Report 2019-118 Recommendations

When an audit is completed and a report is issued, auditees must provide the State Auditor with information regarding their progress in implementing recommendations from our reports at three intervals from the release of the report: 60 days, six months, and one year. Additionally, Senate Bill 1452 (Chapter 452, Statutes of 2006) requires auditees who have not implemented recommendations after one year to report to us and to the Legislature why they have not implemented them or to state when they intend to implement them. Below is a listing of each recommendation the State Auditor made in the report referenced and a link to the most recent response from the auditee addressing their progress in implementing the recommendation and the State Auditor's assessment of the auditee's response based on our review of the supporting documentation.

Recommendations in Report 2019-118: Automated License Plate Readers: To Better Protect Individuals' Privacy, Law Enforcement Must Increase Its Safeguards for the Data It Collects (Release Date: February 2020)

Recommendations to Fresno Police Department
Number Recommendation Status
1

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Fresno should review its policy and draft or revise it as necessary. Also by August 2020, Fresno should post its revised policy on its website in accordance with state law.

Partially Implemented
2

To protect ALPR data to the appropriate standard, by August 2020 Fresno should identify the types of data in its ALPR system and, as Fresno reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

Partially Implemented
3

To protect ALPR data to the appropriate standard, by August 2020 Fresno should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

Pending
4

To ensure that the agreement with its cloud vendor offers the strongest possible data protections, by August 2020, Fresno should enter into a new contract with Vigilant that contains the contract provisions recommended in CJIS policy.

Pending
5

To ensure that ALPR images are being shared appropriately, by April 2020 Fresno should review the entities with which it currently shares images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

Pending
6

To ensure that ALPR images are being shared appropriately, by August 2020 Fresno should revise its written procedures for ALPR image-sharing, as necessary, to ensure that it follows those procedures.

Partially Implemented
7

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020 Fresno should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Fresno should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

Fully Implemented
8

To minimize the privacy risk of retaining ALPR images for a long period of time, Fresno should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

Partially Implemented
9

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by April 2020 Fresno should review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

Partially Implemented
10

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Fresno should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

Partially Implemented
11

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020 Fresno should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Fresno should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

Partially Implemented
12

To enable auditing of user access to and user queries of ALPR images, by April 2020 Fresno should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

Fully Implemented
13

To enable auditing of user access to and user queries of ALPR images, Fresno should ensure that its ALPR policy makes clear how frequently Fresno will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Fresno will retain the audit documents. Fresno should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

Partially Implemented
14

To enable auditing of user access to and user queries of ALPR images, by June 2021 Fresno should implement its audit plan and complete its first audit.

Partially Implemented
Recommendations to Legislature
Number Recommendation Status
55

To better protect individuals' privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to require Justice to draft and make available on its website a policy template that local law enforcement agencies can use as a model for their ALPR policies.

Legislation Introduced
56

To better protect individuals' privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to require Justice to develop and issue guidance to help local law enforcement agencies identify and evaluate the types of data they are currently storing in their ALPR systems. The guidance should include the necessary security requirements agencies should follow to protect the data in their ALPR systems.

Legislation Introduced
57

To better protect individuals' privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to establish a maximum data retention period for ALPR images. The Legislature should also establish a maximum data retention period for data or lists, such as hot lists, that are used to link persons of interest with license plate images.

Legislation Introduced
58

To better protect individuals' privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to require periodic evaluation of a retention period for ALPR images to ensure that the period is as short as practicable.

No Action Taken
59

To better protect individuals' privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to specify how frequently ALPR system use must be audited and that the audits must include assessing user searches.

Legislation Introduced
60

To better protect individuals' privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to specify that those with access to ALPR systems must receive data privacy and data security training. The Legislature should require law enforcement agencies to include training on the appropriateness of including certain data in an ALPR system, such as data from CLETS.

No Action Taken
Recommendations to Los Angeles Police Department
Number Recommendation Status
15

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Los Angeles should review its policy and draft or revise it as necessary. Also by August 2020, Los Angeles should post its revised policy on its website in accordance with state law.

Pending
16

To protect ALPR data to the appropriate standard, by August 2020, Los Angeles should identify the types of data in its ALPR system and, as Los Angeles reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

Pending
17

To protect ALPR data to the appropriate standard, by August 2020, Los Angeles should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

Pending
18

To ensure that ALPR images are being shared appropriately, as Los Angeles develops its ALPR policy, it should be certain to list the entities with which it will share ALPR images and the process for handling image-sharing requests.

Pending
19

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020, Los Angeles should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Los Angeles should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

Pending
20

To minimize the privacy risk of retaining ALPR images for a long period of time, Los Angeles should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

Pending
21

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by April 2020, Los Angeles should review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

Pending
22

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Los Angeles should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

Pending
23

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020, Los Angeles should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Los Angeles should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

Pending
24

To enable auditing of user access to and user queries of ALPR images, by April 2020, Los Angeles should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

Pending
25

To enable auditing of user access to and user queries of ALPR images, Los Angeles should ensure that its ALPR policy makes clear how frequently Los Angeles will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Los Angeles will retain the audit documents. Los Angeles should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

Pending
26

To enable auditing of user access to and user queries of ALPR images, by June 2021, Los Angeles should implement its audit plan and complete its first audit.

Pending
Recommendations to Marin County Sheriff's Department
Number Recommendation Status
27

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Marin should review its policy and draft or revise it as necessary. Also by August 2020, Marin should post its revised policy on its website in accordance with state law.

Pending
28

To protect ALPR data to the appropriate standard, by August 2020, Marin should identify the types of data in its ALPR system and, as Marin reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

Pending
29

To protect ALPR data to the appropriate standard, by August 2020, Marin should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

Fully Implemented
30

To ensure that the agreement with its cloud vendor offers the strongest possible data protections, by August 2020, Marin should enter into a new contract with Vigilant that contains the contract provisions recommended in CJIS policy.

Fully Implemented
31

To ensure that ALPR images are being shared appropriately, by April 2020, Marin should review the entities with which it currently shares images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

Fully Implemented
32

To ensure that ALPR images are being shared appropriately, by August 2020, Marin should develop a process for handling ALPR image-sharing requests that includes maintaining records separate from the Vigilant system of when and with whom it shares images. The process should verify a requesting agency's law enforcement purpose for obtaining the images and consider the requesting agency's need for the images. The process should be documented in Marin's ALPR policy and/or procedures.

Fully Implemented
33

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020, Marin should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Marin should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

Pending
34

To minimize the privacy risk of retaining ALPR images for a long period of time, Marin should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

Pending
35

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Marin should, by April 2020, review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

Fully Implemented
36

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Marin should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

Pending
37

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020, Marin should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Marin should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

38

To enable auditing of user access to and user queries of ALPR images, by April 2020, Marin should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

Fully Implemented
39

To enable auditing of user access to and user queries of ALPR images, Marin should ensure that its ALPR policy makes clear how frequently Marin will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Marin will retain the audit documents. Marin should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

Partially Implemented
40

To enable auditing of user access to and user queries of ALPR images, by June 2021, Marin should implement its audit plan and complete its first audit.

Recommendations to Sacramento County Sheriff's Department
Number Recommendation Status
41

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Sacramento should review its policy and draft or revise it as necessary. Also by August 2020, Sacramento should post its revised policy on its website in accordance with state law.

42

To protect ALPR data to the appropriate standard, by August 2020, Sacramento should identify the types of data in its ALPR system and, as Sacramento reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

43

To protect ALPR data to the appropriate standard, by August 2020, Sacramento should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

44

To ensure that the agreement with its cloud vendor offers the strongest possible data protections, by August 2020, Sacramento should enter into a new contract with Vigilant that contains the contract provisions recommended in CJIS policy.

45

To ensure that ALPR images are being shared appropriately, by April 2020, Sacramento should review the entities with which it currently shares images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

46

To ensure that ALPR images are being shared appropriately, by August 2020, Sacramento should develop a process for handling ALPR image-sharing requests that includes maintaining records separate from the Vigilant system of when and with whom it shares images. The process should verify a requesting agency's law enforcement purpose for obtaining the images and consider the requesting agency's need for the images. The process should be documented in Sacramento's ALPR policy and/or procedures.

47

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020, Sacramento should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Sacramento should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

48

To minimize the privacy risk of retaining ALPR images for a long period of time, Sacramento should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

49

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by April 2020, Sacramento should review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

50

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Sacramento should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

51

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020, Sacramento should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Sacramento should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

52

To enable auditing of user access to and user queries of ALPR images, by April 2020, Sacramento should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

53

To enable auditing of user access to and user queries of ALPR images, Sacramento should ensure that its ALPR policy makes clear how frequently Sacramento will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Sacramento will retain the audit documents. Sacramento should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

54

To enable auditing of user access to and user queries of ALPR images, by June 2021, Sacramento should implement its audit plan and complete its first audit.


