R722-900. Access to Bureau Records  


R722-900-1. Purpose

The purpose of this rule is to establish procedures whereby criminal justice agencies, qualified entities, and individuals may obtain access to bureau records.


R722-900-2. Authority

  This rule is authorized by Subsections 53-10-108(9) and (10).


R722-900-3. Definitions

  (1) Terms used in this rule are found in Section 53-10-102.

  (2) In addition:

  (a) "agency" means a criminal justice agency as defined in Subsection 53-10-102(9) and 28 U.S.C. Subsection 534(e), a vendor entity, or a non-criminal entity authorized to access CJIS under state or federal law;

  (b) "bureau" means the Utah Bureau of Criminal Identification within the Department of Public Safety established by Section 53-10-201;

  (c) "CJIS" means the Criminal Justice Information System administered by the FBI;

  (d) "entity" means an entity qualified to access criminal history information under state or federal law;

  (e) "entity id" means an entity's unique identifier that is used to access criminal history information;

  (f) "FBI" means the Federal Bureau of Investigation within the United States Department of Justice;

  (g) "login id" means a unique identifier in UCJIS for a user or non-user;

  (h) "misuse" means the access, use, disclosure, or dissemination of records for a purpose prohibited or not permitted by statute, rule, regulation, or policy of a governmental entity;

  (i) "NCIC" means the National Crime Information Center;

  (j) "non-user" means a person working for or with an agency, who does not have direct access to UCJIS but has indirect access to records, including individuals who may:

  (i) access computer systems or programs used to access UCJIS files; or

  (ii) have unrestricted access to a location containing UCJIS records or a computer with UCJIS access;

  (k) "ORI" means originating agency identifier;

  (l) "provider" means a law enforcement agency as defined in Subsection 53-1-102(1)(c), the Utah Attorney General's Office, a county attorney's office, a district attorney's office, or a city prosecutor's office;

  (m) "records" means records created, maintained, or to which access is granted by the bureau, including criminal history information;

  (n) "right of access program" means a program established under Subsection 53-10-108(9) in which a provider makes an individual's UCH and warrant of arrest information available to the subject of the record;

  (o) "TAC" means an agency's terminal agency coordinator;

  (p) "UCH" means Utah Criminal History;

  (q) "UCJIS" means Utah Criminal Justice Information System, which includes the Criminal Justice Information System; and

  (r) "user" means a person working for or with an agency who has direct access to UCJIS or who obtains UCJIS records from a person who has direct access.


R722-900-4. Direct Access to UCJIS for Agencies

  (1) An agency seeking direct access to UCJIS shall submit a completed Criminal Justice Agency Application Packet to the bureau.

  (2)(a) The bureau shall submit the agency's information to the FBI, which shall determine whether the agency meets the requirements for access to CJIS records established by the FBI.

  (b) If the FBI determines the agency is entitled to access any CJIS records, the FBI shall assign the agency an ORI and the bureau shall notify the agency in writing what records it may access on UCJIS using the assigned ORI.

  (c)(i) If the FBI determines that the agency is not entitled to access records on CJIS, the bureau shall notify the agency of the FBI's decision and refer the agency to the agencies whose records are available on UCJIS to determine if the agency may have access to those records.

  (ii) If the agency is granted access to any records on UCJIS, the bureau shall assign the agency an ORI and notify the agency in writing which records the agency may access using that ORI.

  (iii) If the agency is not entitled to access any records on UCJIS, the bureau shall notify the agency in writing and provide notice of the right to appeal pursuant to R722-900-10.

  (3)(a) Within 30 days after an agency is granted access to records on UCJIS, it shall submit the following documents to the bureau:

  (i) a Criminal Justice Agency Agreement, signed by the agency administrator; and

  (ii) a CJIS fingerprint submission form with a legible FD258 fingerprint card for the TAC, which shall be retained in the FBI Rap Back System in accordance with Subsection 53-10-108(14).

  (b) The bureau shall conduct a fingerprint-based criminal history background check of the TAC.

  (c) If the bureau determines that the TAC meets all the requirements for access to UCJIS, the TAC shall complete the new TAC orientation training provided by the bureau within six months.

  (d) If the bureau determines that the TAC does not meet the requirements for access to UCJIS, the bureau shall notify the agency and the TAC in writing including notice of the right to appeal pursuant to R722-900-10.

  (4)(a) The agency TAC may conduct a criminal history check using the name and date of birth of each user or non-user at the agency when making a determination concerning employment by the agency.

  (b) The TAC shall create an account on UCJIS and assign the user or non-user a login id.

  (c) Before a user or non-user is allowed unescorted access to CJIS information or unescorted access to secure or controlled locations with CJIS information, the individual must be approved by the bureau to access CJIS information.

  (d) In order to obtain approval to access CJIS information, the TAC must submit to the bureau:

  (i) a UCJIS User Agreement for each user and non-user; and

  (ii) a CJIS fingerprint submission form with a legible FD258 fingerprint card for all users and non-users employed at the agency, which shall be retained in the FBI Rap Back System in accordance with Subsection 53-10-108(14).

  (e) The bureau shall conduct a fingerprint-based criminal history background check for all users and non-users employed at the agency.

  (f) If the bureau determines that a user or non-user meets the requirements for access to CJIS, the bureau shall notify the TAC that the user or non-user has been approved.

  (i) If the individual is approved by the bureau, but has a criminal record, the agency TAC shall notify the bureau that it intends to employ the individual before access to CJIS may be activated.

  (g) If the bureau determines a user or non-user does not meet the requirements for access to CJIS, the bureau shall notify the user or non-user, the TAC, and the agency administrator in writing which includes the right to appeal pursuant to R722-900-10.

  (5)(a) Within six months of assigning a login id to a user or non-user, the TAC shall train the user or non-user in accordance with the BCI Operations Manual.

  (b) Upon completion of the training, the TAC shall administer a test to the users and submit to the bureau a signed testing agreement form from each user indicating that the user passed all of the required training and testing.

  (6)(a) The TAC shall attend the annual TAC training meeting and provide updates to all users and non-users at the agency based on the training.

  (b) The TAC shall be responsible for ensuring that all users or non-users at the agency complete all training required by the bureau.

  (c) The TAC shall be responsible for ensuring that all users at the agency complete all re-testing required by the bureau.

  (d) The bureau may suspend or revoke a TAC's, user's, or non-user's access to records if the TAC, user, or non-user fails to complete the required training or testing.


R722-900-5. Access for Entities

  (1)(a) An entity seeking access to criminal background check information for employment background checks or other screening purposes shall submit a completed Qualified Entity Application Packet to the bureau, which includes the following:

  (i) a Qualified Entity Application Form;

  (ii) documentation that it is a business, organization, or governmental entity that is qualified to access criminal background check information;

  (iii) a description of why the entity is seeking to conduct employment background checks or other screenings;

  (iv) billing information; and

  (v) contact information for:

  (A) the entity's administrator; and

  (B) a point of contact.

  (2)(a) The bureau shall review the entity's application to determine whether the entity meets the requirements for access to criminal background check information found in state or federal law.

  (b) The bureau may request additional documentation from the entity to verify whether the entity is qualified to access criminal history information.

  (c) If the bureau determines that an entity is qualified to access criminal background check information, it shall notify the entity in writing and assign it an entity id.

  (d) If the bureau determines the entity is not qualified to access criminal background check information, the bureau shall notify the entity of the bureau's decision in writing and provide notice of the right to appeal pursuant to R722-900-10.

  (3)(a) Once an entity has been granted access to criminal background check information, it shall submit the following documents to the bureau:

  (i) a Qualified Entity Agreement, signed by the entity administrator; and

  (ii) a signed Qualified Entity Employee Agreement for each employee of the entity who will have access to criminal background check information.

  (b) Any employee of the entity who has access to criminal background check information shall successfully complete all training and testing required by the bureau.

  (c) The bureau may suspend or revoke access to criminal background check information if an employee of an entity fails to complete the required training and testing or violates any provision contained within the signed Qualified Entity Agreement or signed Qualified Entity Employee Agreement.


R722-900-6. Individual Right of Access

  (1) An individual may review his or her own criminal history record information contained in a UCH, by submitting a completed Criminal History Record Application to the bureau along with:

  (a) a set of fingerprints which have been verified with photo identification at the time the fingerprints were taken;

  (b) a copy of a government issued photo identification; and

  (c) payment of the processing fee required by Subsection 53-10-108(9)(b).

  (2)(a) An individual may challenge the completeness and accuracy of the information contained in the individual's UCH by submitting a completed Application to Challenge Criminal History Records to the bureau along with:

  (i) the challenge fee; and

  (ii) documentation to establish what information is missing or incorrect on the UCH.

  (b) The challenge process shall be an informal adjudicative proceeding under Section 63G-4-203.

  (c)(i) If the bureau determines that the individual's criminal history record information is incomplete or inaccurate, the bureau shall amend the UCH.

  (ii) The bureau shall send the individual a letter notifying the individual of the changes made to the individual's UCH and a copy of the individual's corrected UCH.

  (d)(i) If the bureau determines that the criminal history record information is correct, the bureau shall notify the individual in writing that the UCH shall not be amended.

  (ii) An individual may appeal the bureau's decision not to amend a record to district court in accordance with Section 63G-4-402.

  (e) If the bureau determines that the individual seeking to challenge the information in the UCH is not the subject of the record, the bureau shall notify the individual in writing.


R722-900-7. Right of Access Programs

(1) A provider seeking to establish a right of access program shall submit a completed Right of Access Contract.

(2)(a) The bureau shall review the Right of Access Provider Contract to determine whether the provider may conduct a right of access program.

(b) The bureau may request additional information from the provider to determine whether the provider may conduct a right of access program.

(c) If the bureau determines that a provider is qualified to conduct a right of access program, it shall notify the provider in writing.

(d) If the bureau determines the provider is not qualified to conduct a right of access program, it shall notify the provider of the bureau's decision in writing.


R722-900-8. Audits

(1)(a) All agencies and entities shall submit to audits conducted by the bureau.

(b) Upon request, an agency and entity shall complete the Pre-audit Request within 30 days from the date it is sent by the bureau.

(c) An agency and entity shall complete the Audit Survey within 30 days from the date it is sent out by the bureau.

(d) The bureau shall review the information submitted by the agency and entity to determine if the agency and entity is in compliance with applicable state and federal statutes, rules, and regulations.

(e) The bureau shall notify the agency and entity of the audit results in writing and give the agency, entity, or provider an opportunity to rectify any issues it found during the audit.

(f) The bureau may suspend or revoke an agency's access to UCJIS or an entity's access to criminal background check information if it fails to comply with the audit or rectify issues found during the audit.


R722-900-9. Misuse

  (1) Anyone who has reason to believe that records have been misused may submit a written complaint to the bureau.

  (2)(a) The bureau shall conduct a review of its records to determine if there is any evidence to support the complaint.

  (b) If the bureau finds evidence indicating records may have been accessed, used, disclosed, or disseminated, the bureau shall notify the agency TAC or entity point of contact and request that an internal review be conducted.

  (3) The agency or entity shall be responsible for conducting an internal review to determine if there has been misuse of a record and submit its findings to the bureau within 30 days.

  (4)(a) If the agency or entity determines there was misuse, the agency or entity shall submit a corrective action plan to the bureau.

  (b) The bureau shall review the corrective action plan to determine if the action taken by the agency or entity was sufficient to address the misuse.

  (5) If the bureau finds that an agency, entity, TAC, user, non-user, or employee of an agency or entity misused records, the bureau may:

  (a) suspend or revoke the access of the agency, entity, TAC, user, non-user, or employee of an agency or entity; and

  (b) refer the matter to the appropriate law enforcement agency for investigation and prosecution.

  (6) The bureau may suspend or revoke access to records by an agency, entity, TAC, user, non-user, or employee of an agency or entity if the agency, entity, TAC, user, non-user, or employee of an agency or entity fails to comply with any terms of the signed agreement.


R722-900-10. Appeal

  (1)(a) An agency or entity denied access to records may appeal the bureau's decision by sending a written request for review to the bureau within 30 days of the date of the denial of access.

  (b) An agency or entity may appeal the bureau's decision to deny a TAC, user, or non-user access to records by sending a written request for review to the bureau within 30 days of the date of the denial of access.

  (2) A request for review shall include:

  (a) a description of the grounds for review; and

  (b) supporting documentation.

  (3)(a) The bureau director or the director's designee shall review the request for review and issue a written decision within 30 days from the date of the appeal.

  (b) If the bureau's decision to deny an agency or entity is upheld, the bureau shall notify the agency or entity of the right to appeal to the district court by complying with the requirements in Section 63G-4-402.

  (c) If the bureau's decision to deny a TAC, user, or non-user is upheld, there shall be no further right of appeal.