1. Tom Clarke VP, Research & Technology National Center for State Courts

2. Historical Recap Courts have focused on ad hoc policies within local trusted networks for sharing data with other agencies. Courts have based their public access policies on the CCJ/COSCA Guidelines published in 2002. Many states restrict public access to juvenile data, but there is no overall consensus. Many states have been forced to consider access by social agencies for the first time only when actual exchanges were recently proposed.

3. Abuse & Neglect Access Policies 2 states presume open access in all juvenile cases. 14 states presume open access, with judicial discretion to close cases. 10 states presume closed access, with judicial discretion to open cases. 6 states presume closed access, with some exceptions. 21 states presumed closed access--period.

4. Delinquency Access Policies 35 states permit or require open access with some age and offense restrictions. 15 states have closed access. There are lots of special conditions and details about access that vary across states.

5. Traditional Technical Approach Two strategies are typically used for enforcement: Bilateral MOU’s between local agencies for policies. Application-embedded access rules for enforcement. At best, application rules enforce coarse (less granular) access policies using broad role definitions. At worst, lists of personnel in roles are not kept up to date, allowing inappropriate access. The policy focus was on public access, either at the courthouse or online.

6. Emerging Problems in Data Sharing Justice and social agencies are sharing more data of all kinds than ever before. Justice and social agencies are sharing more data outside their local trusted networks. Privacy and access rules are often complex and detailed. Privacy and access rules often require analysis of context and purpose for use. Manual training is often insufficient to ensure proper enforcement of complex business rules.

7. New Solutions The national justice community has established best practices for creating access and privacy rules for sharing information between government agencies. Global Justice Information Sharing Committee (GAC) Privacy Products: impact analysis, policy templates, technical enforcement models Other government communities and private industry are working on similar technical approaches. The emphasis is on privacy protection, based on the Fair Information Practices or FIPs.

8. Built on Open Standards Data Content: National Information Exchange Model or NIEM (earlier the GJXDM) Messaging: Justice Reference Architecture or JRA Various open web services technical standards Security: Global Federated Identity and Privilege Management or GFIPM Privacy: Based on NIEM, JRA and GFIPM, adds XACML capability

9. New Technical Approach Establish policies with as much granularity as needed: Subject attributes Purpose attributes Context attributes Resource attributes Obligation attributes Attributes are metadata: data about data. Data types are “tagged” using standard codes to facilitate appropriate automated rule enforcement.

10. New Technical Approach Advanced technical methods are used to establish “trust” across networks using open standards. Organizations manage their own members and assert attributes about them to others. Third party organizations provide rule identification, deconfliction, and enforcement capabilities: Policy Administration Points (PAP) Policy Decision Points (PDP) Policy Enforcement Points (PEP)

11. Business Advantages Organizations can automate enforcement of complex and very granular (detailed) access and privacy rules. Enforcement infrastructures can be reused in multiple contexts for multiple exchanges. Rules can be changed without impacting the underlying agency applications. Rules are enforced even when the data “travels” beyond the agencies or agency staff involved in the original exchange.

12. Implementation Issues The technology is still relatively new (but most major vendors now support the underlying technical standards in their off-the-shelf products). State and federal HHS agencies have not participated in the communities developing the technical standards nor any of the implementation pilots. The Healthcare community is just now beginning to implement some of the same automated privacy policy enforcement capabilities. Establishing the initial privacy enforcement infrastructure is relatively expensive, but subsequent reuse is relatively inexpensive.

13. New Supporting Capabilities The federal HHS has just decided to use NIEM for the data content of some exchanges. A new family and Juvenile domain now exists in NIEM for juvenile content. A NIEM-compliant data model for exchanges between courts and state HHS agencies now exists.

14. But How Real Is It? A court pilot project in Orange County, California is testing these automated privacy enforcement capabilities right now and partnering with the California Administrative Office of the Courts on further uses. Georgia and Alabama law enforcement agencies are piloting similar capabilities. Corrections and probation/parole pilots will start later this year in jurisdictions to be determined. To date, no HHS agency has participated and no juvenile data has been included in these pilots.