Juvenile Records: Courts, Access, and Technological Enforcement
Tom Clarke
VP, Research & Technology
National Center for State Courts
Historical Recap
• Courts have focused on ad hoc policies within local trusted networks for sharing data with other agencies.
• Courts have based their public access policies on the CCJ/COSCA Guidelines published in 2002.
• Many states restrict public access to juvenile data, but there is no overall consensus.
• Many states have been forced to consider access by social agencies for the first time only when actual exchanges were recently proposed.
Abuse & Neglect Access Policies
• 2 states presume open access in all juvenile cases.
• 14 states presume open access, with judicial discretion to close cases.
• 10 states presume closed access, with judicial discretion to open cases.
• 6 states presume closed access, with some exceptions.
• 21 states presume closed access--period.
Delinquency Access Policies
• 35 states permit or require open access with some age and offense restrictions.
• 15 states have closed access.
• There are lots of special conditions and details about access that vary across states.
Traditional Technical Approach
• Two strategies are typically used for enforcement:
  • Bilateral MOUs between local agencies for policies.
  • Application-embedded access rules for enforcement.
• At best, application rules enforce coarse (less granular) access policies using broad role definitions.
• At worst, lists of personnel in roles are not kept up to date, allowing inappropriate access.
• The policy focus was on public access, either at the courthouse or online.
Emerging Problems in Data Sharing
• Justice and social agencies are sharing more data of all kinds than ever before.
• Justice and social agencies are sharing more data outside their local trusted networks.
• Privacy and access rules are often complex and detailed.
• Privacy and access rules often require analysis of context and purpose for use.
• Manual training is often insufficient to ensure proper enforcement of complex business rules.
New Solutions
• The national justice community has established best practices for creating access and privacy rules for sharing information between government agencies.
  • Global Justice Information Sharing Committee (GAC)
  • Privacy Products: impact analysis, policy templates, technical enforcement models
• Other government communities and private industry are working on similar technical approaches.
• The emphasis is on privacy protection, based on the Fair Information Practices or FIPs.
Built on Open Standards
• Data Content: National Information Exchange Model or NIEM (earlier the GJXDM)
• Messaging: Justice Reference Architecture or JRA
  • Various open web services technical standards
• Security: Global Federated Identity and Privilege Management or GFIPM
• Privacy: Based on NIEM, JRA and GFIPM, adds XACML capability
New Technical Approach
• Establish policies with as much granularity as needed:
  • Subject attributes
  • Purpose attributes
  • Context attributes
  • Resource attributes
  • Obligation attributes
• Attributes are metadata: data about data.
• Data types are “tagged” using standard codes to facilitate appropriate automated rule enforcement.
New Technical Approach
• Advanced technical methods are used to establish “trust” across networks using open standards.
• Organizations manage their own members and assert attributes about them to others.
• Third party organizations provide rule identification, deconfliction, and enforcement capabilities:
  • Policy Administration Points (PAP)
  • Policy Decision Points (PDP)
  • Policy Enforcement Points (PEP)
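The attribute-based model on the two slides above, sketched as an added example that is not part of the original presentation: a rule set (PAP), a deny-by-default decision function (PDP) and a release gate that honors obligations (PEP). It uses plain Python rather than XACML syntax, and every attribute name, value and rule id is a hypothetical assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    subject: dict    # attributes asserted by the requester's home organization
    purpose: str     # declared purpose of use
    context: dict    # e.g. which network the request arrived over
    resource: dict   # tags ("metadata") carried with the record

@dataclass
class Decision:
    effect: str                      # "Permit" or "Deny"
    obligations: list = field(default_factory=list)

# PAP: rules are data, so they change without touching agency applications.
# Every attribute name, value and rule id below is hypothetical.
POLICY = [
    {"id": "sealed-record", "effect": "Deny",
     "match": lambda r: r.resource.get("sealed") is True},
    {"id": "caseworker-abuse-neglect", "effect": "Permit",
     "match": lambda r: (r.subject.get("role") == "caseworker"
                         and r.purpose == "case-management"
                         and r.resource.get("case_type") == "abuse-neglect"
                         and r.context.get("network") == "federated"),
     "obligations": ["log-access", "no-redisclosure"]},
]

def pdp_decide(req):
    """PDP: deny-overrides combining; no matching Permit rule means Deny."""
    matched = [rule for rule in POLICY if rule["match"](req)]
    permits = [rule for rule in matched if rule["effect"] == "Permit"]
    if not permits or any(rule["effect"] == "Deny" for rule in matched):
        return Decision("Deny")
    duties = sorted({o for rule in permits for o in rule.get("obligations", [])})
    return Decision("Permit", duties)

def pep_release(req, record, supported=("log-access", "no-redisclosure")):
    """PEP: release only on Permit, and only if it can honor every obligation."""
    decision = pdp_decide(req)
    if decision.effect != "Permit" or not set(decision.obligations) <= set(supported):
        return None
    return {**record, "handling": decision.obligations}

# Constructed sample request and record.
SAMPLE = Request({"role": "caseworker"}, "case-management",
                 {"network": "federated"}, {"case_type": "abuse-neglect", "sealed": False})
RECORD = {"case_id": "EXAMPLE-001"}
```

The obligations returned with a Permit travel with the released record as handling tags, and a PEP that cannot honor one of them withholds the record.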
Business Advantages
• Organizations can automate enforcement of complex and very granular (detailed) access and privacy rules.
• Enforcement infrastructures can be reused in multiple contexts for multiple exchanges.
• Rules can be changed without impacting the underlying agency applications.
• Rules are enforced even when the data “travels” beyond the agencies or agency staff involved in the original exchange.
Implementation Issues
• The technology is still relatively new (but most major vendors now support the underlying technical standards in their off-the-shelf products).
• State and federal HHS agencies have not participated in the communities developing the technical standards nor any of the implementation pilots.
• The Healthcare community is just now beginning to implement some of the same automated privacy policy enforcement capabilities.
• Establishing the initial privacy enforcement infrastructure is relatively expensive, but subsequent reuse is relatively inexpensive.
New Supporting Capabilities
• The federal HHS has just decided to use NIEM for the data content of some exchanges.
• A new family and Juvenile domain now exists in NIEM for juvenile content.
• A NIEM-compliant data model for exchanges between courts and state HHS agencies now exists.
But How Real Is It?
• A court pilot project in Orange County, California is testing these automated privacy enforcement capabilities right now and partnering with the California Administrative Office of the Courts on further uses.
• Georgia and Alabama law enforcement agencies are piloting similar capabilities.
• Corrections and probation/parole pilots will start later this year in jurisdictions to be determined.
• To date, no HHS agency has participated and no juvenile data has been included in these pilots.