HomeMy WebLinkAboutReports - 2024.01.18 - 40937
AGENDA ITEM: Data Use Agreement for the National Pretrial Reporting Program with the U.S.
Department of Justice's Bureau of Justice Statistics
DEPARTMENT: Public Services - Community Corrections
MEETING: Board of Commissioners
DATE: Thursday, January 18, 2024 6:00 PM - Click to View Agenda
ITEM SUMMARY SHEET
COMMITTEE REPORT TO BOARD
Resolution #2023-3693
Motion to approve the National Pretrial Reporting Program’s data transfer agreement with the U.S.
Department of Justice’s Bureau of Justice Statistics and authorize the Chair of the Board to execute
the agreement.
ITEM CATEGORY SPONSORED BY
Contract Penny Luebs
INTRODUCTION AND BACKGROUND
Community Corrections is seeking to enter into a Data Use Agreement with the Bureau of Justice
Statistics (BJS) to participate in the National Pretrial Reporting Program. The project has been
vetted and approved as secure by Oakland County IT Department regarding the data security for
releasing personal identifying information (PII) of individuals on Community Corrections
programming.
The National Pretrial Reporting Program (NPRP) was established by the U.S. Department of
Justice’s Bureau of Justice Statistics (BJS) to improve administrative / research data in the United
States by collecting criminal justice data from jails and pretrial services agencies, including all
aspects of case processing from filing through case disposition. The United States lacks criminal
justice data consolidation and systems as it relates to pretrial outcomes for defendants during the
arrest to final sanction phase. The lack of this data is an obstacle in evaluating programming, case
outcomes, and research. Research Triangle Institute International, with support from the National
Center for State Courts (NCSC), the National Association of Pretrial Services Agencies (NAPSA),
Applied Research Services (ARS), and Pragmatica Inc., have developed a partnership where data
from states and counties, including local courts, jails, and pretrial services agencies which can be
linked and stored from many domains. Entities that submit data will be from the 200 largest counties
in the United States, and can utilize data to assess their own practices, compare their agencies to
other national data, and provide researchers with data on pretrial detention, release, misconduct,
and appearance. The Oakland County Sheriff’s Office will also supply data to NPRP. The data
supplied in the project is specific to those in programming from 2019 only. It will require the initial
release of PII, but after linking data across agencies, BJS will strip and archive all PII from the data.
Statistical reports are aggregate and not on an individual level of reporting, thereby protecting PII.
The data use agreement and data transfer protocols have been vetted and approved by Information
Technology, Corporation Counsel, and Risk Management. The data requested is readily available
within Community Corrections, so the cost of data extraction is nominal and can be performed by
the current position of the User Support Specialist II.
BUDGET AMENDMENT REQUIRED: No
Committee members can contact Michael Andrews, Policy and Fiscal Analysis Supervisor at
248.425.5572 or andrewsmb@oakgov.com, or the department contact persons listed for additional
information.
CONTACT
Eric Schmidt, Chief Community Corrections Public Services
ITEM REVIEW TRACKING
Aaron Snover, Board of Commissioners Created/Initiated - 1/18/2024
AGENDA DEADLINE: 01/18/2024 6:00 PM
ATTACHMENTS
1. Attachment I_NPRP technical FAQs 2022 flyer
2. Attachment II_NPRP_Data_Extraction_Guide_jail_psa_1.26.23
3. Attachment III_bjs_data_protection_guidelines
4. Attachment IV_Requirements for BJS Access and Use of County's PII for signature 20231030
- clean
5. Attachment V_CJIS Requirements
6. MI Oakland County Community Corrections NPRP DUA - clean signed KMS
COMMITTEE TRACKING
2024-01-09 Public Health & Safety- Recommend to Board
2024-01-18 Full Board - Adopt
Motioned by: Commissioner Ajay Raman
Seconded by: Commissioner Ann Erickson Gault
Yes: David Woodward, Michael Gingell, Penny Luebs, Karen Joliat, Christine Long, Robert
Hoffman, Philip Weipert, Gwen Markham, Angela Powell, Marcia Gershenson, William Miller III,
Yolanda Smith Charles, Charles Cavell, Brendan Johnson, Ajay Raman, Ann Erickson Gault,
Linnie Taylor (17)
No: None (0)
Abstain: None (0)
Absent: Kristen Nelson, Michael Spisz (2)
Passed
U.S. Department of Justice
Office of Justice Programs
Bureau of Justice Statistics
National Pretrial Reporting Program JULY 2022
From 1988 through 2009, the Bureau of Justice
Statistics (BJS) collected and reported on court
processing data for felony cases in a sample of the 75
largest counties through the State Court Processing
Statistics (SCPS) program. SCPS was discontinued due
to staffing shortages and limited financial resources.
The new National Pretrial Reporting Program
(NPRP) seeks to collect data on the pretrial process
and to answer basic questions such as the number
of, demographics of, and charges associated with
defendants detained versus those released. Through
the NPRP, BJS seeks to expand the former SCPS data
collection to cover a sample of the 200 largest counties,
with a focus on pretrial release and detention. BJS has
partnered with RTI International, the National Center
for State Courts (NCSC), the National Association of
Pretrial Service Agencies (NAPSA), Applied Research
Services, Inc. (ARS), and Pragmatica, Inc. to collect
complete case processing data on adults charged with
felonies in the sampled counties, including pretrial
service, court, jail, and criminal history data.
What information will be collected?
We are seeking information on seven primary domains
of felony case-level data:
1.Current arrest charges (e.g., offense type, number
of charges)
2.Defendant demographic characteristics (e.g., age,
sex, race)
3.Prior criminal justice involvement (e.g., prior
arrests, prior convictions)
4.Pretrial release decision (e.g., released on recognizance,
released with financial conditions, detained)
5.Pretrial misconduct (e.g., failure to appear, arrest for
new charges, technical violation of pretrial release)
6.Disposition (e.g., jury trial, court trial, guilty plea)
7.Sentencing (e.g., term of incarceration and/or
probation, fines or fees, restitution).
What is the population of interest and the
reference year for the NPRP?
For courts, any person charged with at least one felony
charge between January 1, 2019 and December 31,
2019. For jails, any person booked with at least one
felony charge between January 1, 2019 and December
31, 2019. For pretrial service agencies, any person
referred for supervision between January 1, 2019 and
December 31, 2019.
How do you submit data?
Data providers should contact nprp@rti.org or call
1-800-647-9670 when they are ready to submit data.
The RTI Data Management Team will create a private,
password-protected user account for the Data POC to
upload data to AWS GovCloud S3 secure server. This
AWS GovCloud location will only be accessible from
the designated IP address, email address, and password
combination provided by your Data POC. Once data
access has been set up, your Data POC will log into
their private account to transfer requested data to a
secure central data storage system on AWS GovCloud.
How will the data be used?
Once received, BJS will use the data to publish reports
similar to the Felony Defendants in Large Urban
Counties series, available at bjs.ojp.gov. All reporting
will be in the aggregate, and no information identifying
your jurisdiction will be published.
BJS anticipates that courts, pretrial service agencies,
jails, and other stakeholders will find the NPRP data
useful in assessing their own practices or comparing
their agency to other similarly sized ones. The data
collection will include information from different
systems, such as the local courts, jails, pretrial service
agencies, and criminal history records generated by law
ATTACHMENT I
National Pretrial Reporting Program
2@BJSGovAskBJS@usdoj.govConnect with us:bjs.ojp.gov/subscribe@BJSGov
enforcement. The linking of these data allows BJS to
examine the movement of defendants and cases from
filing through pretrial detention or release, potential
misconduct during release, and adjudication and
sentencing. NAPSA and NCSC will work with the local
courts and pretrial service agencies to assist RTI in
understanding the data.
Example of pretrial release statistics from the SCPS
program we plan to collect in NPRP:
What will be archived from the NPRP?
BJS plans to archive the data under restriction at the
National Archive of Criminal Justice Data (NACJD).
Interested users must complete a Restricted Data Use
Agreement, specify the reasons for the request to
access the data, and obtain Institutional Review Board
approval or notice of exemption for their research.
State and county identifiers will not be included in the
archived file. There will be no personally identifiable
information (PII) included in the file. Data will be
edited so that individuals will not be re-identified in
the data. For example, dates will be set to the 1st or
15th of each month, rather than the exact day.
How do you define a felony charge?
A felony charge is defined as any charge that carries 1
year or more of incarceration as a potential sentence.
Type of pretrial release for felony defendants in
the 75 largest counties, 2009
Source: Bureau of Justice Statistics, State Court Processing
Statistics, 2009.
Type of pretrial release
Percent of released defendants
0 10 20 30 40 50
Emergency
Property bond
Full cash bond
Unsecured bond
Deposit bond
Conditional
Recognizance
Surety bond
How will you standardize charges across
counties?
The charges provided by each court and agency will
be mapped to National Crime Information Center
(NCIC) standard codes. After being mapped to the
NCIC, we will crosswalk the NCIC codes to BJS’s
National Corrections Reporting Program (NCRP).
What is the timeline for the NPRP?
BJS first determined the capacity of agencies to extract
data from their systems and the policies that may
be reflected in the data. To aid this effort, RTI and
NCSC conducted a series of policy and data capacity
interviews or surveys with courts, jails, and pretrial
service agencies. BJS expects that data collection in the
125 sampled counties will commence in the summer of
2022.
Why should you participate?
Collecting and analyzing case-level data regarding
pretrial release fills a critical information gap faced
by policymakers, court and jail staff, and other
stakeholders. The NPRP collection will provide
information about how many individuals are detained
without a bond set or how many are detained with
a bond set but did not post the bond. Additionally,
these data will provide statistics on pretrial release and
detention rates as well as pretrial misconduct rates.
Further, our analyses will provide other important
statistics about the use of bail schedules, pretrial risk
assessments, and bail reviews to help provide a national
picture of the use of these tools.
How can you find out more?
Erica Grasmick, NPRP Project Manager
Bureau of Justice Statistics
202-307-1402 | Erica.Grasmick@usdoj.gov
Matthew DeMichele, NPRP Principal Investigator
RTI International
919-541-6452 | mdemichele@rti.org
Cynthia Lee, NPRP Project Manager
National Center for State Courts
757-259-1583 | clee@ncsc.org
Jim Sawyer, NPRP Project Manager
National Association of Pretrial Service Agencies
202-957-4250 | Execdirector@napsa.org
December 2022
Electronic Data Extract Guide
Jails and Pretrial Services Agencies
Prepared by
Matthew DeMichele
Suzanne Strong
Milton Cahoon
RTI International
3040 E. Cornwallis Road
Research Triangle Park, NC 27709
OMB Control Number: 1121-0339 Expiration Date: 4/30/22
ATTACHMENT II
ii
Contents
Section Page
1. National Pretrial Reporting Program Overview 1-1
2. Data Preparation Instructions 2-1
2.1 Identifying Eligible Cases .......................................................................... 2-1
2.2 File Structure .......................................................................................... 2-2
2.3 File Format .............................................................................................. 2-2
2.4 Supporting Documentation ........................................................................ 2-2
3. Data Submission Instructions 3-3
3.1 Will the data be secure and kept confidential? ............................................. 3-4
3.1.1 Data Transmission .......................................................................... 3-4
3.1.2 Data Storage and Access ................................................................. 3-4
3.1.3 Data Publication ............................................................................. 3-5
3.2 When is the submission due? ..................................................................... 3-5
3.3 What if I am unable to provide all the requested data? ................................. 3-5
3.4 What happens after we submit the data? .................................................... 3-5
3.5 Who do I contact if I have questions? ......................................................... 3-6
Appendix
Appendix A: Requested Data Elements, Definitions, and Formats 1
2-1
1. National Pretrial Reporting Program Overview
The goal of the Bureau of Justice Statistics’ (BJS) National Pretrial Reporting Program
(NPRP) is to collect information on persons charged with felony cases in state courts, and to
collect contextual data on those persons from case filing to case disposition and sentencing.
The NPRP will collect case-level information on pretrial release and detention, financial and
other conditions associated with pretrial release, and any failures to appear, technical
violations, or new arrests that occur during pretrial release.
The project will be completed in several phases by RTI International, with support from
project partners National Center for State Courts (NCSC), National Association of Pretrial
Services Agencies (NAPSA), Applied Research Services (ARS), and Pragmatica, Inc. The first
phase collected information from states and counties about the systems that may collect
and store these data. Such systems included courts, local jails, and pretrial services
agencies. Data capacity surveys were conducted with each agency in the largest 200
counties in the U.S. The surveys allowed RTI and BJS to identify the data providers,
understand their systems capabilities, and identify variables that potentially could be used
to link the data across agencies.
The remaining phases involve a staged data collection from the 75 largest counties, and a
sample of 50 of the remaining 125 counties. RTI and BJS have developed a sampling plan to
maximize responsiveness and data representativeness and minimize respondent burden and
project costs.
2. Data Preparation Instructions
This section outlines how to prepare and submit your NPRP data extract submission.
2.1 Identifying Eligible Cases
Jails. Please include one record for each admission of an offender arrested for and booked
into the jail for at least one felony charge in calendar year 2019. If the offender appears in a
later admission with a felony charge, please include that as a separate admission. If your
jail management system organizes bookings in some other way, please contact the NPRP
staff listed in Section 3.5.
Pretrial services agencies. Please include one record for each defendant with at least one
new felony charge filed in your system as a new case in calendar year 2019, even if that
person was already a client. If you are unable to determine whether the charges included a
felony at the opening of the case, please contact the NPRP staff listed in Section 3.5.
2-2
2.2 File Structure
BJS is interested in a person-case and following that person-case from arrest and booking
into jail, through pretrial processing to court case outcomes. This is an individual- and case-
level data collection. You can provide data in any format that is convenient for you, but we
ask that you please provide supporting documentation, if available.
2.3 File Format
There is no required format for the data you submit; use whatever is most
convenient for you. All file formats will be accepted. Some common file formats include:
• Text files (fixed width, delimited)
• Excel or .csv files
• Access database extracts
• SQL server database
• Data analysis software files (e.g., SAS, STATA, SPSS, or R data files)
The suggested coding classifications and value labels are provided in Appendix A. You are
not asked to recode or manipulate your data prior to submission. If you have questions
about any of the data elements requested, please contact the persons listed in Section 3.5.
We recognize that systems vary in terms of the ability to store, extract, and share data, and
we are prepared to assist you.
Appendix A is a guide as to how we expect to recode and standardize the data you submit
so that jail, pretrial services, and court data all have similar formats. Additionally, data from
your jurisdiction will be combined with data from up to 75 other counties to get a robust
perspective of pretrial case processing in the U.S. During the data standardization process,
RTI and NCSC may be in contact with jurisdiction personnel to request clarification on data
fields and meanings to ensure that all submitted data are processed correctly.
2.4 Supporting Documentation
If possible, we ask that you provide supporting documentation with your submission.
Specifically, we request:
• Date range of the data (e.g., 01/01/2019 through 12/31/2019)
• Date that the data extract was pulled
• Data point of contact (POC) (i.e., name, organization, address, telephone, and email
address)
• File format of the data extract
• Known data limitations or quality issues
3-3
o Missing data:
System-missing (requested data element is not available in the
system)
Unit-missing (requested data element is available, but mostly blank or
missing)
o Other common data issues include
Misspellings
Redundancy or duplication (e.g., two date fields for one event)
• Data formatting information
o Data dictionaries, including variable/column names, variable description,
expected variable values
o Any known discrepancies in the names of data elements in Appendix A and
how your system labels the data elements
3. Data Submission Instructions
RTI will create a private, password-protected user account for each Data POC to upload data
to Amazon Web Services (AWS) Simple Storage Service (S3). This AWS S3 storage location
will only be accessible from designated network subnets. The Data POC will need to provide
their subnet range or specific IP address from which they will be accessing AWS S3 from so
the access control rules may be updated to grant access to the Data POC from their
network. A free and easy way to discover your IP address is to go to
https://www.iplocation.net/ Once data access has been set up, the Data POC will log into
their private account to transfer the requested data to a secure central data storage system
on AWS S3. RTI will not accept data submitted via unencrypted email.
Data security note: All data are encrypted in transit to AWS and at rest within AWS (SSL in
transit and AES 256-encryption at rest), complying with the FIPS 140-2 standard. The
secure AWS S3 repository will hold all raw data files received from the courts, jails, and
pretrial services agencies until they are processed, linked, de-identified, and subsequently
deleted by RTI data analysts. RTI controls access to the data storage system; all access to
data resources will be logged, and the entire infrastructure will be reviewed and regularly
scanned for vulnerabilities. The data storage system will be configured to deny public access
by default, and we will use Amazon’s Macie service to regularly scan and evaluate the
security status of the storage. All RTI and NCSC staff granted access to data files (identified
and deidentified files) will be required to sign a Staff Data Security Agreement. This pledge
outlines staff responsibilities for protecting the confidentiality of all information identifiable
3-4
to a private person that is collected during the project. The RTI Principal Investigator is
responsible for maintaining up-to-date record of signed pledges.
3.1 Will the data be secure and kept confidential?
Consistent with its statutory obligations (34 U.S.C. § 10134), BJS only uses information
collected under its authority for statistical or research purposes. Further, BJS is required by
law to protect the confidentiality of all personally identifiable information (PII) it collects or
acquires in conjunction with BJS-funded projects (34 U.S.C. § 10231), and must maintain
the appropriate administrative, physical, and technical safeguards to protect the identifiable
information against improper use or unauthorized disclosure. BJS will not use or reveal data
identifiable to a private person, except as authorized under 28 CFR § 22.21 and § 22.22.
The BJS Data Protection Guidelines summarize the federal laws, regulations, and other
authorities that govern information acquired under BJS’s authority, and are published on the
BJS website: https://www.bjs.gov/content/pub/pdf/BJS_Data_Protection_Guidelines.pdf.
RTI and NCSC are required to adhere to these same requirements as a condition of funding.
3.1.1 Data Transmission
RTI and NCSC project staff will receive data sets in a secure manner via an encrypted AWS
GovCloud S3 server, appropriate for files with PII. RTI will create a private, password-
protected user account that relies on an email address and IP address for each agency to
upload data to the AWS S3 storage location. This AWS S3 storage location will only be
accessible for the email and IP address granted access to the server. Any data set(s)
electronically transmitted to BJS will be over the DOJ’s Office of Justice Programs (OJP)
secure transfer site.
3.1.2 Data Storage and Access
The secure AWS S3 repository will hold all raw data files received from the agencies until
they are processed, linked, and subsequently deleted by RTI. Once received and linked with
other available records, raw data files will be stripped of PII and replaced with an
anonymous identifier. RTI will retain a PII-anonymous identifier crosswalk in case a revised
file is submitted later. This file will be encrypted, password protected, and stored on a
secure RTI server in the event the AWS S3 storage location is breached. Access to the S3
instance will be restricted to individuals with an identified business need. RTI controls
access to the data storage system; all access to data resources will be logged, and the
entire infrastructure will be reviewed and regularly scanned for vulnerabilities. PII is
encrypted while in transit, and access to the data will be limited to those employees who
3-5
have a need for such data and have signed a confidentiality pledge. The pledge includes an
agreement to comply with all data security and human subjects' protection requirements.
3.1.3 Data Publication
BJS only publishes de-identified data at the aggregate level in its project findings, reports,
data files, and other statistical products. BJS archives its published data and related data
documentation (e.g., user guides) at the National Archive of Criminal Justice Data (NACJD),
located at the University of Michigan. To the extent practical, BJS removes, masks, or
collapses direct and indirect identifiers prior to sending data to NACJD to protect
confidentiality. NACJD takes additional precautions to protect confidentiality, including
conducting a comprehensive disclosure risk review to determine the appropriate level of
security that should be applied to the data. For more information on data requiring
additional security protections, please see:
https://www.icpsr.umich.edu/icpsrweb/content/NACJD/restricted.html.
We understand that your agency may have preexisting policies in place around data
sharing, and we will work with your agency to meet any data transfer or agreement
requirements you may have. While each of the identified data elements was selected to help
fully understand the processing of case data, we recognize that not all data elements may
be collected or readily available electronically for public use. Please notify us if you limit the
amount or type of data you can release.
3.2 When is the submission due?
We ask that all participating agencies review this request, and provide a data extract to RTI
within 2 months. Please reach out to the staff identified in Section 3.5 if you need additional
time to submit your data.
3.3 What if I am unable to provide all the requested data?
The data extract guide is intended for use by pretrial services agencies and jails. We do not
expect that any one organization has all of the data elements requested in Appendix A. If
your agency does not collect any of the information in Appendix A, or it would be too
burdensome to provide the data, please contact the staff in section 3.5.
3.4 What happens after we submit the data?
RTI or NCSC will review the contents of the data files and conduct a series of checks to the
data elements requested in the Appendix A. This should be completed within 2-4 weeks of
submission. RTI or NCSC will then contact the Data POC to review and confirm the findings
3-6
from the review. We may also have questions about variable values or labels and will take
all steps to understand your data submission.
3.5 Who do I contact if I have questions?
You may reach out to any of the following RTI staff members for questions or support in
submitting your data:
• Bryan Rhodes – NPRP Data Acquisition Lead
o Email: brhodes@rti.org or nprp@rti.org
o Phone: 1-800-647-9670
• Ian Silver – NPRP Project Director
o Email: isilver@rti.org or nprp@rti.org
o Phone: 1-800-647-9670
A-1
Appendix A:
Requested Data Elements, Definitions, and Standard Formats
The following series of tables includes the data elements for the NPRP. The name of the variable and the description provided
should help you to locate a similar data element in your data management systems. We are also including a standard format,
which is how we expect to standardize the data you submit.
Please contact anyone in Section 3.5 if you have any questions about the following data elements.
Table 1. Individual Identifiers and Demographic Data
Name Definition Standard Formats
First name The individual’s first name Text, character, string
Middle name (if available) The individual’s middle name Text, character, string
Last name The individual's last name Text, character, string
State ID number The individual’s unique, fingerprint-
supported state identification number
FBI Number
The unique identification number given by
the Federal Bureau of Investigation’s
Interstate Identification Index to each
offender (if available)
Other personal identifiers if SID and FBI
number are not available
If SID and FBI number are not available,
please provide any other unique identifier
assigned to a person, such as a Social
Security Number or Driver’s License Number
Other system identifiers assigned to a
person
Include any other unique identifiers that
specify the individual in your data system.
For example, booking ID, inmate ID, or client
ID
A-2
Name Definition Standard Formats
Date of birth or age
The individual’s date of birth. If not available,
individual’s age (and please include age at
what reference period in the documentation.
For example, age at arrest, age at booking,
age at filing)
mm/dd/yyyy
Sex The individual’s biological sex/sex assigned at
birth Male, Female, Other, Unknown
Race The individual’s race(s)
(OMB race categories) White, Black or
African American, Asian, Native Hawaiian or
Other Pacific Islander, American Indian or
Alaska Native, Other, Unknown.
Ethnicity The individual’s ethnicity (OMB ethnicity categories) Hispanic or
Latino; Not Hispanic or Latino; Unknown
A-3
Table 2. Jail/Detention Information
Name Definition Standard Formats
Date of offense Date the alleged offense occurred mm/dd/yyyy
Date of arrest Date the individual was arrested for the
offense mm/dd/yyyy
Arrest charge(s) Arrest charges or the charges for which the
person is incarcerated pretrial State statute number, text description
Arrest charge level
The level of charges. For inclusion in NPRP,
the individual should have at least one felony
charge
Felony, Felony A, Misdemeanor,
Misdemeanor II
Date of booking into facility for arrest
charges
Date individual was booked into the jail for
the arrest for the current case or charge mm/dd/yyyy
Date of pretrial risk assessment(s)
Date the pretrial risk assessment conducted.
If multiple assessments are conducted for
one individual, please include all, with dates.
Include description in data documentation
mm/dd/yyyy
Risk assessment score
The risk assessment category assigned to the
defendant. If multiple scores are available for
one individual, please include all. Please
include a description of the risk assessment
score in the data documentation
Date bond set by court or other official The date the bond was set by court, law
enforcement, or other justice official mm/dd/yyyy
A-4
Name Definition Standard Formats
Type of bond set
The type of bond specified by the court, law
enforcement, or other justice official. Please
include in the data documentation the types
of bonds available and how they are
recorded in your system
Cash, percentage, surety, property, personal
recognizance, unspecified
Type of detention ordered
Court ordered no bond or no release. We
would like to know if person is held because
court ordered no bond as compared to a
person held because a bond is ordered but
not posted
No bond
Amount of bond If a financial bond is ordered, include the
bond amount Numeric
Conditions of bond
Any conditions ordered for the bond. Please
include in the data documentation the
available bond conditions that are tracked in
your system
No contact with victim, drug and alcohol
testing, drug and alcohol treatment, curfew,
maintain employment, other, etc
Date bond posted If possible, the date the bond was posted mm/dd/yyyy
Type of bond posted If possible, the type of bond posted Surety/bail bonds company, cash bond,
property bond, other
Date of pretrial release from facility
Date individual was released from facility
(pretrial). Please note in documentation if
this date can be determined, or if there is
only one field for any type of release
mm/dd/yyyy
A-5
Name Definition Standard Formats
Pretrial release reason If offender was released pretrial, how
offender was released
Posted bond, released on recognizance,
transferred to house arrest/electronic
monitoring, released to pretrial supervision
Date of final release from jail, or date
defendant changed from pretrial status to
sentenced/convicted status
The date the jail released or changed the
status of the defendant after a final verdict
was entered in the court case (e.g.,
conviction, dismissal)
mm/dd/yyyy
A-6
Table 3. Pretrial Supervision, Failures to Appear, New Arrests, and Technical Violations
Name Definition Standard Formats
Date agency began supervising client The date the agency began supervision of the
defendant mm/dd/yyyy
Charges
If available, the defendant’s charges. Please
include in the documentation the source of
the charges (e.g., arrest charges, court filing)
State statute number, text description
Charge level
If available, the level of charge. For inclusion
in NPRP, the defendant should have at least
one felony charge
Felony, Felony A, Misdemeanor,
Misdemeanor II
Date of pretrial risk assessment(s)
Date the pretrial risk assessment conducted.
If multiple assessments are conducted for
one defendant, please include all, with dates.
Include description in data documentation
mm/dd/yyyy
Risk assessment score
The risk assessment category assigned to the
defendant. Please include a description of
the risk assessment score in the data
documentation
Level of pretrial supervision
The level of supervision determined by the
court or the supervising agency. These vary
greatly; please include in the data
documentation the method used to
determine how intensely you monitor clients
A-7
Name Definition Standard Formats
Conditions of supervision
Include all conditions of supervision ordered
by the court. If possible, please list additional
conditions added by your agency separately
from those ordered by the court
In-person reporting, telephone reporting,
home visits, curfew, other
Violation(s) of supervision
How the defendant violated supervision, if
applicable. There should be one type of
violation entered per occurrence. If a
defendant incurs multiple violations on the
same date, list each violation separately.
Include the violations tracked by your agency
in the data documentation
Fail to report, fail to comply, fail drug test,
fail to appear, new arrest, other
Date(s) of violation of supervision
The date(s) the client violated supervision. If
the date is for a failure to appear, please
indicate the type of hearing missed, if
possible
mm/dd/yyyy
Date supervising agent filed a violation
report
Date the supervising agent reported the
violation to the court or other administrative
agency. Please provide data documentation
about when and how these reports are filed
mm/dd/yyyy
Outcome of violation of supervision Outcome of the violation Continued on supervision, bail revoked
Date of violation of supervision outcome Date pretrial release was revoked mm/dd/yyyy
Date pretrial supervision ended The date the agency stopped supervising the
defendant mm/dd/yyyy
A-8
Name Definition Standard Formats
Final outcome of supervision Outcome of the pretrial supervision Successful case closed, unsuccessful case
closed, other
Table 4. Potential linking identifiers
Name Definition Standard Formats
Court case number The court case number for the defendant
Jail person identifier The inmate id number for the jail
Pretrial agency case number The number assigned to the person or to the
case under supervision
Table 5. Manner of Disposition and Outcomes
Name Definition Standard Formats
Manner of disposition Type of hearing for the disposition Plea, court trial, jury trial, other
Type of disposition Type of disposition for the case or charge
Nolle prosequi, dismissal, acquittal, not
guilty, probation before judgment, guilty,
Alford plea, no contest plea, other
A-9
Table 6. Sentencing
Name Definition Standard Formats
Total sentence to incarceration – type of
facility Type of facility ordered for the sentence Prison, jail, other
Total length of incarceration
Length of the sentence to a facility. Please
specify the unit of time for the sentence in
the data documentation
Number (specify)
Sentence suspended
Whether any time of the sentence ordered is
suspended. Please include detail in the data
documentation
Y/N
Length of sentence suspended Portion of the sentence that is suspended Number (specify)
Credit for time served
Whether the defendant received credit for
time served incarcerated pretrial. Please
include in the documentation whether
electronic monitoring or house arrest counts
towards credit time
Y/N
Length of credit for time served
Length of time the defendant received credit
for time served. Please include in the data
documentation the unit of time
Number (specify)
Total sentence to probation Indicator whether the defendant was
sentenced to probation Y/N
A-10
Name Definition Standard Formats
Total length of sentence to probation
Total length of time the defendant was
sentenced to probation. Please specify the
unit of time for the sentence in the data
documentation
Number (specify)
Conditions of probation Conditions imposed as part of probation
Counseling, drug treatment, drug testing,
domestic violence program, anger
management, other
Other sentence imposed
Indicator whether another sentence was
imposed. Please include details about
available sentence types in your data
documentation (e.g., community service may
be a type of sentence or part of a probation
order)
Y/N
Length of other sentence imposed
Length of the other sentence ordered. Please
specify the unit of time for the sentence in
the data documentation
Number (specify)
Monetary sentence ordered
Court ordered fines as part of sentence.
Please include detail in the data
documentation how monetary fines are
tracked
Amount of monetary sentence ordered Amount of the monetary sentence ordered Number
Restitution Whether restitution was ordered. Y/N
A-11
Name Definition Standard Formats
Restitution
If available, was restitution to the victim or
the state. Please include detail in the data
documentation.
Victim, State
Court costs Whether court costs were ordered to be paid
by the defendant Y/N
U.S. Department of Justice
Office of Justice Programs
Bureau of Justice Statistics
Washington, D.C. 20531
BUREAU OF JUSTICE STATISTICS
DATA PROTECTION GUIDELINES
OVERVIEW
The Bureau of Justice Statistics (BJS) is a federal statistical agency1 and the nation’s primary
source for criminal justice data.2 BJS is a component of the Office of Justice Programs (OJP) in
the U.S. Department of Justice (DOJ). BJS’s mission is to collect, analyze, publish, and
disseminate statistical information on crime, criminal offenders, victims of crime, and the
operation of justice systems at all levels of government. These data are critical to federal, state,
and local policymakers in combating crime and ensuring that justice is both efficient and
evenhanded.
The BJS Data Protection Guidelines, developed in coordination with OJP’s Office of the General
Counsel and Office of the Chief Information Officer, are intended to provide a summary of the
many federal statutes, regulations, and other authorities that govern BJS.3 As discussed in greater
detail below, the guidelines require BJS to: adhere to strict confidentiality requirements
regarding data collected at BJS’s direction; ensure that the collected data be used only for
statistical purposes; commit to wide dissemination of BJS data for public benefit; and strive to
maximize the utility, objectivity, and integrity of the information BJS disseminates and archives
for public use.
I.DATA PROTECTIONS IN FEDERAL STATUTES
Pursuant to its statutory responsibilities, BJS must maintain the confidentiality of all information
identifiable to a private person4 (personally identifiable information, or PII) that it collects.
1The Office of Management and Budget (OMB) recognizes BJS as one of thirteen principal federal statistical
agencies that have statistical work as their principal mission.
2 For the purpose of this document, “information” and “data” are used synonymously.
3 This document is intended to provide a general overview of the statutory, regulatory, and policy framework under
which BJS employees and its data collection agents operate. Nothing herein is intended to, or does, create any rights,
substantive or procedural, enforceable at law by any party in any matter civil or criminal. Any specific questions
regarding the application of these statutes, regulations, policies, and guidelines should be addressed in writing to
BJS directly. The BJS Data Protection Guidelines will be reviewed and updated periodically to reflect changes to
current or newly implemented statutes, regulations, and other authorities and the most current version will be
available on the BJS website - https://www.bjs.gov/content/pub/pdf/BJS_Data_Protection_Guidelines.pdf.
4 Under BJS’ confidentiality regulations, “information identifiable to a private person means information which
either— (1) Is labelled by name or other personal identifiers, or (2) Can, by virtue of sample size or other factors, be
reasonably interpreted as referring to a particular private person. 28 C.F.R. § 22.2(e).
1
ATTACHMENT III
2
Specifically, in accordance with BJS’s authorizing statute, the Director of BJS “shall be
responsible for the integrity of data and statistics and shall protect against improper or illegal use
or disclosure.” 34 U.S.C. § 10132(b).
Further, under 34 U.S.C. § 10231(a), no officer or employee of the federal government,
including BJS employees or award recipients that operate as BJS data collection agents,5 may
use or reveal any research or statistical information furnished in connection with a BJS data
collection, including data identifiable to any specific private person, by any person for any
purpose other than the purpose for which it was furnished.
Additionally, under that statute, statistical information provided to BJS that is identifiable to a
private person is immune from legal process, and may not, without the consent of the person
furnishing such information, be admitted as evidence or be used for any purpose in any action,
suit, or other judicial, legislative, or administrative proceedings. Any person violating these
confidentiality provisions may be punished by a fine not to exceed $10,000 in addition to any
other penalty imposed by law.
Further confidentiality protections for statistical data are contained in 18 U.S.C § 1905.
Penalties for violating this statue include mandatory termination from employment, as well as a
fine, term of imprisonment of not more than one year, or both.
II.DATA USE RESTRICTIONS IN FEDERAL STATUTES AND REGULATIONS
BJS operates under a statute which specifically states that it may only use the data it collects for
statistical or research purposes. Title 34 U.S.C. § 10134, states that “[d]ata collected by the
Bureau shall be used only for statistical or research purposes, and shall be gathered in a manner
that precludes their use for law enforcement or any purpose relating to a private person6 or public
agency other than statistical or research purposes.” The term “statistical purpose,” as defined in
Section 502(9)(A) of the E-Government Act of 2002, means “the description, estimation, or
analysis of the characteristics of groups, without identifying the individuals or organizations that
comprise such groups.” 7 Statistical purposes exclude “any administrative, regulatory, law
enforcement, adjudicatory, or other purpose that affects the rights, privileges, or benefits of a
particular identifiable respondent.” Id. at 502(5)(A).
5 For the purpose of these guidelines, the term “award recipient” refers to the entity (e.g., a private organization or
an institution of higher learning) that receives funding from BJS through a cooperative agreement, grant, contract,
subaward award, or subcontract to perform exclusively statistical or research activities (e.g., collecting, receiving,
handling, maintaining, transferring, processing, storing, or disseminating data). The term “data collection agent”
refers to an individual who works under BJS’s authority through such an award to collect or maintain information
collected in conjunction with the funded project(s). Both the entity that receives the funding and the data collection
agents that operate under the conditions of the award are subject to the requirements described in the BJS Data
Protection Guidelines and may be used interchangeably herein.
6 The term “private person” means “any individual (including an individual acting in his official capacity) and any
private partnership, corporation, association, organization, or entity (or any combination thereof)." 34 U.S.C. §
10251(a)(27).
7 Section V of the E-Government Act of 2002 is also known as the “Confidential Information Protection and
Statistical Efficiency Act of 2002,” (CIPSEA). See, 44 U.S.C. § 3501 note.
3
All BJS data collection agents working with identifiable information collected or maintained at
BJS’s direction are required to comply with all confidentiality requirements of 34 U.S.C. §
10231, the privacy certification requirements of 28 C.F.R. § 22.23, and the requirement to
destroy identifiable data as set forth in 28 C.F.R. § 22.25.
III. FOIA REQUESTS AND FEDERAL CONFIDENTIALITY PROTECTIONS
BJS data collections also have protections under a broader federal statute that affects the
confidentiality of information in the Privacy Act of 1974 and the Freedom of Information Act
(FOIA), 5 U.S.C. § 552. Although FOIA is generally cited as establishing the public’s right of
access to federal records and information, there are nine established FOIA exemptions which
permit executive branch agencies to withhold certain types of information from release. For
example, one such exemption may allow BJS to withhold information when public release would
reveal information accusing a person of a crime.8 Another example may allow BJS to refuse to
disclose information if the information sought would “disclose investigatory records compiled
for law enforcement purposes, or if the disclosure might have similar implications.”9
IV. FEDERAL REGULATIONS ON THE CONFIDENTIALITY OF IDENTIFIABLE
DATA
Data collected by BJS and its data collection agents are maintained under the confidentiality
provisions outlined in 28 C.F.R. Part 22.10 Relevant provisions include −
• Data identifiable to a private person may be used or revealed only for research or statistical
purposes, or where prior consent is obtained from an individual
• Identifiable information will be used or revealed only to employees on a need-to-know basis,
and only if the recipient is legally bound to use it solely for research and statistical purposes
and to take adequate administrative and physical precautions to ensure confidentiality
• BJS award recipients are required by federal law, as a condition of funding, to submit a
Privacy Certificate that describes the precautions in place to adequately safeguard the
administrative and physical security of identifiable data, as applicable
• Individuals, including BJS data collection agents, with access to data on a need-to-know
basis are advised in writing of the confidentiality requirements and must certify in writing to
abide by these requirements.
8 5 U.S.C. § 552b(b)(5).
9 5 U.S.C. § 552b(b)(7).
10 While the confidentiality provisions of Part 22 discussed herein are extensive, these regulations do not apply to
any records from which identifiable research or statistical information was originally obtained; or to any records
which are designated under existing statutes as public; or to any information extracted from any records designated
as public.
V. INFORMATION SYSTEM SECURITY AND PRIVACY REQUIREMENTS
4
BJS/OJP maintains a robust IT security program in compliance with the DOJ Cybersecurity
Program11 and the DOJ IT Cybersecurity and Privacy Rules of Behavior (ROB) for General
Users12 to facilitate the privacy, security, confidentiality, integrity, and availability of BJS/OJP’s
computer systems, networks, and data in accordance with applicable federal and Department
policies, procedures, and guidelines. BJS award recipients are similarly required to maintain the
appropriate administrative, physical, and technical safeguards to protect identifiable data and
ensure that information systems are adequately secured and protected against unauthorized
disclosure.
11 The provisions of DOJ Order 0904, Cybersecurity Program, apply to all DOJ components, personnel, and IT
systems used to process, store, or transmit Depar tmental information, as well as to contractors and other users of IT
systems supporting the operations and assets of DOJ. The provisions discussed herein provide a summary of DOJ’s
information technology security requirements and policies.
12 The DOJ IT Security ROB for General Users apply to all DOJ components, personnel, and contractors and pertain
to the use, security, and acceptable level of risk for DOJ systems and applications. The provisions discussed herein
provide an overview of DOJ’s information technology security requirements and policies. For a more extensive
description of specific DOJ policies, requirements, roles, and responsibilities, consult the DOJ IT Security ROB for
General Users in full.
Specifically, BJS and its award recipients are required to, where applicable −
•Assess and secure information systems in accordance with the Federal Information Security
Modernization Act of 2014 (FISMA; Pub. L. No. 113-283) Pub. L. No. 107-347)
•Adhere to National Institute of Standards and Technology (NIST) guidelines to categorize
the sensitivity of all information collected or maintained on behalf of BJS
•Once the system has been categorized, secure data in accordance with the Risk Management
Framework specified in NIST SP 800-37 rev. 2
•Employ adequate controls to ensure data are not comingled with any other dataset or product
without the express written consent of BJS (applicable to BJS data collection agents)
•Reduce the volume of personally identifiable information collected, used, or retained to the
minimum necessary
•Limit access to identifiable data to only those individuals who must have such access,
including requisite IT security administrators
•Limit the use of identifiable data to only the purposes for which its use was approved
•Ensure all cooperative agreements and contracts involving the processing and storage of PII
comply with DOJ policies on remote access and security incident reporting
•Employ formal sanctions for anyone failing to comply with DOJ policies and procedures, in
accordance with applicable laws and regulations
5
• Complete data security and confidentiality trainings.
All on-site, physical BJS data files are stored in a secure building in Washington, D.C. which
houses only OJP (including BJS) and is staffed by armed guards 24 hours a day, 7 days a week.
Federal employees and contractors must pass through an electronic badge swipe to verify their
identity, and non-federal visitors must be sponsored by DOJ employees, pass through a metal
detector, record information in a central log book, and wear a visitor's badge. Onsite servers
containing BJS data are stored in a locked room with access limited only to OJP IT personnel,
and require a badge swipe to enter. Data stored on CD-ROMs reside in a locked office with
limited key access to authorized individuals, and all data use in the room is logged.
Technical control of BJS data is maintained through a system of firewalls and encryption. OJP
employs an Intrusion Detection System at the perimeter of the network to supplement its
defense-in-depth approach to security. BJS maintains data on a secure hard drive behind the
DOJ firewall, and the data are encrypted to meet Federal Information Process Standard (FIPS)
Publication 140-2 requirements. Access to this drive and its files require username and password
verification. Access to individual files is restricted to BJS project staff and the requisite OJP IT
security administrators.
Furthermore, OJP is required to periodically assess its security controls to determine their
effectiveness, monitor and correct deficiencies, reduce or eliminate vulnerabilities in IT systems,
and monitor IT system security controls.
BJS award recipients must employ similar administrative, physical, and technical controls to
adequately secure their FISMA-defined information systems from unauthorized disclosure. OJP
also reserves the right to audit during the project period any FISMA-defined information system
used by BJS data collection agents to collect, receive, handle, maintain, transfer, process, store,
or disseminate data products in support of the project to assess compliance with federal laws and
regulations related to data management and security.
The Cybersecurity Enhancement Act of 2015 (codified in relevant part at 6 U.S.C. §
151) requires the Department of Homeland Security (DHS) to provide cybersecurity protection
for federal civilian agency information technology systems and to conduct cybersecurity
screening of the Internet traffic going in and out of these systems to look for viruses, malware,
and other cybersecurity threats. DHS has implemented this requirement by instituting procedures
such that, if a potentially malicious malware signature were found, the Internet packets that
contain the malware signature would be further inspected, pursuant to any required legal process,
to identify and mitigate the cybersecurity threat. In accordance with the Act’s provisions, DHS
conducts these cybersecurity screening activities solely to protect federal information and
information systems from cybersecurity risks. To comply with the Act’s requirements and to
increase the protection of information from cybersecurity threats, OJP facilitates, through the
DOJ Trusted Internet Connection and DHS’s EINSTEIN 3A system, the inspection of all
information transmitted to and from OJP systems including, but not limited to, respondent data
collected and maintained at BJS’s direction.
6
VI. DISSEMINATION OF DATA
The BJS authorizing statute reads, in relevant part, that BJS is authorized to “provide information
to the President, the Congress, the judiciary, state, tribal, and local governments, and the general
public on justice statistics.”13 A robust dissemination program is essential to the execution of this
statutory mandate. BJS uses its website for data dissemination, including public access to data
releases of aggregate statistics in the form of updated time series, cross-tabulations of aggregated
characteristics of respondents, analytic reports, briefs of key findings, and technical reports.
Aggregated data are typically made available in spreadsheet format and through online tabulation
tools.14
Micro (raw) data published under BJS’s authority and the related study documentation are made
available to external parties at the University of Michigan’s National Archive of Criminal Justice
Data (NACJD) for statistical and research purposes, though the level and format of access
depends on the type of data being requested (see Section VII).
BJS follows established information dissemination practices, including those outlined in OMB’s
Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of
Information Disseminated by Federal Agencies15 as well as those outlined in BJS’s Data Quality
Guidelines.
BJS also adheres to OMB’s Statistical Policy Directive No. 4, Release and Dissemination of
Statistical Products Produced by Federal Statistical Agencies, and the standards on
dissemination of information products set forth in OMB’s Statistical Policy Directive No. 2,
Standards and Guidelines for Statistical Surveys.
VII. DATA ARCHIVAL PRACTICES
BJS archives data at the NACJD to encourage and support the facilitation of research in the field
of criminal justice. To the extent necessary and practical, BJS removes, masks, or collapses
direct and indirect identifiers prior to sending data to NACJD to protect respondent
confidentiality. In consultation with BJS, NACJD takes additional precautions to mitigate
compromising the confidentiality of data, including conducting a comprehensive disclosure risk
review to determine the appropriate level of security that should be applied to the data. In
addition to the NACJD disclosure risk review, BJS may also request to suppress additional
variables due to the sensitive nature of the data and/or to further protect confidentiality, if
appropriate. Data that do not contain personally identifiable information are available for public
access download. Prior to public release, NACJD routinely checks all data collections for
conditions that could violate the confidentiality of data. NACJD protects respondent
confidentiality by removing, masking, blanking, or collapsing direct or indirect variables and
records within public-use versions of the dataset.
13 34 U.S.C. § 10132(c)(10).
14 Some older publications that are not machine readable may only be available on the BJS website via scanned pdf
files.
15 67 Fed. Reg. 8,452 (February 22, 2002).
7
NACJD applies stringent security to restricted data where some risk of respondents’ identity
disclosure remains (e.g., variables used in conjunction with one another or linking to other data
files) and provides four access options for these types of data: restricted access; physical data
enclave; online analysis; virtual data enclave.16 Prospective users of such data must follow
NACJD’s application and approval processes, including the submission of a research proposal
and additional measures as required such as IRB approval or waiver, information about users of
the data, a restricted data use agreement, and a data security plan. Additionally, users of data in
the physical enclave must travel to the University of Michigan to analyze data on a NACJD
computer in a secure room without internet and printer capabilities, and output is screened to
ensure results are aggregated to a level that prevents individual identification.
BJS datasets stored at OJP and archived at the NACJD are periodically audited to determine if
their security profiles have changed and protections need to be updated based on changes in
policy, updates to OJP systems, or the availability of other linked data.
VIII. DATA DISPOSITION PRACTICES
BJS and its award recipients follow federal regulations requiring the disposition of data
containing identifiable information.17 Where applicable, BJS complies with all federal
government data destruction guidelines regarding the technical and physical wiping of data from
servers and destruction of existing CD-ROMs or paper documents. BJS award recipients are
required to return to BJS or destroy PII collected in conjunction with BJS-funded activities upon
delivery of the data to BJS and project completion.
16 The NACJD website provides specific details about its processes and requirements related to receiving and
handling restricted data, including types of access and application requirements.
17 28 C.F.R. § 22.25.
IX. INCIDENT RESPONSE PROCEDURES
DOJ has established incident response plans and notification procedures in the event of an actual
or suspected data breach involving PII and/or loss of any devices containing these data. These
procedures apply to all BJS employees and its award recipients, and all PII regardless of format
(e.g., paper, electronic, etc.), and follow the requirements set forth in applicable federal statutes,
policies, regulations, and other authorities, including the Privacy Act of 1974, the E-Government
Act of 2002, the FISMA, and OMB Memorandum M-17-12, Preparing for and Responding to a
Breach of Personally Identifiable Information.
In the event of a real or suspected data security incident by BJS or one of its data collection
agents, BJS shall follow the requirements set forth in OMB Memorandum M-17-12, Preparing
for and Responding to a Breach of Personally Identifiable Information, including -
• Notify, within one hour of discovery, the appropriate DOJ officials and law enforcement
agencies
8
• Provide DOJ forensics and law enforcement personnel, including the DOJ Inspector
General, access to media and devices required for investigation, as appropriate
• Assist with digital forensic and other investigations on electronic devices and/or
associated media, as required
• Record the handling and transfer of media and devices to support forensic and other
investigations
• Notify individuals potentially impacted by the incident.
In the event of a breach involving PII, BJS may consult with the appropriate DOJ officials to develop
mitigation options and assess the need to provide additional measures of protection, including
analyzing whether a particular data loss appears to be resulting in identify theft and providing credit
monitoring services to those impacted by the data incident.
Additionally, to further assist investigative and remedial efforts, BJS may disclose a limited amount
of PII to the appropriate agencies, entities, and persons to assist in DOJ’s response efforts or to
prevent, minimize, or remedy harm to impacted individuals when it suspects or has confirmed an
incident involving PII collected or maintained under BJS’s authority. BJS may also provide a limited
amount of PII to another federal agency or federal entity to assist their response efforts.
X. INDEMNIFICATION
Any person who unlawfully discloses PII collected or maintained under BJS’s authority shall be
in violation of, and punished under the provisions of, the confidentiality statutes referenced
above in Section I. “Data Protections in Federal Statutes.”
BJS will not agree to insure, defend, or indemnify the data provider. BJS will, consistent with
DOJ authorities, cooperate with the other party in the investigation and resolution of
administrative claims and/or litigation arising from conduct related to the provisions of the
separate data use agreement.
XI. BJS STATISTICAL STANDARDS AND PRACTICES
Among BJS’s fundamental responsibilities as a statistical agency is its duty to protect the trust of
individual respondents and data providers by ensuring the confidentiality and exclusive statistical
use of their responses.18 As the nation’s premier source of reliable criminal justice data, BJS is
committed to employing robust data security protocols and data stewardship practices to protect
the privacy and confidentiality of the data collected and maintained.
18 See, also, OMB M-15-03 Statistical Policy Directive No. 1: Fundamental Responsibilities of Federal Statistical
Agencies and Recognized Statistical Units.
9
To uphold public trust in the integrity of the data and ensure continued cooperation from data
providers and respondents, BJS adheres to a set of statistical principles and practices19 that guide
its mission to compile, analyze, and disseminate information on crime, criminal offenders,
victims of crime, and the operation of justice systems at all levels of government. These
principles and standards include maintaining −
• Relevance to policy issues
• Credibility among and cooperation with data users
• Trust among data providers
• A clearly defined and well-accepted mission
• Independence from political and other undue external influence
• Necessary authority to protect independence
• Use of multiple data sources that meet user needs
• Openness about the sources of data and their limitations
• Wide dissemination of data
• Respect for the privacy and autonomy of data providers
• Protection of the confidentiality of data providers’ information
• Commitment to quality and professional standards of practice
• Coordination and cooperation with other federal statistical agencies.
.
19 The BJS Statistical Principles and Practices were informed by Principles and Practices for a Federal Statistical
Agency, 6th edition, National Research Council (2017), issued by the National Research Council of the National
Academy of Sciences, which has guided managerial and technical decisions made by national and international
statistical agencies for decades.
XI. BJS DATA QUALITY GUIDELINES
BJS has implemented and published the BJS Data Quality Guidelines that govern all justice data
that BJS produces and disseminates for the general public in accordance with the provisions of
the DOJ Information Quality Guidelines and OMB government-wide guidance for information
dissemination, including the Paperwork Reduction Act (44 U.S.C. § 3501 et seq.). The BJS Data
Quality Guidelines apply to a wide variety of substantive information and dissemination
activities and topics, including −
10
• Privacy and maintaining confidentiality of data
• Initiating surveys, censuses, and other data collections
• Survey design and data collections
• Data transparency, analysis, and processing
• Content and verification of BJS data
• Dissemination.
The BJS Data Quality Guidelines were established to ensure and maximize the utility,
objectivity, and integrity of the information BJS disseminates and to provide a framework to give
persons an opportunity to seek and obtain correction of information maintained and disseminated
by BJS that does not comply with these guidelines.
Issue Date: May 20, 2016
Updated: January 12, 2021
ATTACHMENT IV
REQUIREMENTS FOR BJS REGARDING ACCESS AND USE
OF COUNTY’S PII (Personally Identifiable Information)
This Attachment governs the requirements for BJS regarding its access, use, and storage of County’s
PII.
1. DEFINITIONS
1.1 Security Breach means the unauthorized access, acquisition, theft, or disclosure of
County’s PII by or from BJS.
1.2 PII (Personally Identifiable Information) has the meaning provided in this Agreement.
1.3 County’s PII means PII that is provided by County to BJS pursuant to this Agreement.
2. OBLIGATIONS
2.1 BJS shall not use or disclose County’s PII other than as permitted or required by this
Agreement or as required by law.
2.2 BJS shall implement administrative, physical, and technical safeguards (including written
policies and procedures) that reasonably and appropriately protect the confidentiality,
integrity, and availability of PII that it creates, receives, maintains or transmits on behalf of
the County.
2.3 BJS shall mitigate, to the extent practicable, any harmful effect known to BJS of the use
or disclosure of PII in violation of law or this Agreement.
2.4 BJS shall adhere to the BJS Security Incident Response Procedures to respond to a
suspected or actual security incident involving PII provided under this agreement. These
procedures follow Department of Justice requirements in DOJ Instruction 0900.00.01:
Reporting and Response Procedures for a Breach of Personally Identifiable Information,
available at https://www.justice.gov/file/4336/download. If BJS or BJS’s employees or
agents discover a Security Breach, BJS shall notify the County without unreasonable
delay, but no later than within forty-eight (48) hours of discovery. For this purpose,
“discovery” means the first day on which the Security Breach is known to BJS or BJS’s
employee or agents or should have been known by exercising reasonable diligence. BJS
shall be deemed to have knowledge of a Security Breach if the Security Breach is known
or should have been known by exercising reasonable diligence by any person, other than
the person committing the Security Breach. The notification to the County shall include
the following: (a) describe the Security Breach in general terms; (b) describe the type of
personal information that is the subject of the Security Breach; (c) identify each
individual whose PII has been breached or has reasonably believed to have been
breached; (d) describe in general terms, what BJS has done to prevent additional Security
Breaches; and (e) provide any other available information in BJS’s or subcontractor’s
possession that may be necessary to comply with Security Breach notification laws.
2.5 If the County and BJS /DOJ determine that BJS/DOJ will provide the notice of the Security
Breach to the affected individuals and/or to governmental authorities, BJS will follow
DOJ’s established notification procedures to determine the appropriate notification and risk
mitigation services, following the procedures described in DOJ Instruction 0900.01. Such
procedures including providing guidance to affected individuals on how to mitigate their
own risk of harm, for example how to obtain a free credit report, whether they should
consider closing accounts, how to place a fraud alert on credit reports or a credit freeze on
their credit file, and how to access resources provided on the Federal Trade Commission
Identify Theft website. BJS/DOJ will also work with the County to determine whether
there are services BJS can provide to mitigate risk of specific harm associated with or
resulting from the particular breach, for example establishing a Help Line that allows
affected individuals to call or obtain more information or offering credit monitoring
services.
ATTACHMENT V
CJIS REQUIREMENTS
(Criminal Jus�ce Informa�on Security)
Attachment V governs the requirements for BJS with Access to Criminal Justice Information
governed by the CJI Security Policy of the FBI.
1. Definitions
1.1 Criminal Justice Information (CJI) means data or information governed by the CJIS
Security Policy.
1.2 Criminal Justice Information Services (CJIS) means the Criminal Justice Information
Services, a division in the Federal Bureau of Investigation (FBI) that sets a minimum
standard of security requirements to protect and safeguard CJI.
1.3 CJIS Security Policy means the Policy that governs the security of CJI. The CJIS
Security Policy provides guidance for the creation, viewing, modification, transmission,
dissemination, storage, and destruction of CJI. This Policy applies to every individual—
contractor, private entity, noncriminal justice agency representative, or member of a
criminal justice entity—with access to, or who operate in support of, criminal justice
services and information.
2. Obligations
BJS shall comply with the current version of the CJIS Security Policy, which may be
amended from time to time by the CJIS Advisory Policy Board of the FBI. A link to the
current FBI standards is available: https://www.fbi.gov/services/cjis/cjis-security -policy-
resource-center
DATA USE AGREEMENT
BETWEEN THE BUREAU OF JUSTICE STATISTICS
AND OAKLAND COUNTY
FOR THE NATIONAL PRETRIAL REPORTING PROGRAM
I. PURPOSE
The purpose of this Data Use Agreement (hereinafter referred to as the Agreement) is
for Oakland County, by and through its Community Corrections Division, (the
“County”) to provide to the Bureau of Justice Statistics (BJS), located within the
Office of Justice Programs (OJP) of the U.S. Department of Justice (DOJ), (the
Parties) with data on case-level information regarding felony criminal cases from
filing to disposition, focusing on pretrial release and detention on a one-time basis for
the National Pretrial Reporting Program. The data that BJS obtains from the County
will contribute to BJS’s objectives to describe characteristics of the state pretrial
process at the national level. RTI International (“Data Collection Agent”) will link
data obtained from jails, pretrial service agencies, and courts within each jurisdiction.
The Data Collection Agent will then securely transfer the data to BJS for linking to
criminal history. The data elements requested will include defendant identifiers,
demographics, charge information, pretrial release conditions, pretrial outcomes,
adjudication and sentencing outcomes. To support its statistical mission, BJS makes
its published deidentified microdata available for secondary analysis or linkage
purposes to researchers, other federal statistical agencies, and other external parties,
as appropriate. “Deidentified” microdata refers to data that do not include directly
Personally Identifiable Information (PII) and has had the appropriate statistical
disclosure limitation techniques applied to protect respondent confidentiality. Such
data provision is done in a manner that is fully consistent with federal law and BJS’s
statutory obligations to protect confidentiality.
This Agreement includes and incorporates the following attachments:
•The National Pretrial Reporting Program project description (Attachment I)
•List of data variables and reference years that the County will provide to BJS
(Attachment II)
•BJS Data Protection Guidelines (Attachment III)
•Requirements for BJS Regarding Access and use of the County’s PII
(Attachment IV)
•CJIS Requirements (Attachment V)
If there are any inconsistencies between this document and the attachments listed
above, the terms and conditions of this document will take precedence, then
Attachment IV, Attachment III, Attachment II, and Attachment I, in that order.
II. AUTHORITY
The Director of BJS is statutorily authorized to “utilize, with their consent, the
records . . . [and] information of other Federal, State, local and private agencies and
instrumentalities. . .” 34 U.S.C. § 10132.
The County may provide data to BJS under the Urban Cooperation Act of 1967, 1967
Public Act 7, MCL 124.501 et seq.
III. GOVERNANCE
This Agreement and the performance of the parties’ obligations hereunder will be
governed by and construed and enforced in accordance with federal law and in any
appropriate federal court in the state of Michigan.
IV. DEFINITIONS
Key terms in this Agreement (e.g., incident, personally identifiable information
(“PII”), information identifiable to a private person, etc.) will maintain their
definitions as provided by federal law and policy, to include: statutes, regulations, and
other guidance provided by the Office of Management and Budget (OMB) and the
DOJ.
The term “data collection agent” refers to RTI International, BJS’s award recipient
who works under BJS’s authority to complete statistical or research activities (e.g.,
data collection, analysis, storage, and dissemination) in conjunction with the funded
project(s).
V. EFFECTIVE PERIOD
This Agreement and any amendments shall become effective when executed by both
Parties with a resolution passed by the County. The approval and terms of this
Agreement and any amendments, except as specified below, shall be entered in the
official minutes of the County. An executed copy of this Agreement and any
amendments shall be filed by the Oakland County Clerk with the Secretary of State.
This Agreement shall remain in effect for five years from the effective date, or until
terminated by one or both of the parties.
VI. MODIFICATION OR TERMINATION
Either party may modify this Agreement at any time by a written modification that is
approved and signed by the appropriate authorities of each party. Either party may
terminate this Agreement by a written modification submitted 60 days before the new
end date.
The County shall retain the right to terminate this Agreement at any time should BJS
or its data collection agent violate the terms of the Agreement.
VII. DATA CONFIDENTIALITY
Data collected by BJS are maintained under the confidentiality provisions outlined in
28 C.F.R. Part 22 and 34 U.S.C. §§ 10134 and 10231. Relevant provisions include the
following—
•BJS shall utilize the data it collects from the County only for research and
statistical purposes
•Data collected by BJS shall be gathered in a manner that precludes their use for
law enforcement or any purpose relating to a private person or public agency
other than a statistical or research purpose
•BJS shall provide access to the County’s data file and the information contained
in it to other federal entities outside of BJS and RTI International only to the
extent that the entity has a need to know, consistent with the above referenced
federal statutes and regulations
•No direct PII shall be disclosed to persons or entities outside of BJS or RTI
without the express permission of the County
•Any reports, analyses, or other summaries of the information contained in the
County’s data files that are made publicly available shall not contain PII or any
information that can reasonably be expected to lead to the identification of an
individual or other person identified therein.
RTI International will be involved in the collection and handling of data provided
under this Agreement. RTI International is required by law to follow the same
federal confidentiality statutes and regulations that govern how BJS protects
information collected under its authority. BJS shall also ensure that RTI and any other
entity that receives the County’s data complies with the terms and conditions of this
Agreement. For additional information regarding data protection responsibilities, see
the BJS Data Protection Guidelines.
VIII. DATA SECURITY AND PRIVACY
BJS shall maintain the appropriate administrative, physical, and technical safeguards
to protect PII collected or maintained under its authority in accordance with
applicable DOJ IT security policies and regulations, OMB guidance, and federal law.
BJS shall ensure that any agreements or contracts involving the storing or processing
of the County’s data include compliance with the applicable terms and conditions of
this Agreement.
The BJS Data Protection Guidelines summarize the specific technical requirements
that BJS is required to follow, including –
•Ensure that information systems that maintain PII are adequately secured and
protected against unauthorized disclosure in accordance with the Federal
Information Security Modernization Act of 2014 (FISMA; Pub. L. No. 113-283)
•Adhere to National Institute of Standards and Technology (NIST) guidelines to
categorize the sensitivity of all information collected or maintained on behalf of
BJS
•Once the system has been categorized, secure data in accordance with the
accepted Risk Management Framework
•Employ adequate controls to ensure data are not comingled with any other dataset
or product without the express written consent of BJS (applicable to BJS data
collection agents)
•Reduce the volume of personally identifiable information (PII) collected, used, or
retained to the minimum necessary
•Limit access to PII to only those individuals who must have such access,
including requisite IT security administrators
•Limit the use of PII to only the purposes for which it was approved
•Ensure all cooperative agreements and contracts involving the processing and
storage of PII comply with DOJ policies on remote access and security incident
reporting
•Employ sanctions for anyone failing to comply with DOJ policies and procedures,
in accordance with applicable laws and regulations
•Ensure that all BJS and RTI International employees complete data security and
confidentiality training, as applicable.
To comply with the Cybersecurity Enhancement Act of 2015 (codified in relevant
part at 6 U.S.C. § 151), OJP facilitates, through the DOJ Trusted Internet Connection
and the Department of Homeland Security’s EINSTEIN 3A system, the inspection of
all information transmitted to and from OJP systems including, but not limited to,
data collected and maintained by BJS.
IX. DISPOSITION OF DATA
Where applicable, BJS shall follow federal regulations at 28 C.F.R. § 22.25 related to
the disposition of data containing PII or information identifiable to a private person,
unless the data are still needed for statistical purposes. RTI International is required to
return PII to BJS and destroy PII upon project completion.
X. DATA ARCHIVING
BJS archives its published deidentified microdata to facilitate and support research in
the field of criminal justice. BJS plans to archive the NPRP microdata at its official
archive, the National Archive of Criminal Justice Data (NACJD) or its successor(s).
BJS will remove direct PII from the raw data files prior to archiving and BJS and
NACJD will conduct a comprehensive risk assessment to ensure data confidentiality
is protected.
Data that do not contain PII may be available for public access download. Prior to
public release, NACJD routinely checks all data collections for conditions that could
violate the confidentiality of data. NACJD protects respondent confidentiality by
removing, masking, blanking, or collapsing direct or indirect variables and records
within public-use versions of the dataset. If additional confidentiality protections are
required for the deidentified data, the data may be archived in a restricted-use setting
and made available to approved external researchers after they complete a
comprehensive application process.
BJS and the NACJD operate strict controls and data security procedures to mitigate
potential privacy risks. For more information, see:
https://www.icpsr.umich.edu/web/pages/NACJD/restricted.html
XI. INCIDENT RESPONSE PROCEDURES
In the event of a real or suspected data incident involving PII collected or maintained
by BJS or its data collection agents pursuant to this Agreement, BJS shall follow the
requirements in Attachment IV and the DOJ’s established incident response
procedures and rules of behavior. These procedures include the timely internal and
external notification to the appropriate DOJ officials, law enforcement agencies, and
individuals potentially impacted by the incident; assessment of the potential risk of
harm; and development of appropriate mitigation options. BJS contractors that collect
or maintain PII under BJS’s authority are similarly required to maintain procedures to
effectively respond to an incident. In the event of a suspected incident, BJS may
disclose information to the appropriate agencies, entities, and persons to respond to an
incident involving PII maintained by BJS or to assist another agency in its response to
an incident. The BJS Data Protection Guidelines provide more details about DOJ’s
incident response procedures.
XII. PENALTIES FOR UNAUTHORIZED DISCLOSURE
Each party shall be responsible for any and all acts or omissions of its own staff,
employees, and officers.
Violations of the confidentiality provisions of 34 U.S.C. § 10231 shall constitute a
violation of this Agreement and may be punished by a fine not to exceed $10,000, in
addition to any other penalty imposed by federal law. RTI International is also subject
to these penalties. Further confidentiality protections for statistical data are contained
in 18 U.S.C § 1905. Penalties for violating this statute include mandatory termination
from employment, as well as a fine, term of imprisonment of not more than one year,
or both.
In the event BJS or its data collection agents fails to comply with any of the material
terms of this Agreement, the County shall have the right to terminate the Agreement,
in addition to pursuing all penalties available under federal law. Additionally, at the
direction of the County, BJS shall forthwith return or dispose of all information
provided by the County.
XIII. LIABILITY/INDEMNIFICATION:
Except as otherwise provided in this Agreement, each party shall be responsible for
any liability arising from its own conduct and retains immunity and all defenses
available to them pursuant to federal law, and neither party agrees to insure, defend,
or indemnify the other party. In the event RTI International violates the
confidentiality requirements in 34 U.S.C. § 10231, they shall be subject to applicable
federal penalties in addition to other penalties imposed by BJS, including possible
termination of funding.
In the event of a dispute between the parties, the parties shall use their best efforts to
resolve the dispute in an informal fashion through consultation and communication
that is mutually acceptable to both parties.
XIV. APPROVALS
By their signatures below, the authorized officials approve this Agreement:
BUREAU OF JUSTICE STATISTICS
________________________________ ________11/07/23_______________
Kevin M. Scott, Acting Director, BJS Date
IN WITNESS WHEREOF, David T. Woodward, Chairperson, Oakland County
Board of Commissioners, hereby acknowledges that he has been authorized by a
resolution of the Oakland County Board of Commissioners to execute this Agreement
on behalf of Oakland County, and hereby accepts and binds Oakland County to the
terms and conditions of this Agreement.
EXECUTED: ___________________________________ DATE: _______________
David T. Woodward, Chairperson
Oakland County Board of Commissioners
WITNESSED: ___________________________________ DATE: ______________
Oakland County Board of Commissioners
County of Oakland