Juvenile Records: Courts, Access, and Technological Enforcement

Tom ClarkeVP, Research & Technology

National Center for State Courts

Historical RecapCourts have focused on ad hoc policies within

local trusted networks for sharing data with other agencies.

Courts have based their public access policies on the CCJ/COSCA Guidelines published in 2002.

Many states restrict public access to juvenile data, but there is no overall consensus.

Many states have been forced to consider access by social agencies for the first time only when actual exchanges were recently proposed.

Abuse & Neglect Access Policies2 states presume open access in all juvenile

cases.14 states presume open access, with judicial

discretion to close cases.

10 states presume closed access, with judicial discretion to open cases.

6 states presume closed access, with some exceptions.

21 states presumed closed access--period.

Delinquency Access Policies35 states permit or require open access with

some age and offense restrictions.

15 states have closed access.

There are lots of special conditions and details about access that vary across states.

Traditional Technical ApproachTwo strategies are typically used for

enforcement:Bilateral MOU’s between local agencies for

policies.Application-embedded access rules for

enforcement.At best, application rules enforce coarse (less

granular) access policies using broad role definitions.

At worst, lists of personnel in roles are not kept up to date, allowing inappropriate access.

The policy focus was on public access, either at the courthouse or online.

Emerging Problems in Data SharingJustice and social agencies are sharing more

data of all kinds than ever before.Justice and social agencies are sharing more

data outside their local trusted networks.Privacy and access rules are often complex

and detailed.Privacy and access rules often require

analysis of context and purpose for use.Manual training is often insufficient to ensure

proper enforcement of complex business rules.

New SolutionsThe national justice community has established

best practices for creating access and privacy rules for sharing information between government agencies.Global Justice Information Sharing Committee (GAC)Privacy Products: impact analysis, policy templates,

technical enforcement modelsOther government communities and private

industry are working on similar technical approaches.

The emphasis is on privacy protection, based on the Fair Information Practices or FIPs.

Built on Open StandardsData Content: National Information

Exchange Model or NIEM (earlier the GJXDM)

Messaging: Justice Reference Architecture or JRAVarious open web services technical standards

Security: Global Federated Identity and Privilege Management or GFIPM

Privacy: Based on NIEM, JRA and GFIPM, adds XACML capability

New Technical ApproachEstablish policies with as much granularity as

needed:Subject attributesPurpose attributesContext attributesResource attributesObligation attributes

Attributes are metadata: data about data.Data types are “tagged” using standard codes

to facilitate appropriate automated rule enforcement.

New Technical ApproachAdvanced technical methods are used to

establish “trust” across networks using open standards.

Organizations manage their own members and assert attributes about them to others.

Third party organizations provide rule identification, deconfliction, and enforcement capabilities:Policy Administration Points (PAP)Policy Decision Points (PDP)Policy Enforcement Points (PEP)

Business AdvantagesOrganizations can automate enforcement of

complex and very granular (detailed) access and privacy rules.

Enforcement infrastructures can be reused in multiple contexts for multiple exchanges.

Rules can be changed without impacting the underlying agency applications.

Rules are enforced even when the data “travels” beyond the agencies or agency staff involved in the original exchange.

Implementation IssuesThe technology is still relatively new (but most major

vendors now support the underlying technical standards in their off-the-shelf products).

State and federal HHS agencies have not participated in the communities developing the technical standards nor any of the implementation pilots.

The Healthcare community is just now beginning to implement some of the same automated privacy policy enforcement capabilities.

Establishing the initial privacy enforcement infrastructure is relatively expensive, but subsequent reuse is relatively inexpensive.

New Supporting CapabilitiesThe federal HHS has just decided to use

NIEM for the data content of some exchanges.

A new family and Juvenile domain now exists in NIEM for juvenile content.

A NIEM-compliant data model for exchanges between courts and state HHS agencies now exists.

But How Real Is It?A court pilot project in Orange County,

California is testing these automated privacy enforcement capabilities right now and partnering with the California Administrative Office of the Courts on further uses.

Georgia and Alabama law enforcement agencies are piloting similar capabilities.

Corrections and probation/parole pilots will start later this year in jurisdictions to be determined.

To date, no HHS agency has participated and no juvenile data has been included in these pilots.