Report 2019-118 Recommendations

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Fresno should review its policy and draft or revise it as necessary. Also by August 2020, Fresno should post its revised policy on its website in accordance with state law.

To protect ALPR data to the appropriate standard, by August 2020 Fresno should identify the types of data in its ALPR system and, as Fresno reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

To protect ALPR data to the appropriate standard, by August 2020 Fresno should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

To ensure that the agreement with its cloud vendor offers the strongest possible data protections, by August 2020, Fresno should enter into a new contract with Vigilant that contains the contract provisions recommended in CJIS policy.

To ensure that ALPR images are being shared appropriately, by April 2020 Fresno should review the entities with which it currently shares images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

To ensure that ALPR images are being shared appropriately, by August 2020 Fresno should revise its written procedures for ALPR image-sharing, as necessary, to ensure that it follows those procedures.

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020 Fresno should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Fresno should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

To minimize the privacy risk of retaining ALPR images for a long period of time, Fresno should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by April 2020 Fresno should review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Fresno should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020 Fresno should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Fresno should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

To enable auditing of user access to and user queries of ALPR images, by April 2020 Fresno should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

To enable auditing of user access to and user queries of ALPR images, Fresno should ensure that its ALPR policy makes clear how frequently Fresno will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Fresno will retain the audit documents. Fresno should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

To enable auditing of user access to and user queries of ALPR images, by June 2021 Fresno should implement its audit plan and complete its first audit.

To better protect individual's privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to require Justice to draft and make available on its website a policy template that local law enforcement agencies can use as a model for their ALPR policies.

To better protect individual's privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to require Justice to develop and issue guidance to help local law enforcement agencies identify and evaluate the types of data they are currently storing in their ALPR systems. The guidance should include the necessary security requirements agencies should follow to protect the data in their ALPR systems.

To better protect individual's privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to establish a maximum data retention period for ALPR images. The Legislature should also establish a maximum data retention period for data or lists, such as hot lists, that are used to link persons of interest with license plate images.

To better protect individual's privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to require periodic evaluation of a retention period for ALPR images to ensure that the period is as short as practicable.

To better protect individual's privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to specify how frequently ALPR system use must be audited and that the audits must include assessing user searches.

To better protect individual's privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a manner that supports accountability for proper database use, the Legislature should amend state law to specify that those with access to ALPR systems must receive data privacy and data security training. The Legislature should require law enforcement agencies to include training on the appropriateness of including certain data in an ALPR system, such as data from CLETS.

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Los Angeles should review its policy and draft or revise it as necessary. Also by August 2020, Los Angeles should post its revised policy on its website in accordance with state law.

To protect ALPR data to the appropriate standard, by August 2020, Los Angeles should identify the types of data in its ALPR system and, as Los Angeles reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

To protect ALPR data to the appropriate standard, by August 2020, Los Angeles should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

To ensure that ALPR images are being shared appropriately, as Los Angeles develops its ALPR policy, it should be certain to list the entities with which it will share ALPR images and the process for handling image-sharing requests.

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020, Los Angeles should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Los Angeles should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

To minimize the privacy risk of retaining ALPR images for a long period of time, Los Angeles should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by April 2020, Los Angeles should review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Los Angeles should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020, Los Angeles should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Los Angeles should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

To enable auditing of user access to and user queries of ALPR images, by April 2020, Los Angeles should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

To enable auditing of user access to and user queries of ALPR images, Los Angeles should ensure that its ALPR policy makes clear how frequently Los Angeles will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Los Angeles will retain the audit documents. Los Angeles should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

To enable auditing of user access to and user queries of ALPR images, by June 2021, Los Angeles should implement its audit plan and complete its first audit.

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Marin should review its policy and draft or revise it as necessary. Also by August 2020, Marin should post its revised policy on its website in accordance with state law.

To protect ALPR data to the appropriate standard, by August 2020, Marin should identify the types of data in its ALPR system and, as Marin reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

To protect ALPR data to the appropriate standard, by August 2020, Marin should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

To ensure that the agreement with its cloud vendor offers the strongest possible data protections, by August 2020, Marin should enter into a new contract with Vigilant that contains the contract provisions recommended in CJIS policy.

To ensure that ALPR images are being shared appropriately, by April 2020, Marin should review the entities with which it currently shares images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

To ensure that ALPR images are being shared appropriately, by August 2020, Marin should develop a process for handling ALPR image-sharing requests that includes maintaining records separate from the Vigilant system of when and with whom it shares images. The process should verify a requesting agency's law enforcement purpose for obtaining the images and consider the requesting agency's need for the images. The process should be documented in Marin's ALPR policy and/or procedures.

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020, Marin should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Marin should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

To minimize the privacy risk of retaining ALPR images for a long period of time, Marin should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Marin should, by April 2020, review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Marin should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020, Marin should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Marin should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

To enable auditing of user access to and user queries of ALPR images, by April 2020, Marin should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

To enable auditing of user access to and user queries of ALPR images, Marin should ensure that its ALPR policy makes clear how frequently Marin will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Marin will retain the audit documents. Marin should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

To enable auditing of user access to and user queries of ALPR images, by June 2021, Marin should implement its audit plan and complete its first audit.

To ensure that its ALPR policy contains all of the required elements as specified in state law, by August 2020, Sacramento should review its policy and draft or revise it as necessary. Also by August 2020, Sacramento should post its revised policy on its website in accordance with state law.

To protect ALPR data to the appropriate standard, by August 2020, Sacramento should identify the types of data in its ALPR system and, as Sacramento reviews or drafts its ALPR policy, ensure that it clarifies the types of information its officers may upload into its ALPR system, such as, but not limited to, information obtained through CLETS.

To protect ALPR data to the appropriate standard, by August 2020, Sacramento should perform an assessment of its ALPR system data-security features, and make adjustments to its system configuration where necessary to comply with CJIS policy best practices based on that assessment.

To ensure that the agreement with its cloud vendor offers the strongest possible data protections, by August 2020, Sacramento should enter into a new contract with Vigilant that contains the contract provisions recommended in CJIS policy.

To ensure that ALPR images are being shared appropriately, by April 2020, Sacramento should review the entities with which it currently shares images, determine the appropriateness of this sharing, and take all necessary steps to suspend those sharing relationships deemed inappropriate or unnecessary.

To ensure that ALPR images are being shared appropriately, by August 2020, Sacramento should develop a process for handling ALPR image-sharing requests that includes maintaining records separate from the Vigilant system of when and with whom it shares images. The process should verify a requesting agency's law enforcement purpose for obtaining the images and consider the requesting agency's need for the images. The process should be documented in Sacramento's ALPR policy and/or procedures.

To minimize the privacy risk of retaining ALPR images for a long period of time, by August 2020, Sacramento should review the age of the ALPR images its personnel are searching for and ensure that its retention period for ALPR images is based on agency needs. Sacramento should reflect in its ALPR policy the updated retention period and state in its policy that it will reevaluate its retention period at least every two years.

To minimize the privacy risk of retaining ALPR images for a long period of time, Sacramento should include in its ALPR policy a retention period for data or lists, such as hot lists, used to link persons of interest with license plate images, and create necessary processes to ensure that those data unrelated to ongoing investigations are periodically removed from its ALPR system.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by April 2020, Sacramento should review all user accounts and deactivate accounts for separated employees, inactive users, and others as necessary.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, Sacramento should ensure that its ALPR policy specifies the staff classifications, ranks, or other designations that may hold ALPR system user accounts and that accounts are granted based on need to know and right to know.

To ensure that ALPR system access is limited to agency staff who have a need and a right to use ALPR data, by August 2020, Sacramento should develop and implement procedures for granting and managing user accounts that include, but are not limited to, requiring that supervisors must approve accounts for users, providing training to users before granting accounts, suspending users after defined periods of inactivity, and requiring regular refresher training for active users and training for users before reactivating previously inactive accounts. Sacramento should also ensure that it has procedures in place to deactivate an account immediately for an account holder who separates from the agency or who no longer needs a user account.

To enable auditing of user access to and user queries of ALPR images, by April 2020, Sacramento should assess the information its ALPR system captures when users access it to ensure that the system's logs are complete and accurate and that the logs form a reasonable basis for conducting necessary, periodic audits.

To enable auditing of user access to and user queries of ALPR images, Sacramento should ensure that its ALPR policy makes clear how frequently Sacramento will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Sacramento will retain the audit documents. Sacramento should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

To enable auditing of user access to and user queries of ALPR images, by June 2021, Sacramento should implement its audit plan and complete its first audit.