
§ 999.228.

11 CA ADC § 999.228
Barclays Official California Code of Regulations
Effective: January 1, 2024

Barclays California Code of Regulations
Title 11. Law
Division 1. Attorney General
Chapter 19. Racial and Identity Profiling Act of 2015 Regulations
Article 5. Technical Specifications and Uniform Reporting Practices
11 CCR § 999.228
(a) Electronic System. The system developed by the Department shall require the electronic submission of data from reporting agencies.
(b) Submission of Data. Reporting agencies shall be provided with the following options to submit their stop data to the Department: (1) a web-browser based application, which shall include mobile capabilities for agencies that choose to use the Department's developed and hosted solution to submit stop data; (2) a system-to-system web service for agencies that elect to collect the data in a local system and then submit the data to the Department; and (3) a secured file transfer protocol for agencies that elect to collect the data in a local repository and then submit the data to the Department. Agencies that select option 3 shall be permitted to submit batch uploads of stop data in Excel spreadsheets and other delimited text formats of electronic documentation that complies with the Department's interface specifications.
(c) If a reporting agency's officers have not conducted any stops in the preceding calendar year, the reporting agency shall report to the Department that no stops were conducted, consistent with their reporting obligations under Government Code section 12525.5, subdivision (a).
(d) Reporting Schedule. Nothing in this section prohibits a reporting agency from submitting this data more frequently than required under Government Code section 12525.5, subdivision (a)(1). Due to the volume of the data, it is recommended that reporting agencies submit stop data on a monthly or quarterly basis. The Department shall accept data submitted on a more frequent basis, including data submitted daily.
(e) Reporting Responsibilities. Law enforcement agencies are solely responsible to ensure that neither personally identifiable information of the person stopped, nor any other information that is exempt from disclosure pursuant to Government Code section 12525.5, subdivision (d), is transmitted to the Department in the data element entitled “Location of Stop” required by section 999.226, subdivision (a)(4) and the explanatory fields required by section 999.226, subdivisions (a)(14)(B) and (16)(C)(2). By transmitting a stop data report to the Department, the law enforcement agency is attesting that it ensured that neither personally identifiable information nor any other information that is exempt from disclosure, as described above, is included in the stop data report. Unless otherwise provided, all information submitted in the stop data report, including the information entered into the data element entitled “Location of Stop” required by section 999.226, subdivision (a)(4) and the explanatory fields required by section 999.226, subdivisions (a)(14)(B) and (16)(C)(2), is subject to public disclosure consistent with Government Code section 12525.5, subdivision (d).
(f) System Security. The Department shall design its system to be easily accessible for authorized users, confidential, and accurate. The system will provide role-based authorization services. Reporting agencies will be required to authorize and remove users to the system as necessary. Automated systems handling stop data and the information derived therein shall be secure from unauthorized access, alteration, deletion or release.
(g) Data Standards. The Department shall publish a data dictionary and interface specifications to ensure uniform and complete reporting of stop data. These documents will define each required data element and acceptable data values. These data standards shall be consistent with the definitions and technical specifications set forth in this chapter.
(h) Data Publication. Data submitted to the Department will be published, at the discretion of the Attorney General and consistent with Government Code section 12525.5, on the Department's Open Justice website. The data published shall include disaggregated statistical data for each reporting agency. The Department shall not release to the public Unique Identifying Information or the Officer's I.D. Number, as defined in these regulations. Nothing in this section prohibits the Department from confidentially disclosing all stop data reported to the Department to a Confidential Stop Data Requestor to advance public policy and/or for scientific study, provided that any material identifying stopped persons or officers is used for Research Purposes and not transferred to an unauthorized third party, duplicated, revealed, or used for any other purposes and that reports or publications derived therefrom do not identify specific individuals. Any release of Confidential Stop Data containing personally identifying information or an Officer's I.D. Number will be done pursuant to the Department's data security protocols, which will ensure that the publication of any data, analyses, or research will not result in the disclosure of an individual officer's or stopped person's identity.
(1) “Research Purposes,” when used in this section, means analysis of data to conduct a systematic investigation, including research development, testing, or evaluation, which is designed to develop or contribute to (A) generalizable knowledge or (B) education on racial and identity profiling in law enforcement, as defined in subdivision (e) of Section 13519.4.
(2) “Confidential Stop Data,” when used in this section, is defined as personally identifying information or an Officer's I.D. Number, as defined in these regulations.
(3) A “Confidential Stop Data Requestor,” when used in this section, means an individual or entity:
(A) requesting disclosure of Confidential Stop Data for Research Purposes; and
(B) that has, and can maintain, security measures to prevent the unauthorized access of hard copies or electronic files containing Confidential Stop Data, as listed in subdivision (10)(R)-(T).
(4) A “Team Member,” when used in this section, means any individual who shares the same employer as the Confidential Stop Data Requestor or is employed by the Confidential Stop Data Requestor.
(5) “Data Request Application,” when used in this section, means the application developed by the Department's Research Services for an individual or entity to obtain approval to receive Confidential Stop Data.
(6) A Confidential Stop Data Requestor must only use the requested Confidential Stop Data to support Research Purposes, as defined in this section and as specified in the Data Request Application.
(7) A Confidential Stop Data Requestor must sign a form, acknowledging that the Confidential Stop Data Requestor will adhere to the following conditions, consistent with these regulations:
(A) Requests for Confidential Stop Data must be in writing and a Confidential Stop Data Requestor is strictly prohibited from using the Confidential Stop Data for any purpose other than the purpose for which the Confidential Stop Data was provided.
(B) The Confidential Stop Data Requestor shall not duplicate these data or disseminate it to a third party.
(C) The Confidential Stop Data Requestor must identify each Team Member who is expected to access the Confidential Stop Data.
(D) The Confidential Stop Data Requestor must notify the Department when a Team Member is removed from the project.
(E) The Confidential Stop Data Requestor and each Team Member must take precautions to protect Confidential Stop Data from unauthorized access for so long as the Confidential Stop Data Requestor maintains the data.
(F) The indicated location of where the Confidential Stop Data Requestor and each Team Member will access the requested data must be accurate and neither the Confidential Stop Data Requestor nor any Team Member will access the requested data outside of the provided location.
(G) The Confidential Stop Data Requestor must attest that they are in compliance with the Department's security protocols by signing the Non-Criminal Justice Information Security Requirements, which is described below in subdivision (h)(9)(R).
(H) The Confidential Stop Data Requestor must report all security incidents and breaches within 24 hours.
1. As used in these regulations, security incidents are defined as those incidents that actually or potentially jeopardized the confidentiality, integrity, or availability of an information system or network or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of the security requirements, policies, procedures, or information.
2. As used in these regulations, breach is defined as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where an unauthorized user accesses or potentially accesses the Confidential Stop Data, or an authorized user accesses the Confidential Stop Data other than for an authorized purpose.
(I) Within 90 days of concluding the research project or report identified in the Data Request Application, the Confidential Stop Data Requestor must destroy the requested data. Within 30 days of the data destruction, the Confidential Stop Data Requestor must notify the Department of the research project or report's completion and must submit a signed and dated certification, made under penalty of perjury, of data destruction.
(J) The Confidential Stop Data Requestor must take precautions to prevent re-identification of officers and stopped persons whose personally identifying information may be contained in these data, consistent with subdivision (h)(12).
(K) The Confidential Stop Data Requestor must further acknowledge that the failure to comply with the conditions identified in subdivision (h)(7)(A)-(J) may result in the loss of access to the Department's data for this and/or future research projects. In exercising its discretion to limit or end access to the Department's data for a current or future research project, the Department may consider the following, including but not limited to, the severity of the violation, whether personally identifying information or Confidential Stop Data was involved, any previous violations, the type of data disclosed or requested, and the violator's culpability.
(8) A Confidential Stop Data Requestor must electronically submit a completed Data Request Application to the Department's Research Services. The Department may deny a Data Request Application for failure to provide any of the required information listed in subdivision (h)(9). In exercising its discretion to deny a Data Request Application, the Department may consider the following factors, including but not limited to, whether the purposes do not meet the definition of Research Purposes under subdivision (h)(1), whether the missing information relates to the security measures required by these regulations, whether the missing information threatens disclosure of the Confidential Stop Data, and whether the missing information is a technicality, such as a missing zip code, that can be readily provided by the Confidential Stop Data Requestor.
(9) To complete the Data Request Application, a Confidential Stop Data Requestor must provide all of the following information and documentation in the Data Request Application:
(A) Designation as a new request or a modified request.
(B) Date of request.
(C) Name, phone number, and email address of the Confidential Stop Data Requestor.
(D) Address, city, state, and postal code of the Confidential Stop Data Requestor.
(E) Name, phone number, and email address of the Confidential Stop Data Requestor's information security officer or IT manager, if applicable.
(F) Project title.
(G) The name of the public agency or research body, if applicable.
(H) Date of anticipated completion of the project or the report.
(I) List of information for each Team Member that includes all of the following:
1. Name of Team Member.
2. The physical location from which the Team Member will access the requested data.
3. A signature acknowledging that the indicated location of where each team member will access the requested data is accurate; that no member will access the requested data outside the provided location; and that failure to comply with these terms may result in the loss of access to the Department's data for this and/or future research projects, consistent with subdivision (h)(7)(K).
4. Whether the Team Member is part of a data analysis team.
5. Whether the Team Member is part of an information technology team.
(J) The purposes and objectives of the project or report, including how the project or report serves its Research Purposes.
(K) How the requested data will be used to support the Research Purposes of the project or report.
(L) The expected benefits of the project or report.
(M) If applicable, the funding source of the project or report, including all of the following:
1. Whether the funding source is a public or private grant.
2. The grant period.
3. The grant expiration date.
(N) Proposed project design and methodology, including, but not limited to:
1. Where the data analysis will be conducted.
2. A detailed description of the requested data.
(O) If applicable, any information pertaining to other formal proposals, grants, or project approvals, including institutional review board approvals for the academic community. If the entity has an institutional review board, a copy of the institutional review board approval and all documentation submitted as part of that review and approval process, including the application number and expiration date. This approval must demonstrate that the institutional review board is aware of, and has considered, relevant federal and State laws and regulations regarding the general use of human subjects, and specifically the use of human subjects who are incarcerated, minors, or otherwise vulnerable populations.
(P) Curriculum vitae of the Confidential Stop Data Requestor.
(Q) A description of all security measures, compliant with NIST 800-171, that the Confidential Stop Data Requestor has in place to prevent the unauthorized access of hard copies or electronic files containing Confidential Stop Data, including at a minimum:
1. Encryption methods.
2. Anti-virus software.
3. Network security.
4. Physical storage location of the data.
5. Risks or confidentiality issues related to the storage location.
6. Whether the data is stored on a device with an internet connection.
7. Any software protection on the device on which the data is stored.
8. Whether hard copies of the data will be stored.
9. How the network attached storage is secured.
10. How the Confidential Stop Data Requestor will ensure the elimination of individual identifiers from subject records or publications when the project is completed.
(R) The Confidential Stop Data Requestor's signature and date of signature on the Department's Non-Criminal Justice Information Security Requirements, attesting that they are in compliance with the Department's security protocols. This document must include the following provisions and attachments:
1. The name, position title, signature, and date of signature, of the Confidential Stop Data Requestor's information security officer or IT manager, if applicable. If the Confidential Stop Data Requestor does not have an information security officer or IT manager, the name, position title, signature, and date of signature of the Confidential Stop Data Requestor.
2. A certification that the security controls are in place to meet the requirements of United States Department of Commerce, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 2, dated February 21, 2020, which is incorporated by reference.
3. Detailed description demonstrating compliance to the NIST 800-171 requirements, as described in these regulations.
4. If the data storage will be in a data server maintained by a cloud provider and/or a third-party data center, the Confidential Stop Data Requestor must submit one of the following: (a) a Systems and Organization Control (SOC) 2 type I or type II audit or (b) a Federal Risk and Authorization Management Program (FedRAMP) Authorization assessed at the moderate or high security baseline.
(S) Whether the Confidential Stop Data Requestor is capable of receiving data over a secure file transfer protocol.
(10) If the Data Request Application is approved, the Confidential Stop Data Requestor and all Team Members must complete and submit a notarized identification verification. After the notarized identification verification is received, the Department's Research Services will securely transfer the requested data to the Confidential Stop Data Requestor.
(11) Ninety (90) days before the expiration date of the approved Data Request Application, the Department's Research Services shall notify the Confidential Stop Data Requestor to submit a renewal request. The Confidential Stop Data Requestor shall complete the renewal process before the expiration date of the approved Data Request Application. A project renewal must be submitted in writing, on the Stop Data Requestor's official letterhead, to the Department's Research Services, and include all of the following information:
1. Any personnel changes and updated contact information, including removal or addition of the Confidential Stop Data Requestor or other Team Members.
2. Any technology changes to the location or procedures around where the stop data is stored or accessed.
3. Any environmental changes to the location or procedures around where the stop data is stored or accessed.
4. The name and contact information of the Confidential Stop Data Requestor information security officer or IT manager, if applicable.
(12) The Confidential Stop Data Requestor and Team Member(s) shall protect the confidentiality and take precautions to prevent the re-identification of officers and stopped persons whose unique identifying information or personally identifying information may be contained in the Confidential Stop Data. Examples of precautions include:
1. Not reporting any nonzero counts less than 10 for a category;
2. Not publishing counts and relying on percentages;
3. Collapsing across categories and displaying the results only as a percentage distribution;
4. Rounding and recoding; and
5. Separating information in charts, for instance, reporting demographic and location information separately from actions taken.
(13) The Confidential Stop Data Requestor and Team Member(s) shall protect the security of stop data, and shall ensure that the system or network containing the stop data is secure and segmented from other applications, shall limit access to the system or network to authorized persons identified in the Data Request Application, and shall take the following actions in the event of a security incident or breach:
1. Notify the Department's Research Services of a security incident or breach within 24 hours.
2. Submit a notification letter to the Department for publication on the Department's public website of any breach affecting the Confidential Stop Data of 500 individuals or more.
3. The Confidential Stop Data Requestor shall reimburse the Department for any losses or expenses resulting from the security incident or breach, such as expenses related to credit monitoring for individuals whose data was exposed by the security incident or breach.
4. The information security officer or information technology manager identified in the Confidential Stop Data Requestor's Data Request Application will be the Department's primary point of contact in case there is a security incident or breach. If no information security officer or information technology officer is identified in the Data Request Application, the Confidential Stop Data Requestor shall be the Department's primary point of contact.
(14) If the Confidential Stop Data Requestor requests remote access authorization, the Confidential Stop Data Requestor and each applicable Team Member must complete and submit a Researcher Confidentiality and Non-Disclosure Agreement (DOJRS 0003) (Rev. 05/2024), incorporated by reference in this chapter, and a Researcher Data Access User Agreement (DOJRS 0002) (Rev. 05/2024), incorporated by reference in this chapter. If the Confidential Stop Data Requestor or any Team Member is unable to meet the security requirements of the Researcher Data Access User Agreement, that Confidential Stop Data Requestor or Team Member may submit a Security Variance Form for Data Access Non-Compliance of Security Requirements (DOJRS 0001) (Rev. 05/2024), incorporated by reference in this chapter, for consideration by the Department's Research Services.
(15) When the Confidential Stop Data Requestor has concluded a research project or report, in accordance with the restrictions on use or disclosure of stop data, as specified in this section, the Confidential Stop Data Requestor must notify the Department's Research Services that the research project or report has concluded and submit to the Department's Research Services, in writing, a signed and dated certification, made under penalty of perjury, of data destruction confirming all of the following:
1. The project name and project number.
2. The type of data destroyed.
3. The name of the Confidential Stop Data Requestor.
4. All confidential information received from the Department's Research Services has been sanitized using one or more of the approved destruction methods listed in National Institute of Standards and Technology (NIST) Special Publication 800-88, Revision 1, Guidelines for Media Sanitization (December 2014), which is incorporated by reference.
5. The date that all electronic files containing stop data were destroyed.
6. The name of the witness or witnesses of the data destruction.
7. The position of the witness or witnesses of the data destruction.
8. Acknowledgement by the Confidential Stop Data Requestor that failure to comply with the data destruction protocols required by this section may result in an audit of the project associated with requested data. In exercising its discretion to audit a project for failure to comply with the data destruction protocols, the Department may consider the following, including but not limited to, the severity of the violation, whether Confidential Stop Data was involved, any previous violations, and the violator's culpability.
9. A description of the items disposed of or destroyed.
10. An explanation of the method of destruction used.
The destruction of data must take place within 90 days of the conclusion of the research project or report. The notification of the research project and conclusion and the dated certification, made under penalty of perjury, of data destruction must be submitted within 30 days of the data destruction.
(i) Nothing in this section prohibits a reporting agency from confidentially disclosing all of its stop data to advance public policy, for scientific study, or for analysis of the data for use by the agency itself. The reporting agency is responsible for establishing its own data security protocol to ensure that the publication of any data, analyses, or research will not result in the disclosure of Confidential Stop Data or an individual officer's identity.
(j) Retention Period. The Department shall retain the stop data collected indefinitely. Each reporting agency shall keep a record of its source data for a minimum of three years, and shall make this data available for inspection by the Department should any issues arise regarding the transfer of data to the Department. Each reporting agency is responsible for responding to requests made to the agency for its stop data, consistent with their obligations under the California Public Records Act, and shall not refer requestors to the Department to request information required to be retained by the reporting agency.

Credits

Note: Authority cited: Section 12525.5, Government Code. Reference: Section 12525.5, Government Code.
History
1. New article 5 (section 999.228) and section filed 11-7-2017; operative 11-7-2017 pursuant to Government Code section 11343.4(b)(3) (Register 2017, No. 45).
2. Amendment filed 8-5-2022; operative 8-5-2022 pursuant to Government Code section 11343.4(b)(3) (Register 2022, No. 31).
3. Amendment of subsections (h) and (h)(2) filed 10-11-2023; operative 10-11-2023 pursuant to Government Code section 11343.4(b)(3) (Register 2023, No. 41).
4. Amendment of subsection (e) filed 10-11-2023; operative 1-1-2024 pursuant to Government Code section 11343.4(a)(1) (Register 2023, No. 41).
5. Change without regulatory effect amending subsections (h)(5), (h)(8), (h)(10)-(11), (h)(13)1., (h)(14)-(15) and (h)(15)4. filed 5-29-2024 pursuant to section 100, title 1, California Code of Regulations (Register 2024, No. 22).
This database is current through 6/14/24 Register 2024, No. 24.
Cal. Admin. Code tit. 11, § 999.228, 11 CA ADC § 999.228