Administrative Code

Virginia Administrative Code
10/25/2021

Part III. Criminal History Record Information Security

6VAC20-120-110. Applicability.

A. This chapter is applicable to criminal justice information systems operated within the Commonwealth of Virginia. These regulations on security are not applicable to court records or other records expressly excluded by § 9.1-126 of the Code of Virginia.

B. This part establishes a minimum set of security standards that shall apply to any manual or automated recordkeeping system that collects, stores, processes, or disseminates criminal history record information.

C. Where individuals or noncriminal justice agencies are authorized to have direct access to criminal history record information pursuant to a specific agreement with a criminal justice agency to provide service required for the administration of criminal justice, the service support agreement will embody the restrictions on dissemination and the security requirements contained in this chapter and the Code of Virginia.

Statutory Authority

§§ 9.1-102 and 9.1-131 of the Code of Virginia.

Historical Notes

Derived from VR240-02-1 § 3.1, eff. April 1, 1986; amended, Virginia Register Volume 6, Issue 4, eff. January 1, 1990; Volume 10, Issue 7, eff. February 1, 1994; Volume 33, Issue 3, eff. November 4, 2016.

6VAC20-120-120. Responsibilities.

A. In addition to those responsibilities mandated by state and federal laws, the Department of State Police shall have the responsibility for the implementation of this chapter in regard to the operation of the Central Criminal Records Exchange.

B. The implementation of this chapter, except as set forth in subsection A of this section, shall be the responsibility of the criminal justice agency as designated and authorized by the county or municipality in cases of political subdivisions. Nothing in this chapter shall be deemed to affect in any way the exercise of responsibility conferred on counties and municipalities of the state under Title 15.2 of the Code of Virginia. The determination of the suitability of the actual procedures instituted by the criminal justice agency will be the subject of study in any audit by the department, mandated by § 9.1-131 of the Code of Virginia.

Statutory Authority

§§ 9.1-102 and 9.1-131 of the Code of Virginia.

Historical Notes

Derived from VR240-02-1 § 3.2, eff. April 1, 1986; amended, Virginia Register Volume 6, Issue 4, eff. January 1, 1990; Volume 10, Issue 7, eff. February 1, 1994; Volume 33, Issue 3, eff. November 4, 2016.

6VAC20-120-130. Physical access.

A. Access to areas in which criminal history record information is collected, stored, processed, or disseminated shall be limited to authorized persons. Control of access shall be ensured through the use of locks, guards, or other appropriate means. Authorized personnel shall be clearly identified.

B. Procedures shall be established to detect an unauthorized attempt or access. Furthermore, a procedure shall be established to be followed in those cases in which an attempt or unauthorized access is detected. Such procedures shall become part of the orientation of employees working in criminal history record information area or areas and shall be reviewed periodically to ensure their effectiveness.

C. Criminal justice agencies shall provide direct access to criminal history record information only to authorized officers or employees of a criminal justice agency and, as necessary, other authorized personnel essential to the proper operation of the criminal history record information system.

D. Criminal justice agencies shall institute, where computer processing is not utilized, procedures to ensure that an individual or agency authorized to have direct access is responsible for (i) the physical security of criminal history record information under its control or in its custody and (ii) the protection of such information from unauthorized access, disclosure, or dissemination.

E. Procedures shall be instituted to protect any central repository of criminal history record information from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or man-made disasters.

F. For criminal justice agencies that have their criminal history files automated, it is highly recommended that "backup" copies of criminal history information be maintained, preferably off-site. Further, for larger criminal justice agencies having automated systems, it is recommended that the criminal justice agencies develop a disaster recovery plan. The plan should be available for inspection and review by the department.

G. System specifications and documentation shall be carefully controlled to prevent unauthorized access and dissemination.

Statutory Authority

§§ 9.1-102 and 9.1-131 of the Code of Virginia.

Historical Notes

Derived from VR240-02-1 § 3.3, eff. April 1, 1986; amended, Virginia Register Volume 6, Issue 4, eff. January 1, 1990; Volume 10, Issue 7, eff. February 1, 1994; Volume 33, Issue 3, eff. November 4, 2016.

6VAC20-120-140. Personnel.

In accordance with applicable law, ordinances, and regulations, the criminal justice agency shall:

1. Screen and have the right to reject for employment, based on good cause, personnel to be authorized to have direct access to criminal history record information;

2. Have the right to initiate or cause to be initiated administrative action leading to the transfer or removal of personnel authorized to have direct access to this information where these personnel violate the provisions of this chapter or other security requirements established for the collection, storage, or dissemination of criminal history record information; and

3. Ensure that all employees working with or having access to criminal history record information shall be made familiar with the substance and intent of this chapter. Designated employees shall be briefed on their roles and responsibilities in protecting the information resources in the criminal justice agency. Special procedures connected with security shall be reviewed periodically to ensure their relevance and continuing effectiveness.

Statutory Authority

§§ 9.1-102 and 9.1-131 of the Code of Virginia.

Historical Notes

Derived from VR240-02-1 § 3.4, eff. April 1, 1986; amended, Virginia Register Volume 6, Issue 4, eff. January 1, 1990; Volume 10, Issue 7, eff. February 1, 1994; Volume 33, Issue 3, eff. November 4, 2016.

6VAC20-120-150. Telecommunications.

Direct or remote access to computer systems for the purpose of accessing criminal history record information shall require that the direct or remote access device use dedicated telecommunication lines. The use of any nondedicated means of data transmission to access criminal history record information shall generally be prohibited. Exceptions may be granted for systems which obtain expressed approval of the department based on a determination that the system has adequate and verifiable policies and procedures in place to ensure that access to criminal history record information is limited to authorized system users. The Department of State Police shall further approve of any access to the Virginia Criminal Information Network (VCIN), in accordance with State Police regulations governing the network. Nothing in this regulation shall be construed to affect the authority of the Department of State Police to regulate access to VCIN.

In those systems where remote access of criminal history record information is permitted, remote access devices must be secure. Remote access devices capable of receiving or transmitting criminal history record information shall be attended during periods of operation. In cases in which the remote access device is unattended, the device shall, through security means, be made inoperable, for purposes of accessing criminal history record information.

Telecommunications facilities used in connection with the remote access device shall also be secured. The remote access device shall be identified on a hardware basis to the host computer. In addition, appropriate identification of the remote access device operator shall be required. Equipment associated with the remote access device shall be reasonably protected from possible tampering or tapping.

Statutory Authority

§ 9.1-102 and Article 3 (§ 9.1-126 et seq.) of Chapter 1 of Title 9.1 of the Code of Virginia.

Historical Notes

Derived from VR240-02-1 § 3.5, eff. April 1, 1986; amended, Virginia Register Volume 6, Issue 4, eff. January 1, 1990; Volume 10, Issue 7, eff. February 1, 1994.

6VAC20-120-160. Computer operations.

A. Where computerized data processing is employed, effective and technologically advanced software and hardware design shall be instituted to prevent unauthorized access to this information.

B. Computer operations, whether dedicated or shared, that support criminal justice information systems shall operate in accordance with procedures developed or approved by the participating criminal justice agencies.

C. Criminal history record information shall be stored by the computer in such a manner that it cannot be modified, destroyed, accessed, changed, purged, or overlaid in any fashion by noncriminal justice terminals.

D. Operational programs shall be used that will prohibit inquiry, record updates, or destruction of records from terminals other than criminal justice system terminals that are so designated.

E. The destruction of record shall be limited to designated terminals under the direct control of the criminal justice agency responsible for creating or storing the criminal history record information.

F. Operational programs shall be used to detect and log all unauthorized attempts to penetrate criminal history record information systems, programs, or files.

G. Programs designed (i) for the purpose of prohibiting unauthorized inquiries, unauthorized record updates, or unauthorized destruction of records or (ii) for the detection and logging of unauthorized attempts to penetrate criminal history record information systems shall be known only to the criminal justice agency employees responsible for criminal history record information system control or individuals and agencies pursuant to a specific agreement with the criminal justice agency to provide such security programs. The program or programs shall be kept under maximum security conditions.

H. Criminal justice agencies having automated criminal history record files shall designate a system administrator to maintain and control authorized user accounts, system management, and the implementation of security measures.

I. The criminal justice agency shall have the right to audit, monitor, and inspect procedures established pursuant to this chapter.

Statutory Authority

§§ 9.1-102 and 9.1-131 of the Code of Virginia.

Historical Notes

Derived from VR240-02-1 § 3.6, eff. April 1, 1986; amended, Virginia Register Volume 6, Issue 4, eff. January 1, 1990; Volume 10, Issue 7, eff. February 1, 1994; Volume 33, Issue 3, eff. November 4, 2016.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.