Report 2019-118 Recommendations

When an audit is completed and a report is issued, auditees must provide the State Auditor with information regarding their progress in implementing recommendations from our reports at three intervals from the release of the report: 60 days, six months, and one year. Additionally, Senate Bill 1452 (Chapter 452, Statutes of 2006), requires auditees who have not implemented recommendations after one year, to report to us and to the Legislature why they have not implemented them or to state when they intend to implement them. Below, is a listing of each recommendation the State Auditor made in the report referenced and a link to the most recent response from the auditee addressing their progress in implementing the recommendation and the State Auditor's assessment of auditee's response based on our review of the supporting documentation.

Recommendations in Report 2019-118: Automated License Plate Readers: To Better Protect Individuals' Privacy, Law Enforcement Must Increase Its Safeguards for the Data It Collects (Release Date: February 2020)

:
Recommendations to Fresno Police Department
Number Recommendation Status
1

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Fresno should review its policy and draft or revise it as necessary. Also by August 2020, Fresno should post its revised policy on its website in accordance with state law.

2

To protect ALPR data to the appropriate standard, by August 2020 Fresno should identify the types of data in its ALPR system and, as Fresno reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

3

To protect ALPR data to the appropriate standard, by August 2020 Fresno should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

4

To ensure that the agreement with its cloud vendor offers the strongest possible data protections, by August 2020, Fresno should enter into a new contract with Vigilant that contains the contract provisions recommended in CJIS policy.

5

To ensure that ALPR images are being shared appropriately, by April 2020 Fresno should review the entities with which it currently shares images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

6

To ensure that ALPR images are being shared appropriately, by August 2020 Fresno should revise its written procedures for ALPR image-sharing, as necessary, to ensure that it follows those procedures.

7

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020 Fresno should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Fresno should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

8

To minimize the privacy risk of retaining ALPR images for a long period of time, Fresno should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

9

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by April 2020 Fresno should review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

10

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Fresno should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

11

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020 Fresno should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Fresno should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

12

To enable auditing of user access to and user queries of ALPR images, by April 2020 Fresno should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

13

To enable auditing of user access to and user queries of ALPR images, Fresno should ensure that its ALPR policy makes clear how frequently Fresno will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Fresno will retain the audit documents. Fresno should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

14

To enable auditing of user access to and user queries of ALPR images, by June 2021 Fresno should implement its audit plan and complete its first audit.

Recommendations to Los Angeles Police Department
Number Recommendation Status
15

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Los Angeles should review its policy and draft or revise it as necessary. Also by August 2020, Los Angeles should post its revised policy on its website in accordance with state law.

16

To protect ALPR data to the appropriate standard, by August 2020, Los Angeles should identify the types of data in its ALPR system and, as Los Angeles reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

17

To protect ALPR data to the appropriate standard, by August 2020, Los Angeles should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

18

To ensure that ALPR images are being shared appropriately, as Los Angeles develops its ALPR policy, it should be certain to list the entities with which it will share ALPR images and the process for handling image-sharing requests.

19

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020, Los Angeles should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Los Angeles should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

20

To minimize the privacy risk of retaining ALPR images for a long period of time, Los Angeles should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

21

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by April 2020, Los Angeles should review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

22

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Los Angeles should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

23

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020, Los Angeles should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Los Angeles should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

24

To enable auditing of user access to and user queries of ALPR images, by April 2020, Los Angeles should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

25

To enable auditing of user access to and user queries of ALPR images, Los Angeles should ensure that its ALPR policy makes clear how frequently Los Angeles will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Los Angeles will retain the audit documents. Los Angeles should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

26

To enable auditing of user access to and user queries of ALPR images, by June 2021, Los Angeles should implement its audit plan and complete its first audit.

Recommendations to Marin County Sheriff's Department
Number Recommendation Status
27

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Marin should review its policy and draft or revise it as necessary. Also by August 2020, Marin should post its revised policy on its website in accordance with state law.

28

To protect ALPR data to the appropriate standard, by August 2020, Marin should identify the types of data in its ALPR system and, as Marin reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

29

To protect ALPR data to the appropriate standard, by August 2020, Marin should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

30

To ensure that the agreement with its cloud vendor offers the strongest possible data protections, by August 2020, Marin should enter into a new contract with Vigilant that contains the contract provisions recommended in CJIS policy.

31

To ensure that ALPR images are being shared appropriately, by April 2020, Marin should review the entities with which it currently shares images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

32

To ensure that ALPR images are being shared appropriately, by August 2020, Marin should develop a process for handling ALPR image-sharing requests that includes maintaining records separate from the Vigilant system of when and with whom it shares images. The process should verify a requesting agency's law enforcement purpose for obtaining the images and consider the requesting agency's need for the images. The process should be documented in Marin's ALPR policy and/or procedures.

33

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020, Marin should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Marin should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

34

To minimize the privacy risk of retaining ALPR images for a long period of time, Marin should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

35

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Marin should, by April 2020, review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

36

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Marin should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

37

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020, Marin should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Marin should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

38

To enable auditing of user access to and user queries of ALPR images, by April 2020, Marin should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

39

To enable auditing of user access to and user queries of ALPR images, Marin should ensure that its ALPR policy makes clear how frequently Marin will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Marin will retain the audit documents. Marin should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

40

To enable auditing of user access to and user queries of ALPR images, by June 2021, Marin should implement its audit plan and complete its first audit.

Recommendations to Sacramento County Sheriff's Department
Number Recommendation Status
41

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Sacramento should review its policy and draft or revise it as necessary. Also by August 2020, Sacramento should post its revised policy on its website in accordance with state law.

42

To protect ALPR data to the appropriate standard, by August 2020, Sacramento should identify the types of data in its ALPR system and, as Sacramento reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

43

To protect ALPR data to the appropriate standard, by August 2020, Sacramento should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

44

To ensure that the agreement with its cloud vendor offers the strongest possible data protections, by August 2020, Sacramento should enter into a new contract with Vigilant that contains the contract provisions recommended in CJIS policy.

45

To ensure that ALPR images are being shared appropriately, by April 2020, Sacramento should review the entities with which it currently shares images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

46

To ensure that ALPR images are being shared appropriately, by August 2020, Sacramento should develop a process for handling ALPR image-sharing requests that includes maintaining records separate from the Vigilant system of when and with whom it shares images. The process should verify a requesting agency's law enforcement purpose for obtaining the images and consider the requesting agency's need for the images. The process should be documented in Sacramento's ALPR policy and/or procedures.

47

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020, Sacramento should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Sacramento should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

48

To minimize the privacy risk of retaining ALPR images for a long period of time, Sacramento should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

49

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by April 2020, Sacramento should review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

50

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Sacramento should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

51

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020, Sacramento should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Sacramento should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

52

To enable auditing of user access to and user queries of ALPR images, by April 2020, Sacramento should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

53

To enable auditing of user access to and user queries of ALPR images, Sacramento should ensure that its ALPR policy makes clear how frequently Sacramento will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Sacramento will retain the audit documents. Sacramento should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

54

To enable auditing of user access to and user queries of ALPR images, by June 2021, Sacramento should implement its audit plan and complete its first audit.



Print all recommendations and responses.