(a) Policing databases should be as accurate, complete, and current as reasonably possible.
(b) A policing database should not be considered to have met this standard unless, at a minimum, the agency controlling it requires:
- (1) standardized procedures for entering data;
- (2) training of and supervision over those who enter data; and
- (3) periodic determinations, by an auditor outside the agency when possible, of whether the information in the database is accurate and is authorized to be retained in policing databases under §§ 6.01 and 6.02.
(c) Policing agencies should establish a procedure that allows persons identified in policing databases to correct or delete inaccurate information pertaining to them, as promptly as possible.
(d) To facilitate use of the correction procedure described in subsection (c), individuals whose information is in a policing database:
- (1) should be notified of that fact whenever the information is used as a basis for an adverse action against them involving a deprivation of liberty or property; and
- (2) should be entitled to obtain through open records laws or other appropriate channels the information pertaining to them, unless such access would demonstrably compromise legitimate policing objectives.
a. Steps to ensure accuracy. Significant negative consequences, including mistaken arrests or stops, loss of employment, and unnecessary stigmatization, can flow from the inclusion of erroneous information in a database. For example, at any given moment, there are tens of thousands of individuals at risk of detention or arrest because of invalid warrants. Erroneous or outdated arrest records can make obtaining housing, a job, or government benefits difficult or impossible.
To avoid those consequences, it is essential that databases contain accurate, complete and current information. But there are significant obstacles to achieving that goal. To begin with, the information that is entered in the database may be faulty for any number of reasons. Second, even if the information is accurate, it usually is entered into the database by human beings, who easily can make errors. Names can be misspelled or identities confused. Even technological inputs can be inaccurate, as when a GPS monitoring system misstates a car’s location because the satellite feed has been blocked. Third, information can become outdated.
Policing agencies have a duty to ensure the accuracy of any databases they maintain. This Section requires that agencies implement standardized procedures for inputting data and training and supervising those who carry out that task. It also requires that periodic checks on the database be conducted, by an outside auditing entity if possible, to monitor both the accuracy of data and its relevance to legitimate law-enforcement endeavors. If these requirements are not met, policing databases should not be accorded a presumption of reliability. The practical effect of this provision is that litigants and others should be able to challenge information contained in records systems that do not follow procedures designed to reduce error.
b. Correction procedures. To provide an additional protection against the negative consequences that can flow from the inclusion of erroneous information in a database, the policy authorizing the database should require that policing agencies provide a mechanism for correcting database errors. No-fly lists, gang-member lists, and arrest records are notorious for including inaccurate information or information that once was accurate but becomes out of date. Even diligent police agencies may not catch all errors or promptly remove erroneous information, and some agencies may fail to do so out of inertia or bias. Individuals should have the ability to eliminate erroneous information about them from the database as promptly as possible. Most jurisdictions have a process for correcting one’s criminal record, and some courts have recognized a due process interest in such a procedure.
c. Notice. This Section also requires that a policing agency notify individuals, either immediately or within a short period of time, when information about them in a policing agency’s database has led to an adverse action. (This notice requirement is independent of the provisions in § 3.05 that address notice to individuals who are subject to prosecution or information-gathering practices and in § 6.06(c) that require notice of data breaches). “Adverse action” is defined as a deprivation of liberty or property by government agents and would clearly encompass a delay or special screening at an airport based on a no-fly list or a stop on the street based on a gang-member list. Without such a notification requirement, an individual may be detained repeatedly or otherwise deprived of property or liberty because, unbeknownst to the individual, he or she has been identified erroneously as a person who warrants monitoring. This notification requirement should apply both when the subject is identified and when, as might be the case when the adverse action is based on an address or phone number, the subject is identifiable. Consistent with Principles of the Law, Data Privacy § 8, this Section also provides that, subsequent to such notice or independently of it, individuals who provide verifiable identification are entitled to view information about them in the policing database and, if the information is inaccurate, to take advantage of the correction procedure. However, in situations in which the individual has not been subject to an adverse action and is simply attempting to discover whether he or she is in a database, § 6.03(d)(2) requires that the individual use the formal process established by federal or state open records and privacy statutes for accessing information in government files. Further, agencies can decline to answer such requests if they can demonstrate that disclosure will demonstrably affect legitimate law-enforcement objectives, such as preventing the detection or capture of a suspect or protecting an informant when, for instance, the information is of such a nature that its source is obvious. In practice, this exception would prevent access to most open casefiles and some watchlists, but it generally would not prevent access to programmatic databases, which contain data obtained through suspicionless police actions, and it typically should permit access to closed casefiles and watchlists like those purporting to identify gang members or violent offenders.
1. Statutory and administrative approaches to ensuring accuracy. Statutes and regulations aimed at ensuring accuracy of databases have existed for some time. On the most general level, all privacy acts require reasonable efforts to maintain accuracy. See, e.g., 5 U.S.C. § 552a(e)(5) (agencies are to “maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.”). Specific to criminal-justice issues, the Code of Federal Regulations seeks to ensure “that criminal history record information wherever it appears is collected, stored, and disseminated in a manner to ensure the accuracy, completeness, currency, integrity, and security of such information and to protect individual privacy.” 28 C.F.R. § 20.1 et seq. (2017). The regulations require that criminal-disposition information appear in the database within 90 days of the decision and that the local agencies transmitting the information query the central state database to confirm the information’s accuracy. Id. They also state that “[c]riminal justice agencies shall institute a process of data collection, entry, storage, and systematic audit that will minimize the possibility of recording and storing inaccurate information and upon finding inaccurate information of a material nature, shall notify all criminal justice agencies known to have received such information.” Id. Finally, the regulations require that states provide individuals the right to access and review for accuracy and completeness their criminal-history records, and be afforded an opportunity to make corrections. Id. See also Dep’t Homeland Security Privacy Office, Ann. Privacy Rep. 4 (July, 2006), [https://perma.cc/J3SX-H7QR].
Consistent with those regulations, all states also have quality-control statutes. See Bureau of Justice Statistics, U.S. Dep’t of Justice, Compendium of State Privacy and Security Legislation: 2002 Overview (Nov. 2003) [https://perma.cc/8KXS-8X8K] (surveying state laws); see also Recommendations for Fusion Centers: Preserving Privacy and Civil Liberties While Protecting Against Crime and Terrorism, The Constitution Project 20-21 (2012), [https://perma.cc/2H6L-6JAJ] (describing state policies regarding correction of misinformation). However, in obvious tension with this Section, the federal government has exempted the National Criminal Information Center from the quality-control requirements applicable to other agencies because much of its information comes from state and local sources that, the government asserts, cannot be monitored easily. 28 C.F.R. § 19.96(b)(6) (2012). According to the Department of Justice, state retention and auditing practices have been and remain deficient, and “[m]uch more needs to be done to achieve uniformity in the improvement of record quality and completeness.” U.S. Dept. of Justice, The Attorney General’s Report on Criminal History Background Checks 126 (June, 2006), [https://perma.cc/4UH4-WM3F]. Although this report is now 15 years old, significant inaccuracy problems remain. See Wayne Logan & Andrew Ferguson, Policing Criminal Justice Data, 101 Minn. L. Rev. 541, 559-563 (2016).
Several solutions to the database-inaccuracy problem have been proposed: (1) a “national accreditation process for criminal history record repositories,” which would function much the same way that crime laboratories are accredited, U.S. Dept. of Justice, supra, at 126; (2) improved federal enforcement of the data-quality requirements that exist, perhaps by using funding as leverage, Logan & Andrew Ferguson, supra, at 596-604; (3) dictating that certain types of data, e.g., data from gang-member databases, is never admissible in a criminal proceeding, see, e.g., Rebecca A. Hustader, Immigration Reliance on Gang Databases: Unchecked Discretion and Undesirable Consequences, 90 N.Y.U. L. Rev. 671 (2014); (4) improved audits similar to those used in the healthcare system, cf. Nicole Gray Weiskoff & Chunhua Weng, Methods and Dimensions of Electronic Health Record Data Quality Assessment: Enabling Reuse for Clinical Research, 20 J. Am. Med. Informatics Ass’n 144, 145 (2013); (5) a loss of the presumption of database reliability if the state does not require regular auditing processes, Erin Murphy, Databases, Doctrine and Constitutional Criminal Procedure, 37 Fordham Urb. L.J. 803, 832 (2010); and (6) providing for a civil remedy if government fails to take corrective action.
Although all of those proposed solutions have some merit, this Section focuses on the latter three—auditing, a presumption against reliability if reliability-enhancing processes are not adopted, and the creation of a robust data-correction process. Auditing is a good first step to ensuring accuracy and completeness. But as Professor Erin Murphy points out, “it is arguably impossible to regulate databases substantively—to truly inquire whether a particular series of tests or entries or searches were accurate, fair, and correct.” Thus, she continued, “it is much easier to impose procedural requirements upon databases—to inquire into the existence and thoroughness of protocols for those processes and to presume inadequate or defective any database system maintained without them.” Murphy, supra, at 829. That recommendation is adopted in this Section.
The import of such a rule could be significant. In both Arizona v. Evans, 514 U.S. 1 (1994), and Herring v. United States, 555 U.S. 135 (2009), the defendant was arrested based on outdated arrest-warrant information in criminal-record databases. Although members of the Court were aware that those databases contain thousands of invalid arrest warrants, the Court refused to apply the exclusionary rule in either case. In Herring, however, Chief Justice Roberts stated that exclusion might be required if there were proof of knowing, reckless error, or if there were evidence of “systemic errors” that called into question the accuracy of the entire database. 555 U.S. at 147-148. Failure to monitor a database adequately in the manner set out in this Section could be considered rebuttable evidence of the type of “systemic error” to which Chief Justice Roberts referred. In any event, that would be the import of this Section.
2. Correction process. The third means of assuring accuracy adopted in this Section is a meaningful data correction process. Given the possible consequences of erroneous database information—wrongful arrests, restrictions on travel, damage to reputation—several commentators have argued that the Due Process Clause requires the government to provide a procedure for correcting database errors. See, e.g., Barry Friedman, Unwarranted: Policing Without Permission 259 (2017); Justin Florence, Making the No Fly List Fly: A Due Process Model for Terrorist Watchlists, 115 Yale L.J. 2148 (2006); Shaudee Navid, They’re Making a List but Are They Checking It Twice?: How Erroneous Placement on Child Offender Lists Offends Due Process, 44 U.C. Davis L. Rev. 1641 (2011). Consistent with this Section, the Principles of the Law, Data Privacy, provide that—with some exceptions that apply when the burden or risk of correction would outweigh the risks to the individual of failing to correct—“[d]ata controllers shall provide data subjects with a reasonable process by which they can challenge the accuracy of their personal data.” Principles of the Law, Data Privacy § 8(d)(1) (Am. L. Inst. 2000). If the challenge is successful, the data controller is to correct the error in all copies that it possesses; if the challenge is not successful, the Principles provide that “[w]hen reasonably practicable, the data subject shall be entitled to add a statement of disagreement to the record where the data is contained[;]” a statement that should accompany the data if transmitted to another entity. Id. § 8(d)(2).
As the Commentary to the Principles of the Law, Data Privacy, notes, various federal and state laws provide for both a corrective process and individual access to records. In addition to the federal regulations requiring a correction process noted above, the federal Privacy Act provides that government agencies “shall [permit an] individual” whose record is maintained by the agency: (1) “to review the record” and (2) “request amendment of a record.” 5 U.S.C. § 552a(d)(2) (2012) (originally styled as the Computer Matching and Privacy Protection Act of 1988). The Act also states that “if any individual is denied any right, privilege, or benefit that he would otherwise be entitled by Federal law, or for which he would otherwise be eligible, as a result of the maintenance of . . . material [in a record], such material shall be provided to such individual” unless a confidential informant’s identity would be revealed. 5 U.S.C. § 552a(k)(2). Similarly, the Fair Credit Reporting Act requires that an entity must, upon request of the consumer, disclose “information in the consumer’s file at the time of the request,” and provide a “right to dispute information in the file.” 15 U.S.C. § 1681g(c)(1)(B) (2012). Summarizing the best practices recommended in reports, guidelines, and model codes regarding consumer data in the United States, Canada, and Europe, the Federal Trade Commission suggested that mandatory disclosures be made, inter alia, of the uses to which the data will be put, potential recipients of the data, and the nature of the data and means by which it is collected, and that consumers be allowed both to correct inaccurate data and to seek monetary damages for violation of privacy standards. Fair Information Practice Principals, Federal Trade Commission (June 25, 2007), http://www.ftc.gov/reports/privacy3/fairinfo.shtm.
Most states also provide express statutory remedies for those seeking to correct law-enforcement records. See Ohio Rev. Code Ann. § 1347.09(A)(1) (West 2017) (providing for a data-correction process, and requiring notification of any corrections to parties designated by the individual); Soderlund v. Merrigan, 955 A.2d 107, 113-114 (Conn. App. Ct. 2008) (surveying cases allowing for a cause of action based on the view that failure to correct a record is a ministerial action not subject to immunity). However, they do not always require notification and are split as to whether the remedy is administrative or judicial. See Cal. Penal Code § 11126 (West 2017) (requiring an agency to respond to inquiries about whether a record exists and, if so, requiring that the individual first attempt to resolve any inaccuracy with the agency directly before moving on to an administrative proceeding); Colo. Rev. Stat. § 24-72-307 (2017) (requiring the individual to first make a written request for correction to the state’s custodian before allowing appeal in the district court of the jurisdiction where the record is located); Ga. Code Ann. § 35-3-37(e) (2017) (requiring the individual to file a complaint with the agency responsible for the record but allowing appeal to a court of original jurisdiction); Minn. Stat. § 13.08, 13.085 (2017) (providing for both injunctive action to compel compliance and administrative action for violations of state data practices). The Uniform Criminal Records Accuracy Act, proposed by the Uniform Law Commission, provides that subjects of records may seek correction of a criminal history record, that review of that request must take place with 40 days, and that, if correction is deemed necessary, it must be made within 14 days of that decision; further, notification of the correction must be sent to other agencies with which the information has been shared as well as to any person the subject identifies as having received the inaccurate information. Uniform Criminal Records Accuracy Act, §§ 303, 401-403 (Unif. L. Comm’n 2018).
The primary obstacle to both the due-process and the statutory-based corrective actions is a practical one. As Kenneth Karst noted long ago, “[d]iscovery of the inaccuracy depends on the subject’s access to his own file and his awareness of the need to inspect it. Even when a record is freely accessible to its subject, there is no assurance that the subject will know of its existence or its content.” Kenneth L. Karst, “The Files” Legal Controls over the Accuracy and Accessibility of Stored Personal Data, 31 L. & Contemp. Probs. 342, 358 (1966). Subsection (d)(1) addresses this obstacle by imposing an affirmative duty on the police to notify individuals that they are in a database when the database is used as a basis for a police action against them, such as a stop, preferably at the time of the action. This requirement is particularly important in connection with watchlists, such as no-fly lists and gang-member lists, which are notoriously expansive. Cf. Elhady v. Kable, 391 F.Supp.3d 562, 581-583 (E.D. Va. 2019) (holding that delays and special screenings at airports experienced by individuals thought to be on the federal Terrorist Screening Database were not “de minimis” and that these deprivations infringed procedural due process, given the absence of an “ascertainable standard for inclusion or exclusion” and “independent review” of placements on list); Gonzalez v. Immigr. & Customs Enf’t, 416 F. Supp. 3d 995 (C.D. Cal. May 7, 2019) (barring the Immigration and Customs Enforcement from issuing detainers based on information found in certain of its databases because they “often contain incomplete data, significant errors, or were not designed . . . to determine a person’s removability.”), rev’d in part, 975 F.2d 788, 822-223 (9th Cir. 2020) (requiring “additional findings of fact” regarding whether there was “systemic error” in the agency’s records). Unless individuals know about their presence on such lists, they cannot contest the accuracy of the information.
As an additional privacy measure, subsection (d)(2) provides that individuals should be able to inquire as to whether they are in a policing database, even if they have not received such notification. Granting access to one’s criminal record is a standard provision in open records laws. See, e.g., Va. Freedom of Information Act, § 22.3700 et seq. But this subsection applies to all information about a person in policing databases. The Principles of the Law, Data Privacy, similarly provide that “[d]ata subjects shall be entitled to obtain confirmation from a data controller as to whether or not the data controller or any data processor acting on behalf of the data controller stores personal data about them” and that, if such data is being stored, “this data subject shall be entitled to obtain access to the personal data.” Principles of the Law, Data Privacy § 8(a) and (b) (Am. L. Inst. 2000). However, those Principles also state that such access need not be provided when “the balance of interests between the data controller and the data subject weigh against access and an opportunity for correction,” id. § 8(e)(3), which, in the context of policing databases, this Section defines as situations in which disclosure would prevent capture of a suspect or endanger an informant. The federal Privacy Act makes a similar accommodation. Privacy Act, 5 U.S.C. § 552a(d)(5) (“nothing in this section shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.”).