Introduction
When managing archives in criminal justice and public safety contexts, it’s essential to distinguish between Criminal Justice Information (CJI) and non-CJI data. The CJIS Security Policy enforces specific requirements for how CJI is classified, retained, and protected. By contrast, non-CJI data may not require the same level of control. This blog examines how to handle CJI vs non-CJI classification and retention to ensure compliance and operational efficiency.
What is CJI?
CJI includes sensitive data collected, created, or exchanged by criminal justice agencies. Examples include:
- Arrest records, booking and incarceration data.
- Biometric identifiers (fingerprints, DNA profiles).
- Investigative reports, NCIC data, and surveillance logs.
Non-CJI may include general administrative documents, training material, or public records not subject to CJIS controls.
Classification Strategies
1. Policy-Driven Classification
- Establish clear policies for identifying what qualifies as CJI.
- Map categories of CJI vs non-CJI in a data classification framework.
2. Metadata Tagging
- Use metadata to tag documents as CJI or non-CJI at ingestion.
- Automate tagging through content analysis, keywords, or AI-assisted classification.
3. Separation of Data Types
- Maintain logical or physical separation between CJI and non-CJI archives.
- Apply stricter controls to CJI repositories while reducing overhead on non-CJI archives.
Retention Strategies
For CJI
- Strict Retention Rules: Follow federal, state, and local mandates.
- Defensible Deletion: Ensure data is destroyed securely when retention expires.
- Audit Readiness: Keep records of retention and deletion actions.
For Non-CJI
- Apply pragmatic retention schedules aligned with business needs.
- Use ROT cleanup (redundant, obsolete, trivial data) to reduce storage costs.
- Non-CJI may be retained for operational efficiency but does not require CJIS audit-level controls.
Challenges
- Mixed Datasets: Some records may contain both CJI and non-CJI, requiring granular classification.
- Automation Accuracy: Automated classification must be validated to avoid mislabeling sensitive records.
- Training & Awareness: Staff must be trained to identify CJI consistently.
Best Practices
- Develop Clear Policies: Define and document classification and retention standards.
- Automate Where Possible: Use AI/ML-assisted tagging but ensure human oversight.
- Segment Archives: Separate CJI from non-CJI for stronger control.
- Audit Regularly: Validate classification and retention decisions against policy.
- Educate Personnel: Train archive admins and staff on differentiating CJI and non-CJI.
Conclusion
Distinguishing between CJI and non-CJI in classification and retention is critical for compliance with CJIS Security Policy. By adopting structured policies, automated tagging, and defensible retention practices, agencies can safeguard sensitive criminal justice data while streamlining management of less sensitive information.