Virginia Administrative Code (Last Updated: January 10, 2017) |
Title 6. Criminal Justice and Corrections |
Agency 20. Department of Criminal Justice Services |
Chapter 120. Regulations Relating to Criminal History Record Information Use and Security |
Section 130. Physical access
-
A. Access to areas in which criminal history record information is collected, stored, processed, or disseminated shall be limited to authorized persons. Control of access shall be ensured through the use of locks, guards, or other appropriate means. Authorized personnel shall be clearly identified.
B. Procedures shall be established to detect an unauthorized attempt or access. Furthermore, a procedure shall be established to be followed in those cases in which an attempt or unauthorized access is detected. Such procedures shall become part of the orientation of employees working in criminal history record information area or areas and shall be reviewed periodically to ensure their effectiveness.
C. Criminal justice agencies shall provide direct access to criminal history record information only to authorized officers or employees of a criminal justice agency and, as necessary, other authorized personnel essential to the proper operation of the criminal history record information system.
D. Criminal justice agencies shall institute, where computer processing is not utilized, procedures to ensure that an individual or agency authorized to have direct access is responsible for (i) the physical security of criminal history record information under its control or in its custody and (ii) the protection of such information from unauthorized access, disclosure, or dissemination.
E. Procedures shall be instituted to protect any central repository of criminal history record information from unauthorized access, theft, sabotage, fire, flood, wind, or other natural or man-made disasters.
F. For criminal justice agencies that have their criminal history files automated, it is highly recommended that "backup" copies of criminal history information be maintained, preferably off-site. Further, for larger criminal justice agencies having automated systems, it is recommended that the criminal justice agencies develop a disaster recovery plan. The plan should be available for inspection and review by the department.
G. System specifications and documentation shall be carefully controlled to prevent unauthorized access and dissemination.
Historical Notes
Derived from VR240-02-1 § 3.3, eff. April 1, 1986; amended, Volume 06, Issue 04, eff. January 1, 1990; Volume 10, Issue 07, eff. February 1, 1994; Volume 33, Issue 03, eff. November 4, 2016.