IACP Releases Technology Policy Framework

Last month IACP released its Technology Policy Framework. The Framework was developed to help identify useful technologies for public safety and associated metrics for value and performance. The Framework was also motivated by the need to address integration challenges such as infrastructure, multiple platforms, security, technical support, and hardware. A key factor in IACP’s effort is the importance of maintaining public trust, and the implications of new technologies for potentially violating that trust and losing the public’s approval.

IACP identified the following “universal principles” * to guide policy development for technologies “that can, or have the potential to monitor, capture, store, transmit and or share data, including audio, video, visual images, or other personally identifiable information which may include the time, date, and geographic location where the data were captured”:

• Specification of Use —Agencies should define the purpose, objectives, and requirements for implementing specific technologies, and identify the types of data captured, stored, generated, or otherwise produced.

• Policies and Procedures —Agencies should articulate in writing, educate personnel regarding, and enforce agency policies and procedures governing adoption, deployment, use, and access to the technology and the data it provides. These policies and procedures should be reviewed and updated on a regular basis, and whenever the technology or its use, or use of the data it provides significantly changes.

• Privacy and Data Quality —The agency should assess the privacy risks and recognize the privacy interests of all persons, articulate privacy protections in agency policies, and regularly review and evaluate technology deployment, access, use, data sharing, and privacy policies to ensure data quality (i.e., accurate, timely, and complete information) and compliance with local, state, and federal laws, constitutional mandates, policies, and practice.

• Data Minimization and Limitation— The agency should recognize that only those technologies, and only those data, that are strictly needed to accomplish the specific objectives approved by the agency will be deployed, and only for so long as it demonstrates continuing value and alignment with applicable constitutional, legislative, regulatory, judicial, and policy mandates.

• Performance Evaluation— Agencies should regularly monitor and evaluate the performance and value of technologies to determine whether continued deployment and use is warranted on operational, tactical, and technical grounds.

• Transparency and Notice —Agencies should employ open and public communication and decision ‐ making regarding the adoption, deployment, use, and access to technology, the data it provides, and the policies governing its use. When and where appropriate, the decision ‐ making process should also involve governing/oversight bodies, particularly in the procurement process. Agencies should provide notice, when applicable, regarding the deployment and use of technologies, as well as make their privacy policies available to the public. There are practical and legal exceptions to this principle for technologies that are lawfully deployed in undercover investigations and legitimate, approved covert operations.

• Security —Agencies should develop and implement technical, operational, and policy tools and resources to establish and ensure appropriate security of the technology (including networks and infrastructure) and the data it provides to safeguard against risks of loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure. This principle includes meeting state and federal security mandates (e.g., the FBI’s CJIS Security Policy 7 ), and having procedures in place to respond if a data breach, loss, compromise, or unauthorized disclosure occurs, including whether, how, and when affected persons will be notified, and remedial and corrective actions to be taken.

• Data Retention, Access and Use —Agencies should have a policy that clearly articulates that data collection, retention, access, and use practices are aligned with their strategic and tactical objectives, and that data are retained in conformance with local, state, and/or federal statute/law or retention policies, and only as long as it has a demonstrable, practical value.

• Auditing and Accountability —Agencies and their sworn and civilian employees, contractors, subcontractors, and volunteers should be held accountable for complying with agency, state, and federal policies surrounding the deployment and use of the technology and the data it provides. All access to data derived and/or generated from the use of relevant technologies should be subject to specific authorization and strictly and regularly audited to ensure policy compliance and data integrity. Sanctions for non‐compliance should be defined and enforced.

These universal principles are intended to provide structural guidance for developing agency-specific policies and operating procedures that should address the following factors:

• Purpose
• Policy
• Definitions
• Management, including strategic alignment, objectives and
performance, classification of
data and privacy impact
• Operations, including installation, deployment, and training,
operational use, and record
• Data Collection, Access, Use, and Retention, including
information sharing and security
• Oversight, Evaluation, Auditing, and Enforcement.

These guidelines will be very helpful to agencies who are adopting new technologies, especially where the technology has implications not seen previously. Even if the outcome is not perfect (and it never is) a good faith effort to adopt this framework is likely to be viewed favorably when the inevitable challenges occur. If you are procuring a new technology from a vendor, be sure to ask if it has been evaluated with respect to the framework.

*Universal principles taken verbatim from the IACP Technology Policy Framework which can be found here: