FBI does communicate to these agencies the need for accurate and timely 
criminal history records, including criminal dispositions.
* * * * *

    Dated: July 13, 2017.
Peter A. Winn,
Acting Chief Privacy and Civil Liberties Officer, Department of 
Justice.
[FR Doc. 2017-15423 Filed 7-31-17; 8:45 am]
 BILLING CODE 4410-02-P