Report 2015-130 Recommendation 10 Responses

Report 2015-130: The CalGang Criminal Intelligence System: As the Result of Its Weak Oversight Structure, It Contains Questionable Information That May Violate Individuals' Privacy Rights (Release Date: August 2016)

Recommendation #10 To: Justice, Department of

As the Legislature considers creating a public program for shared gang database oversight and accountability, Justice should guide the board and the committee to identify and address the shortcomings that exist in CalGang's current operations and oversight. The guidance Justice provides to the board and the committee should address, but not be limited to, developing best practices based on the requirements stated in the federal regulations, the state guidelines and state law, and advising user agencies on the implementation of those practices. The best practices should include, but not be limited to reviewing criminal intelligence, appropriately disseminating information, performing robust audit practices, establishing plans to recover from disasters, and meeting all of the State's juvenile notification law requirements. Justice should guide the board and the committee to develop these best practices by June 30, 2017.

Annual Follow-Up Agency Response From August 2022

The DOJ disseminated a "CalGang Disaster Recovery" plan to all CalGang Node Administrators. The plan establishes DOJ recommended hardware and software, such as high availability servers, a clustered environment, and local backups. The plan also presents a 16-step "Business Resumption" plan, in the event that there is an interruption to one or more critical information technology applications or technologies.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

The DOJ completed the last step necessary to demonstrate that this recommendation is fully implemented by providing to us its July 2022 disaster recovery plan for CalGang.

Annual Follow-Up Agency Response From August 2021

The Department of Justice Regulations for the Fair and Accurate Governance of the CalGang Database, became effective on October 22, 2020. The regulations mandate a supervisory review of all intelligence prior to entry, regular audits of records and gangs, and provide guidance on notifications and information requests. The DOJ continues to provide workflows, checklists, and guidance to law enforcement agencies on best practices of data integrity and security.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

The regulations DOJ promulgated fulfill most parts of our recommendation related to CalGang. Specifically, the regulations provide counties guidance on reviewing, auditing, and disseminating criminal intelligence, as well as on juvenile notification requirements. However, the regulations do not address, and DOJ do not otherwise provide evidence of, guidance to counties related to disaster recovery plans.

Annual Follow-Up Agency Response From November 2020

The DOJ continues to facilitate California Gang Node Advisory Committee (CGNAC) meetings and provide guidance on best practices through meetings, various types of correspondence, and training materials. DOJ staff have visited all of the node agencies, established positive working relationships, and conducted on-site inspections to ensure the security of physical records and equipment.

New regulations governing the access and use of CalGang and shared gang databases became effective on October 22, 2020. Prior to implementation of the regulations, the DOJ had already been working to provide training to all current users on the new mandates, system changes, and processes, and will continue to do so after the regulations are in place. The DOJ is diligently working to provide user law enforcement agencies with workflows, checklists, and other materials to ensure proper use of the system.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Annual Follow-Up Agency Response From August 2020

Since the last update was provided, the DOJ has actively worked with the Office of Administrative Law and is on track to promulgate regulations governing the access and use of CalGang which will satisfy this requirement, effective October 1, 2020. Until those regulations are in effect, the DOJ continues to facilitate CGNAC meetings; and provide guidance on best practices through meetings, various types of correspondence, and training materials. DOJ staff have visited all of the node agencies, established positive working relationships and conducted on-site inspections to ensure the security of physical records and equipment.

Prior to implementation of the regulations, the DOJ will provide training to all current users on the new mandates, system changes, and processes. The DOJ is diligently working to provide user law enforcement agencies with workflows, checklists, and other materials to ensure proper use of the system.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Annual Follow-Up Agency Response From October 2019

Since the last update was provided, the DOJ held several GDTAC meetings and will be promulgating regulations governing the access and use of CalGang, which will satisfy this requirement. The regulations are being delayed due to the high volume of public comments received during both the initial 45-day public comment period and the second 30-day comment period. It has taken DOJ additional time to fully consider and weigh each comment received and to make changes, where applicable, to the regulation packages. Dependent upon the comments received during this period, it is possible that we will need to make additional changes to the regulations, which may prompt an additional comment period. It is important that the DOJ develop the most effective set of regulations possible.

Until those regulations are in effect, the DOJ continues to facilitate California Gang Node Advisory Committee (CGNAC) meetings three times per calendar year; and provide guidance on best practices through meetings, various types of correspondence, and training materials. DOJ staff have visited eight of the nine node agencies to establish better relationships and conduct on-site inspections to ensure the security of physical records and equipment. It is the DOJ's goal to visit all node agencies before year-end and to continue to conduct periodic visits thereafter.

The DOJ continues to stress the importance of protecting personally identifiable information and the integrity of the database. Specifically, in March 2019, the DOJ procured software for all California Node Administrators to securely send large data files to/from external agencies via encrypted attachments when conducting audits. At the May 2019 CGNAC meeting, the DOJ provided an audit standard operating procedure to all Node Administrators based on a comprehensive methodology developed in consultation with the DOJ Research Center.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Annual Follow-Up Agency Response From August 2019

Since the last update, DOJ held several GDTAC meetings to draft regulations governing CalGang use and access. DOJ published the rulemaking package on May 10, 2019. DOJ received significant public comment, many of which were incorporated into the proposed regulations text. DOJ published the modified regulations text on July 31, 2019, for a subsequent comment period, which ends on August 31, 2019. Given the need to consider recently submitted comments and make any necessary changes, as well as the review times mandated by OAL and DOF, the DOJ will be unable to meet the January 1, 2020 deadline to publish the regulations.

Until those regulations are in effect, the DOJ continues to facilitate CGNAC meetings three times a calendar year, provide guidance on best practices through meetings, various types of correspondence, and training materials. DOJ staff have visited eight of the nine node agencies to establish better relationships and conduct on-site inspections to ensure the security of physical records and equipment. DOJ's plans to visit all node agencies before year-end and to continue to conduct periodic visits thereafter.

The DOJ continues to stress the importance of protecting personally identifiable information and the integrity of the database. Specifically, in March 2019, the DOJ procured software for all California node administrators to securely send large data files to/from external agencies via encrypted attachments when conducting audits. At the May 2019 CGNAC meeting, the DOJ provided an audit standard operating procedure to all Node Administrators based on a comprehensive methodology developed in consultation with the DOJ Research Center.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

Annual Follow-Up Agency Response From August 2018

Assembly Bill (AB) 90 (Chapter 695, Statutes of 2017), hereafter referred to as "AB 90", requires Justice (DOJ), with the advice of the Attorney General's Gang Database Technical Advisory Committee (GDTAC), to promulgate regulations governing the use, operation, and oversight of shared gang databases no later than January 1, 2020. These regulations will address many of the concerns outlined in the California State Auditor's (CSA's) report and include, but are not limited to, system integrity, standardized training, review of entered records, equipment security, access to the database, record disclosure, gang member or associate designation criteria, criteria for designating a criminal street gang, retention and purging of records, notice requirements and requests for removal. In addition, the DOJ must promulgate regulations specific to the CalGang database that address periodic audits to ensure the accuracy, reliability, and proper use of the database as well as standardized training for all users.

AB 90, which went into effect on January 1, 2018, eliminated the CalGang Executive Board and provided DOJ with responsibility to "administer and oversee the CalGang database." Since this mandate went into effect, the DOJ has held two GDTAC meetings to discuss regulations drafted by the DOJ, and has attended two California Gang Node Advisory Committee meetings, during which best practices concerning reviewing criminal intelligence information and auditing were reviewed. In addition, the CalGang database now requires users to certify that they have notified individuals, both adults and juveniles, being placed in the database for the first time.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented

1-Year Agency Response

Justice management attended the CalGang Executive Board and California Node Advisory Committee meetings in May 2017. At the meetings, the board and committee advised that they had updated the existing Policy and Procedures for the CalGang System manual to incorporate components identified in the audit recommendations. The new language was voted on and approved by the board. Justice did not review or provide input, but was provided a copy of the updated manual after it was approved and implemented by the board. In addition, the board is working to ensure consistency in juvenile notifications across the user agencies.

At the February 2017 board and committee meetings, the board requested that Justice examine the possibility of modifying the Attorney General's Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities to note that the document represents best practices, not requirements. In light of the pending legislation, it was determined Justice would postpone the request.

Since the introduction of Assembly Bill (AB) 90 and Senate Bill (SB) 505, both of which would implement the recommendations of the audit, Justice has been involved in conversations with the authors' offices, providing technical guidance and suggestions as to best ways to implement.

Justice has begun discussions with the CalGang vendor regarding development of disaster recovery planning.

Justice received funding and position authority from the Legislature for enhancements to the CalGang system with the Fiscal Year (FY) 2017-18 budget; however, Justice will have no authority to implement the recommendations made by the California State Auditor (CSA) until legislation is passed.

California State Auditor's Assessment of 1-Year Status: Pending

6-Month Agency Response

Justice compiled an internal Cal Gang working group consisting of management and staff from impacted Justice programs that is researching applicable state and federal regulations, law and guidelines, including the California Attorney General's Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities for future implementation of best practices procedures.

Justice management attended the CalGang Executive Board meetings on September 9, 2016 and February 3, 2017 and the California Node Advisory Committee meeting on February 2, 2017. At the meetings, the committee advised that it had drafted language to modify the existing Policy and Procedures for the CalGang System manual to incorporate the components identified in the audit recommendations. The new language was voted on by the board. The CalGang Executive Board requested that Justice examine the possibility of modifying the Attorney General's Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities to note that the document represents best practices, not requirements. The Justice working group is reviewing this recommendation from the CalGang Executive Board.

Justice currently has no existing resources, authority or program in place to handle oversight or administration of CalGang; thus, additional resources and funding will be needed to fully implement this recommendation.

California State Auditor's Assessment of 6-Month Status: Pending

60-Day Agency Response

Justice has compiled an internal CalGang working group consisting of management and staff from impacted Justice programs and has begun researching applicable state and federal regulations, law, and guidelines, including the California Attorney General's Model Standards and Procedures for Maintaining Criminal Intelligence Files and Criminal Intelligence Operational Activities.

Justice management also attended the recent CalGang Executive Board meeting on September 9, 2016.

Justice currently has no existing resources or program in place to handle oversight or administration of CalGang, however, the department has begun dialogue with the board on each recommendation and will do everything possible to begin implementation until additional resources and funding are granted to the department.

California State Auditor's Assessment of 60-Day Status: Pending

All Recommendations in 2015-130

Agency responses received are posted verbatim.