Ethical and legal obligations compel professionals in the justice system, when sharing information, to protect privacy, civil rights, and civil liberties interests. The U.S. Department of Justice’s Global Justice Information Sharing Initiative’s (Global) Privacy, Civil Rights, and Civil Liberties Policy Development Guide for State, Local, and Tribal Justice Entities (or “Privacy Guide”) is a practical resource that supports privacy protection requirements for physical and automated information sharing environments.
Its purpose is to guide privacy policy development while supporting information sharing.
- The following seven steps highlight the privacy policy development process, as recommended in the Privacy Guide, including preparation, drafting, and implementation.
Privacy Guide section references are also included along with each step. The Privacy Guide is available at www.it.ojp.gov/privacy
.
Step 1. Understanding Foundational Concepts (Section 4)
- Become familiar with applicable terms: privacy, civil rights, civil liberties, information quality, and security
- Learn how privacy issues arise and the purpose of a privacy policy
Step 2.Assembling the Project Team (Section 5)
- Designate the project champion or sponsor
- Secure support and justify resources
- Appoint the project team leader
- Build the project team and stakeholders
- Identify the roles within the entity (e.g., privacy and security officers)
Step 3. Establishing a Charter (Section 6)
- Draft components:Vision, mission, and values statements
- Goals and objectives for the creation of the privacy policy
- Write the charter
Step 4. Understanding Information Exchanges (Section 7)
- Identify information exchanges—what information is collected, used, maintained, and shared
- Examine privacy risks by performing a Privacy Impact Assessment
Step 5. Performing the Legal Analysis (Section 8)
- Identify legal authorities applicable to the entity’s privacy protection efforts
- Address legal and technological gaps in the privacy policy
Step 6. Writing the Privacy Policy (Section 9 and Appendix C)
- Develop an outline and draft policy language to meet core privacy policy concepts
- Include legal references identified in Step 5
- Perform a policy review to determine whether the draft policy adequately addresses current privacy standards and protection recommendation
Step 7. Implementing the Privacy Policy (Section 10)
- Obtain formal adoption of the policy
- Make the policy available to decision makers, practitioners, and the public
- Train personnel and authorized users
- Specify methods for auditing and compliance monitoring
- Incorporate revisions and updates identified through the monitoring process