Criminal History Record Information FAQ

This FAQ is intended to provide clarification to CASB sample policy GBI, Criminal History Record Information, and the district-specific, administrative protocols that are required when handling criminal history record information (CHRI), pursuant to the FBI’s and CBI’s rules for noncriminal justice agencies. This FAQ is for informational purposes only and does not constitute legal advice. Specific questions should be referred to the school district’s legal counsel.

Q: What is criminal history record information?

A: Criminal history record information (CHRI) means information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, information, or other formal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, and release. The term does not include identification information such as fingerprint records if such information does not indicate the individual's involvement with the criminal justice system. 

CHRI is a subset of criminal justice information (CJI), which is the term used to refer to all of the data provided by the FBI to law enforcement and civil agencies as necessary to perform their work. Due to its comparatively sensitive nature, additional controls are required for the access, use, and dissemination of CHRI. See FBI, CJIS Security Policy.

In other words, CHRI refers to state- and nation-wide, name-based or fingerprint-based criminal history records.

Q: Why has the district received an audit from CBI?

A: The CJIS Security Policy written and maintained by the FBI is the standard by which all criminal justice agencies nationwide, including the Colorado Bureau of Investigation (CBI), must protect the sensitive data they possess and share with authorized agencies. This policy requires the CBI to implement audit and accountability controls to ensure that authorized agencies or users with access to CHRI are handling the data appropriately. [1]

The CBI conducts audits for all noncriminal justice agencies (NCJAs) that have access to CHRI, not just school districts. Audits may be performed on a routine basis (CBI is required to audit all NCJAs which had direct access to the state system at least every 3 years) or if auditable events--significant events which may indicate that the authorizing agency’s security measures are insufficient or have caused a security violation--have occurred. 

Q: What procedures should be in place to protect access to criminal history record information?

A: Districts must maintain compliance with the FBI Criminal Justice Information Services (CJIS) Security Policy and must allow CBI to conduct audits of their CHRI procedures to prevent any unauthorized access, use, or dissemination of information. According to the CJIS Security Policy, school districts must have procedures in place addressing personnel sanctions, controlling access to hardware and media, incident response, digital media sanitation and disposal, and media protection. These procedures are described in the FBI’s Criminal Justice Information Services (CJIS) Security Policy. 

Q: Does CASB sample policy, GBI, Criminal History Record Information meet the requirements of the FBI Criminal Justice Information Services (CJIS) Security Policy?

A: Yes, based on feedback from the CBI, CASB created a new policy, GBI, that better aligns with the FBI’s Criminal Justice Information Services (CJIS) Security Policy and has updated the following sample policies to ensure compliance: 

Core policies (for districts)

• GBEB, Staff Conduct (And Responsibilities)

• GCE/GCF-R, Professional Staff Recruiting/Hiring - Regulation

• GDE/GDF-R, Support Staff Recruiting/Hiring - Regulation

BOCES policy

• GDE/GDF, Support Staff Recruiting/Hiring

CASB sample policy GBI addresses and meets the majority of the requirements for handling CHRI, but districts must ensure that they have written, district-specific procedures in place regarding: (1) the retention of CHRI and (2) the district’s specific incident response plan. These two topics are not addressed in CASB sample policy GBI because they reflect administrative-level decisions that are not best met in board-level policy.

Q: How long may a district maintain/retain criminal history record information? What should be the district's protocol for retaining CHRI?

A: There is no legal requirement for the length of time that a district must or may retain criminal history record information and there is no retention schedule for criminal history record information listed in the Colorado School District Records Management Manual (as developed and maintained by the Colorado State Archives Department); this decision is left to the district’s discretion. 

CASB suggests that districts consider applying the retention schedule for personnel job records, as outlined in the Colorado School District Record Management Manual Schedule No. 15 - Personnel Records, as appropriate or as best meets the district’s local needs and circumstances.

Q: What is the penalty for obtaining unauthorized access to criminal history record information? What should be the district's incident response protocol?

A: Unauthorized access to criminal history record information by any personnel can result in significant disciplinary action, up to and including loss of access privileges, civil and criminal prosecution, and/or termination.

CASB sample policy GBI addresses the district’s requirement and responsibility to report incident information to appropriate authorities, including the CBI’s Information Security Officer, but districts must also have a written incident response protocol in place detailing the reporting chain of command within the district in the event of an information security event or incident.This protocol should identify to whom district personnel must report information security incidents and which district personnel is/are responsible for reporting to CBI’s Information Security Officer. Per districts’ CBI-CJIS Systems Access for Noncriminal Justice Agency agreements, districts must have a designated Agency Coordinator (TAC) and Local Agency Security Officer (LASO); CASB suggests that the district identify the personnel serving in these roles in their internal incident response protocol.

Q: Where can I find more information about criminal history record information use and management requirements? 

A: CBI provides a free-of-charge solution called CJIS Online that meets the requirement that authorized agencies offer security awareness training to personnel within 6 months of hiring and handling CHRI. Designated Agency Coordinators (TACs) would use this solution to issue training to all users who access CHRI or have access to secure areas where CHRI is stored. Districts may contact CBI directly at cdps.cbi.audit@state.co.us for more information on this training.

Additional information may be found here:

• FBI, CJIS Security Policy Resource Center

• CBI, CJIS Security Policy Resources

Districts can also contact CASB’s Legal Team at memberlegal@casb.org for general guidance on compliance or with questions about CASB’s sample policy GBI, Criminal History Record Information. For in-depth issues, districts should contact their local attorneys.

Released: November 2020

[1] Specifically, policies and procedures contained in Title 5 United States Code Section 552 and 552a; 28 CFR 20.33(b); 28 CFR 50.12(b); Public Law 92-544; state statutes; the CJIS Security Policy; and the National Crime Prevention and Privacy Compact (Compact Council) mandates the FBI and CBI to assess the performance of agencies in their use, continual maintenance, dissemination, confidentiality, and security of criminal history record information for noncriminal justice purposes.