[Federal Register: March 3, 1999 (Volume 64, Number 41)]
[Proposed Rules]
[Page 10262-10265]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr03mr99-23]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

28 CFR Part 25

[AG Order No. 2209-99]
RIN 1105-AA51

National Instant Criminal Background Check System Regulation

AGENCY: Federal Bureau of Investigation, Department of Justice.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The United States Department of Justice (``DOJ'') proposes to amend the DOJ regulation implementing the [[Page 10263]] National Instant Criminal Background Check System (``NICS'') pursuant to the Brady Handgun Violence Prevention Act (``Brady Act''), to establish a retention period of 90 days for information relating to allowed firearm transfers in the system transaction log of background check transactions (``NICS Audit Log''). Audits of the use of the NICS are considered essential to safeguard the privacy of the sensitive information checked by the system and to ensure that the system is operating in the manner required by the Brady Act. Audits will help prevent invasions of privacy that result from misuse of the system. For example, audits will enable the detection of felons who assume the identity of a qualified person to buy guns illegally and persons who misuse the system to perform background checks unrelated to gun purchases (such as employment checks). In addition, the proposed rule clarifies that the retention period begins to run on the day after the request for a NICS check is received.
The proposed rule also clarifies that only the FBI has direct access to the NICS Audit Log and that, in furtherance of the purpose of auditing the use and performance of the NICS, the FBI may extract and provide information from the NICS Audit Log to the Bureau of Alcohol, Tobacco and Firearms (``ATF'') for use in ATF's inspections of Federal Firearms Licensee (``FFL'') records, provided that ATF destroys NICS Audit Log information about allowed firearm transfers within the applicable retention period and maintains a written record certifying the destruction. By using the preexisting ATF inspection system to audit use of the NICS by FFLs, it will be unnecessary to propose a system under which the FBI would perform recurring audits of FFLs. Such a system could lead to duplication of effort and expense resulting from FBI auditors traveling to FFL premises to review the same records that ATF reviews during its routine inspections of FFLs.

DATES: Written comments must be received on or before June 1, 1999.

ADDRESSES: All comments concerning this proposed rule should be sent to: Mr. Emmet A. Rathbun, Unit Chief, Federal Bureau of Investigation, Module C-3, 1000 Custer Hollow Road, Clarksburg, West Virginia 26306-0147.

FOR FURTHER INFORMATION CONTACT: Mr. Emmet A. Rathbun, Unit Chief, Federal Bureau of Investigation, telephone number (304) 625-2000.

SUPPLEMENTARY INFORMATION: This proposal would amend the National Instant Criminal Background Check System Regulation (28 CFR, Part 25, Subpart A), published in the Federal Register on October 30, 1998 (63 FR 58303). The proposed amendments are to the portions of the NICS regulation providing for the retention and use of information in the NICS Audit Log pertaining to allowed firearm transfers, 28 CFR 25.9(b)(1) and (2) (63 FR 58311).

Record Retention Period

The Brady Act requires the Attorney General to ensure the privacy and security of information in the NICS and the proper operation of the system.
The purpose of maintaining the NICS Audit Log is to help carry out this function by facilitating audits of the use and operation of the NICS. At the same time, to prevent the establishment of a national firearms registry, the Brady Act requires the destruction of NICS records (other than the NICS Transaction Number (``NTN'') and the date the NTN was assigned) relating to allowed firearm transfers. Although an eighteen-month retention period for information about allowed firearm transfers was initially proposed in the notice of proposed rulemaking for the NICS regulation, the final NICS rule took into account the comments on this subject and balanced the competing interests by reducing the retention period to no more than six months. The preamble to the final NICS regulation described the question of the period of record retention as follows:

``In light of the statutory requirement that records for allowed transfers be destroyed, and the countervailing statutory requirement to provide for system privacy and security, the Department determined that the general retention period for records of allowed transfers in the NICS Audit Log should be the minimum reasonable period for performing audits on the system, but in no event more than six months. Section 25.9(b) in the final rule was revised to reflect this and to provide that such information may be retained for a longer period if necessary to pursue identified cases of misuse of the system. The Department further determined that the FBI shall work toward reducing the retention period to the shortest practicable period of time less than six months that will allow basic security audits of the NICS. By February 28, 1999, the Department will issue a notice of a proposed revision of the regulation setting forth a further reduced period of retention that will be observed by the system.'' (63 FR 58304.)

The purpose of this notice is to propose a period of retention less than six months that will be observed by the system.

Audits of the NICS will include (1) quality control audits of NICS examiners and call center operators to ensure the accuracy of the responses given to FFLs; (2) audits of the system's data processing to aid in the resolution of technical system problems; (3) audits of the use of the NICS by state agencies serving as points of contact (``POCs'') for the NICS and/or using the NICS in connection with issuing firearms licenses or permits, to ensure that such agencies are accessing the NICS only for authorized purposes; and (4) audits of the use of the NICS by FFLs to ensure that FFLs are accessing the NICS only for authorized purposes and are not sending the NICS false data to evade the system.

Auditing the users (FFLs and POCs) of the NICS is essential to safeguard the security and privacy of personal information in the system. The NICS will perform background checks that access a tremendous amount of criminal history, mental health, military background, and other information about individuals. Access to such sensitive information for background checks on individuals should only be available for purposes authorized by law. Misuse of that information could lead to significant invasions of privacy. The Brady Act recognized the sensitivity of system information by requiring the Attorney General to issue regulations ``to ensure the security and privacy of the information of the system.'' The Brady Act also provides that disclosures of information from the NICS are subject to the restrictions of the Privacy Act.

Without the capacity to audit the use of the system, there will be no way of determining whether FFLs are requesting checks for purposes other than checking on the background of a prospective gun purchaser. Many businesses and individuals would be very interested in having easy access to these government databases through FFLs to do employment or other unauthorized checks on persons.
While it is true that a NICS check will not disclose what record was the reason for a denial, the mere fact that the system response is ``denied'' (indicating that at least one disqualifying record exists) may be enough to cause employers or others to take adverse action against the person checked. A ``delayed'' response might also have a detrimental impact on the subject of the check if a person misusing the system does not wait to see if a ``proceed'' follows or concludes, unfairly, that the response means the individual checked has some kind of stigmatizing ``record.'' The FBI must take appropriate steps to identify and guard against such invasions of privacy.

In addition, the Brady Act requires the Attorney General to establish a system that will inform FFLs whether [[Page 10264]] available information demonstrates that a person seeking to acquire a firearm is disqualified by law from possessing firearms. The background check system established to perform this function is based upon names and other personally identifying information that can be falsified. Therefore, it is equally important to be able to audit NICS transactions to ensure that FFLs are not misusing the NICS by deliberately submitting false information to the system. The ability to audit the background checks requested by FFLs, by comparing the information submitted to the NICS with information retained by the FFL, will deter attempts to evade the system. In other words, audits will help ensure that the system is operating in the manner required by the Brady Act.

There is no formula for determining with precision what retention period is the minimum necessary to allow adequate audits of the NICS, and because the NICS is a new system, there is no historical data regarding the use of the NICS from which any definite conclusion about retention periods can be drawn.
What can be said with certainty is that, at six months, the NICS retention period is already less than half of the retention period established for auditing the users of the Interstate Identification Index (``III''), the information system managed by the FBI that makes up the vast majority of the records checked by the NICS. It is also undeniable that, the shorter the period, the less likely it is that even random audits will uncover or deter system misuse.

In determining the period of retention that will allow for a minimal opportunity to detect misuse of the system by FFLs and POCs, the Department recognizes the need for both: (1) a sufficient period of system activity to be audited; and (2) time to administer the audits. A time period for administering the audits is necessary to: identify those system records that will be used in the audit; conduct the audit; and review the results of the audit to determine whether there are any identified cases of misuse of the system.

Accordingly, the Department has concluded that the shortest practicable period of time for retaining records of allowed transfers that would permit the performance of basic security audits of the NICS is 90 days. Under the proposed rule, therefore, section 25.9(b)(1) provides that in cases of allowed transfers, all information in the NICS Audit Log relating to the person or the transfer, other than the NTN assigned to the transfer and the date the number was assigned, will be destroyed not more than 90 days after the date the request for the NICS check was received.

The proposed rule also changes section 25.9(b)(1) to provide that the retention period begins to run on the day after ``the date the request for the NICS check was received,'' instead of the date the ``transfer was allowed.'' This change provides a uniform date from which to begin the retention period.

Accomplishing the Audits

Quality control, data processing, and POC audits can all be accomplished by FBI employees or contractors without the need for outside assistance. In order to audit the use of the NICS by FFLs, however, the FBI is developing a plan, in coordination with ATF, under which information from the NICS Audit Log will be provided to ATF for use in conjunction with its compliance inspections of FFL records. FFLs are subject to inspections by ATF pursuant to the provisions of the Gun Control Act (``GCA''), 18 U.S.C. 923(g)(1)(B)(ii). By using the preexisting ATF inspection system to audit use of the NICS by FFLs, it will be unnecessary to propose a system under which the FBI would perform recurring audits of FFLs. Such a system could lead to duplication of effort and expense resulting from FBI auditors traveling to FFL premises to review the same records that ATF reviews during its routine inspections of FFLs. It is least intrusive and most efficient to have regular review of FFL NICS records performed by ATF as part of its inspection program. The information comparisons by ATF of NICS Audit Log data with FFL records of NICS checks will detect and deter misuse of the NICS by FFLs and ensure FFL compliance with the Brady Act and the GCA.

Under this plan, ATF will not have direct access to the information in the NICS Audit Log. The information will be extracted from the NICS Audit Log by the FBI and provided to ATF for the FFLs to be inspected. Irregularities relating to the use of the NICS by an FFL discovered during an ATF inspection will be referred to the FBI. Under this plan, ATF will destroy the NICS Audit Log information about allowed firearm transfers within the applicable retention period and maintain a written record certifying destruction of the records. The information provided to ATF from the NICS Audit Log will be the same information that ATF is already authorized to review when inspecting FFL records under the GCA.

The proposed rule, therefore, amends paragraph 25.9(b)(2) to clarify that while only the FBI has direct access to the NICS Audit Log, the FBI, in furtherance of the purpose of conducting audits of the use and performance of the NICS, may extract and provide information from the NICS Audit Log to ATF for use in ATF's inspections of FFL records, provided that ATF destroys information about allowed firearm transfers within the retention period for such information set forth in paragraph 25.9(b)(1) and maintains a written record certifying the destruction.

Applicable Administrative Procedures and Executive Orders

Regulatory Flexibility Analysis

The Attorney General, in accordance with the Regulatory Flexibility Act (5 U.S.C. 605(b)), has reviewed this final regulation and by approving it certifies that this regulation will not have a significant economic impact on a substantial number of small entities. While many FFLs are small businesses, they are not subject to any additional burdens by the proposed plan to audit their use of the NICS.

Executive Order 12866

The proposed rule has been drafted and reviewed in accordance with Executive Order 12866, section 1(b), Principles of Regulation. The Department of Justice has determined that this proposed rule is a ``significant regulatory action'' under section 3(f) of Executive Order 12866, Regulatory Planning and Review, and thus it has been reviewed by the Office of Management and Budget (``OMB'').

Executive Order 12612

This proposed rule will not have a substantial direct effect on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government. Therefore, in accordance with Executive Order 12612, it is determined that this proposed rule does not have sufficient federalism implications to warrant the preparation of a Federal Assessment.

Unfunded Mandates Reform Act of 1995

This proposed rule will not result in the expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more in any one year, and it will not significantly or uniquely affect small governments. Therefore, no actions were deemed necessary under the provisions of the Unfunded Mandates Reform Act of 1995.

[[Page 10265]]

Small Business Regulatory Enforcement Fairness Act of 1996

This final rule is not a major rule as defined by the Small Business Regulatory Enforcement Fairness Act of 1996. 5 U.S.C. 804. This rule will not result in an annual effect on the economy of $100,000,000 or more, a major increase in costs or prices, or have significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based companies to compete with foreign-based companies in domestic and export markets.

List of Subjects in 28 CFR Part 25

Administrative practice and procedure, Business and industry, Computer technology, Courts, Firearms, Law enforcement officers, Penalties, Privacy, Reporting and recordkeeping requirements, Security measures, Telecommunications.

Accordingly, Sec. 25.9 of part 25 of title 28 of the Code of Federal Regulations is proposed to be amended as follows:

PART 25--DEPARTMENT OF JUSTICE INFORMATION SYSTEMS

Subpart A--The National Instant Criminal Background Check System

1. The authority section for Subpart A continues to read as follows:

Authority: Pub. L. 103-159, 107 Stat. 1536.

Sec. 25.9 [Amended]

2. In Sec. 25.9, paragraph (b) is revised to read as follows:

* * * * *

(b) The FBI will maintain an automated NICS Audit Log of all incoming and outgoing transactions that pass through the system.

(1) The NICS Audit Log will record the following information: type of transaction (inquiry or response), line number, time, date of inquiry, header, message key, ORI, and inquiry/response data (including the name and other identifying information about the prospective transferee and the NTN). In cases of allowed transfers, all information in the NICS Audit Log related to the person or the transfer, other than the NTN assigned to the transfer and the date the number was assigned, will be destroyed not more than 90 days after the date the request for the NICS check is received. NICS Audit Log records relating to denials will be retained for 10 years, after which time they will be transferred to a Federal Records Center for storage. The NICS will not be used to establish any system for the registration of firearms, firearm owners, or firearm transactions or dispositions, except with respect to persons prohibited from receiving a firearm by 18 U.S.C. 922 (g) or (n) or by state law.

(2) The NICS Audit Log will be used to analyze system performance, assist users in resolving operational problems, support the appeals process, or support audits of the use of the system. Searches may be conducted on the NICS Audit Log by time frame, i.e., by day or month, by FFL, or by a particular state or agency. Information in the NICS Audit Log pertaining to allowed transfers may only be directly accessed by the FBI for the purpose of conducting audits of the use and performance of the NICS. Permissible uses include extracting and providing information from the NICS Audit Log to ATF in connection with ATF's inspections of FFL records, provided that ATF destroys the information about allowed transfers within the retention period for such information set forth in Sec. 25.9(b)(1) and maintains a written record certifying the destruction. Such information, however, may be retained and used as long as needed to pursue cases of identified misuse of the system.
The NICS, including the NICS Audit Log, may not be used by any Department, agency, officer, or employee of the United States to establish any system for the registration of firearms, firearm owners, or firearm transactions or dispositions. The NICS Audit Log will be monitored and reviewed on a regular basis to detect any possible misuse of the NICS data.

* * * * *

Dated: February 27, 1999.

Janet Reno,
Attorney General.

[FR Doc. 99-5343 Filed 3-1-99; 2:36 pm]

BILLING CODE 4410-06-P