The following updated policy manual for the FBI National Data Exchange (N-DEx) was released August 28, 2013. The manual was updated to include substantial additions to the regulations governing use of information within the system and the maintenance of records for auditing of law enforcement agencies’ access to the system.
Criminal Justice Information Services (CJIS) Law Enforcement National Data Exchange (N-DEx)
- 22 pages
- August 28, 2013
1.1.1 Law Enforcement National Data Exchange (N-DEx) Mission: To provide law enforcement with a powerful new investigative tool to search, link, analyze and share law enforcement/criminal justice information such as, incident/case reports, booking and incarceration data, and parole and/or probation data on a national basis to a degree never before possible.
1.1.2 N-DEx Vision: To share complete, accurate, timely, and useful law enforcement/criminal justice information across jurisdictional boundaries and to provide new investigative tools that enhance the nation’s ability to fight crime and terrorism.
1.1.3 Scope of N-DEx policy: The N-DEx Policy and Operating Manual applies to all entities accessing N-DEx. N-DEx information shall be used only for the purpose indicated by the Use Code and used consistently with the coordination required by the Advanced Permission Requirement (confirming the terms of N-DEx information use). Any subsequent use of N-DEx information inconsistent with the original Use Code or the previously conducted Advanced Permission Requirement requires re-satisfaction of the Advanced Permission Requirement.
1.1.4 The N-DEx Policy and Operating Manual integrates presidential directives, federal laws, Federal Bureau of Investigation (FBI) directives, and the Criminal Justice Information Services (CJIS) Advisory Policy Board (APB) decisions to provide criminal justice agencies with a minimum set of policy and procedural requirements for participating in N-DEx and to protect and safeguard criminal justice information. This minimum set of requirements ensures continuity of N-DEx operation and information security.
1.1.5 The N-DEx Policy and Operating Manual may be used as the sole policy and operating manual for N-DEx participating agencies. A participating agency may complement the N-DEx Policy and Operating Manual with agency specific policy and operating procedures, or the participating agency may develop their own stand-alone policy and operating manual; however, the N-DEx Policy and Operating Manual shall always be the minimum standard and participating agencies may augment, or increase the standards, but shall not detract from the N-DEx Policy and Operating Standards.
1.1.6 The N-DEx Policy and Operating Manual applies to all entities with access to, or who operate in support of, N-DEx services and information. This policy manual is subject to change as a result of presidential directives, federal laws, FBI directives, and CJIS APB decisions. The terms of any policy and procedural change preempt any existing inconsistency contained herein.
1.1.7 The N-DEx Policy and Operating Manual is an unrestricted document and can be shared without limitation.
1.2 Operational Framework
1.2.1 The N-DEx system is a system managed within the framework of the CJIS System of Services and identified within the CJIS systems User Agreement.
1.2.2 Participating agencies and users must adhere to the CJIS Security Policy.
1.2.3 The N-DEx system stores vast amounts of criminal justice information which may be instantly retrieved by and/or furnished to any authorized agency.
1.2.4 N-DEx is restricted to documented criminal justice information obtained by criminal justice agencies in connection with their official duties administering criminal justice.
1.2.5 Within the context of N-DEx, leveraging refers to the capability to access National Crime Information Center (NCIC) and Interstate Identification Index (III) via a N-DEx search. Leveraging is only available if both the CJIS Systems Agency (CSA) and User Administrator (UA) authorize and enable this capability.
1.2.6 N-DEx will not contain criminal intelligence data as defined by Title 28, Code of Federal Regulations (C.F.R.), Part 23.
1.2.7 In accordance with the CJIS Security Policy and consistent with Title 28, C.F.R., Part 20, Subpart A, N-DEx system access is restricted to “criminal justice agencies” and agencies performing the “administration of criminal justice.”
1.2.8 N-DEx is an on-line real-time program and records are constantly being updated; therefore, record information can change at any time.
1.2.9 N-DEx is the national enhanced pointer and data discovery system for SBU, law enforcement sensitive, and Controlled Unclassified Information (CUI) class criminal justice data.
1.2.10 N-DEx is a fee free, secure, nationwide, computerized information sharing system established to fill an identified gap in the CJIS System of Services.
1.2.11 The N-DEx Program is a cooperative endeavor of local, state, tribal, and federal law enforcement/criminal justice entities, in which each entity is participating under its own legal status, jurisdiction and authorities. All N-DEx operations will be based upon the legal status, jurisdiction and authorities of individual participants. N-DEx is not intended, and shall not be deemed, to have any independent legal status.
1.2.12 Agencies shall participate in N-DEx in accordance with their own individual legal status, jurisdiction, restrictions, and authorities.
1.2.13 Participating agencies contribute information to N-DEx with an express promise of confidentiality.
1.2.14 N-DEx participants shall contribute or allow access to information via N-DEx, and agrees to permit the access, dissemination, and/or use of such information by other parties pursuant to the provisions of this policy. The record owning agency has the sole responsibility and accountability for ensuring that it is not constrained from permitting this access by any laws, regulations, policies, or procedures.
1.2.15 N-DEx is not created pursuant to a single federal statute; rather, N-DEx is the FBI’s response to the criminal justice community’s request to answer the challenge of information sharing.
1.2.16 All inquiries regarding the N-DEx system should be addressed to the FBI, CJIS Division, via e-mail: ndex@leo.gov; via telephone (304) 625-HELP [4357]: or via mail; Attention: N-DEx Program Office, Module B-3, 1000 Custer Hollow Road, Clarksburg, WV 26306-0153.
…
1.3.7 Use Code: The FBI’s CJIS Division maintains an audit trail of each disclosure and receipt of N-DEx data. Therefore, all N-DEx searches must include a Use Code identifying why the search was performed. While N-DEx supports this logging requirement through the N-DEx Portal, entities accessing N-DEx data through a web service must independently maintain these logs and must automate the Use Code transmission prior to any additional use other than “C.”
The following Use Codes are considered acceptable when searching N-DEx:
1.3.7.1 Administrative Use Code “A”: Must be used when N-DEx is utilized by a record-owning agency to retrieve and display N-DEx contributed records in association with performing the agency’s data administration/management duty. Responses for this purpose shall not be disseminated for any other reason and are limited to the record-owning agency portion of N-DEx records.
1.3.7.2 Criminal Justice Use Code “C”: Must be used when N-DEx is utilized for official duties in connection with the administration of criminal justice as the term is defined in 28 Code of Federal Regulations (CFR) § 20.3 (2011).
1.3.7.3 Criminal Justice Employment Use Code “J”: Must be used when N-DEx is utilized to conduct criminal justice employment background checks or the screening of employees of other agencies over which the criminal justice agency maintains management control.
In order to use N-DEx to conduct criminal justice employment background checks, the agency must adhere to the following notice and consent, redress and audit requirements:
Notice and Consent: The agency must provide notice to the applicant and the applicant must provide a signed consent. At a minimum one of the following or substantially similar statements must appear on an agency’s Notice and Consent form to an applicant, examples of which are provided below:General Statement:
The (agency’s name)’s acquisition, retention, and sharing of information related to your employment application is generally authorized under (state and federal citations). The purpose for requesting this information is to conduct a complete background investigation pertaining to your fitness to serve as a (employee type). This background investigation may include inquiries pertaining to your (employment) (education) (medical history) (credit history) (criminal history) and any information relevant to your character and reputation. By signing this form, you are acknowledging that you have received notice and have provided consent for (agency’s name) to use this information to conduct such a background investigation, which may include the searching of (N-DEx) (criminal justice databases) (private databases) (public databases).
Specific N-DEx statement:
I authorize any employee or representative of (agency’s name) to search N-DEx to obtain information regarding my qualifications and fitness to serve as a (employee type). I understand that N-DEx is an electronic repository of information from federal, state, local, tribal, and regional criminal justice entities. This national information sharing system permits users to search and analyze data from the entire criminal justice cycle, including crime incident and investigation reports; arrest, booking, and incarceration reports; and probation and parole information. This release is executed with full knowledge, understanding, and consent that any information discovered in N-DEx may be used for the official purpose of conducting a complete employment background investigation. I also understand that any information found in N-DEx will not be disclosed to any other person or agency unless authorized and consistent with applicable law. I release (agency’s name) from any liability or damage that may result from the use of information obtained from N-DEx.
Redress: The agency must provide applicants with an opportunity to challenge and/or correct records if employment is denied based on information obtained from N-DEx.
If employment is denied solely due to information obtained from N-DEx, and the applicant challenges the accuracy or completeness of those records, the denying agency shall provide the applicant with the contact information of the agency owning the information underlying the decision to deny. After receiving a written request from the applicant challenging the accuracy or completeness of the record used to deny employment, the record-owning agency shall then review the relevant information and advise the applicant in writing whether it has confirmed the accuracy or completeness of its records or whether the records will be corrected. If the applicant does not receive a response from the record-owning agency within 30 days from the date of the applicant’s written request, the applicant may contact the FBI CJIS Division N-DEx Unit, 1000 Custer Hollow Rd, Clarksburg, WV 26306. The FBI shall forward the challenge to the record-owning agency for verification or correction. The record-owning agency shall then review the relevant information and advise the applicant in writing whether it has verified its records or whether the records will be corrected. Agencies should inform applicants of their responsibility to provide any corrected information to the denying agency that may assist the record owning agency in its research on behalf of the applicant.
Audit: The agency must comply with certain procedural and documentation requirements.
All use of N-DEx for criminal justice employment background investigations shall require Use Code “J”. Agencies that contribute records to N-DEx shall be permitted and enabled to reject Use Code “J” requests. When N-DEx is searched as part of a criminal justice employment background investigation, the fact that the search was conducted must be documented in the applicant’s file. If information accessed through N-DEx is viewed and used during the criminal justice employment background investigation, the agency must document in the applicant’s file: (1) that the requesting agency received advanced authorization for the use of the information for employment purposes from the record-owning agency and (2) that the requesting agency has confirmed the accuracy of the information with the record-owning agency.
Agencies are expected to comply with the above requirements in addition to the existing N-DEx policy requirements (e.g. training, information sharing, data quality, system security) and all applicable laws and regulations. These additional requirements mitigate the privacy risks of using N-DEx to conduct criminal justice employment background checks and ensure that such use is implemented in a lawful and proper manner.
1.3.8 All users are required to provide a search reason. While the Use Code provides some lead information, it only provides a minimal audit trail. Requiring the reason for all searches will ensure N-DEx searches are conducted for authorized uses and use codes are correctly applied. It is recommended unique information, e.g., incident number, arrest transaction number, booking number, project name, description, etc., be entered to assist the user in accounting for appropriate system use for each transaction. This information shall be captured and maintained in a transaction log for a minimum of one year. While N-DEx supports this logging requirement through the N-DEx Portal, entities accessing N-DEx data through a web service must independently maintain these logs and are encouraged to automate the logging requirement.
1.3.9 Authorized Pre-Permission Use: N-DEx information may be viewed, output, or discussed without advance authorization of the record owning agency, within the record-requesting agency or another agency, if the other agency is an authorized recipient of such information by virtue of meeting the requirements for N-DEx access and is being serviced by the record-requesting agency. However, any recipient of N-DEx data must obtain advanced permission from the record-owning agency prior to acting upon any data obtained through N-DEx.
1.3.10 Advanced Permission Requirement: Terms of N-DEx information use must be obtained from the record-owning agency prior to reliance or action upon, or secondary dissemination. N-DEx information may only be relied or acted upon, or secondarily disseminated within the limitations specified by the record-owning agency. Reliance or action upon, or secondary dissemination of N-DEx information beyond the original terms requires further permission from the record owning agency. The use or inclusion of N-DEx information in the publication or preparation of charts, presentations, official files, analytical products or other documentation, to include, use in the judicial, legal, administrative, or other criminal justice process, etc., specifically requires advanced permission.
1.3.11 Verification Requirement: N-DEx information must be verified with the record-owning agency for completeness, timeliness, accuracy, and relevancy prior to reliance upon, action, or secondary dissemination.
1.3.12 Information returned specifically from an N-DEx leveraged CJIS System of Services system may only be used in accordance with the policies governing those specific systems.
1.3.13 Immediate use of N-DEx information can be made without the advanced permission of the record owning agency if there is an exigent circumstance – an emergency situation requiring swift action to prevent imminent danger to life or serious damage to property, or to forestall the imminent escape of a suspect, or destruction of evidence. The record-owning agency shall be immediately notified of any use made as a result of exigent circumstances.
1.3.14 Participating agencies are encouraged to consider how they may wish to account for use authorization requests and concurrences. While N-DEx does not systematically support nor require a log to be maintained, agencies are encouraged to consider how the advanced permission, verification, and data provision may be documented within their own organization.