651-F:6 Security of Data. –
I. The center shall utilize effective and technologically advanced computer software and hardware designs to prevent unauthorized access to the information contained in the system. The center shall restrict access to its facilities, operating environment, and documentation to authorized organizations and personnel.
II. The center shall store information in the system in such a manner that it cannot be modified, destroyed, accessed, or purged without authorization.
III. The center shall institute procedures to protect criminal intelligence and terrorism intelligence information from unauthorized access, theft, sabotage, fire, flood, or other natural or human-made disaster.
IV. The center shall adopt procedures for implementing its authority to screen, reject for employment, transfer, or remove personnel authorized to have direct access to the system and may only authorize and utilize a remote, off-premises system database to the extent that it complies with these security requirements and is under the exclusive control of the center.
V. The center shall adopt procedures to assure that only information relevant to the center's purpose, as defined in this chapter, is retained. Such procedures shall provide for the periodic review of information and the destruction of any information which is misleading, obsolete, or otherwise unreliable, and shall require that any recipient agencies be advised of such changes which involve errors or corrections. All information retained as a result of periodic review shall reflect the name of the reviewer, date of review, and an explanation of the decision to retain. Information retained in the system shall be reviewed and validated for continuing compliance with system submission criteria before the expiration of its retention period, which in no event shall be longer than 5 years.
VI. The center shall make remote terminal access to intelligence information available to a participating agency, provided the agency has adequate policies and procedures in place to insure that the information is accessible only to authorized users. Such access shall be on a case-by-case basis only.
VII. There shall be no purchase or use of any electronic, mechanical, or other device for surveillance purposes that is in violation of the provisions of the Electronic Communications Privacy Act of 1986, RSA 570-A:1 through RSA 570-A:11, or any other applicable federal or state statute related to civil rights, personal privacy, personally identifiable data, or wiretapping and surveillance.
VIII. The intelligence operations of the center shall not interfere with the lawful activities of any other federal or state department or agency.
IX. In addition to the penalties set forth in RSA 651-F:7, the center shall adopt internal sanctions for unauthorized access, utilization, or disclosure of information contained in the system.
X. The center and any participating inter-jurisdictional agencies shall maintain information documenting each submission to the system. Each submission shall demonstrate compliance with center entry criteria. Such submissions shall be made available for reasonable audit and inspection by center representatives who shall conduct participating agency inspections and audits in such a manner as to protect the confidentiality and sensitivity of participating agency intelligence records.