Access Governance Board Agenda August 19, 2021 9:00 AM – 11:30 AM (Eastern Time)

Join Webinar Webinar ID: 953 9157 8173 Passcode: 744177 Phone: (786) 635-1003

I. Welcome, Call to Order – Judge Hilliard, Access Governance Board Chair

II. Roll Call, Determination of Quorum – Lakisha Hall

III. Updating Agency Access Agreement – Group Discussion

IV. Amendments to Fla. R. Gen. Prac. & Jud. Admin. 2.420 – Group Discussion

V. Classification of Medical Malpractice as VOR on the Matrix – Group Discussion

VI. Requests to Amend the Standards and Matrix A. Florida Department of Law Enforcement – Charlie Schaeffer B. Justice Administrative Commission – Cris Martinez C. Office of Criminal Conflict and Civil Regional Counsel – Jeffrey Deen D. Agency for Persons with Disabilities – Meghan Kirkley E. Bureau of Victim Compensation – Michelle Crum F. Capital and Criminal Appeals Division – Thomas Duffy G. C.O.R.E. Program – Lisa Tantillo

VII. Other Business – Group Discussion

VIII. Next Meeting – Judge Hilliard A. November 4, 2021

IX. Adjourn

Agenda Item III. Updating Agency Access Agreement AGENCY REGISTRATION AGREEMENT TO VIEW RECORDS ONLINE COUNTY CLERK OF COURT

REQUEST FORM: *Agency/Firm/Company Name: *Agency Head Name *Agency Head Title *Agency Head E-mail Address *Agency Address *City/State/Zip *Agency Head Phone Alt. Phone *Required 1. This Agreement is for an Agency, Company, Law Firm or Commercial Bulk Purchaser (“Agency”) to view electronic court records as authorized pursuant to the current Florida Supreme Court Administrative Order authorizing access to electronic court records as: Authorized state or local government agency/entity (would Guardian ad Litem fall under this category) School Board Certified law enforcement officers of federal or state law enforcement agencies State Attorney’s Office, Public Defender’s Office, Office of Criminal Conflict and Civil Regional Counsel Florida Attorney General’s Office Law Firm Department of Children and Families, or authorized service providers of the agency Commercial purchaser of bulk records 2. The undersigned appoints the following as Gatekeeper: *Gatekeeper Name: *Gatekeeper E-mail Address *Gatekeeper Address *City/State/Zip *Gatekeeper Phone Alt. Phone *Required 3. The undersigned affirms the contact and other information on this Agreement is correct. If Agency needs to designate a different Gatekeeper or update contact information, Agency must provide an updated request on a form provided by Clerk, which, upon submission to Clerk, is incorporated in this Agreement.

Agency Registration to View Records Online version 1.0 October 2017 Page 1 of 3 Approved by the Florida Courts Technology Commission

4. Clerk Responsibilities a. Clerk will endeavor to provide uninterrupted access to the site, which may be interrupted for maintenance, network or power failures, or security issues. b. Clerk will provide the Gatekeeper with a unique login ID and password and directions on how to change the password; assign additional login IDs and passwords as requested by the Gatekeeper; and process other Gatekeeper requests for Agency’s individual users. c. Clerk will maintain and modify the site as required by the current version of the Standards for Access to Electronic Court Records and the Access Security Matrix, which also allows Clerk to limit information and documents viewable online. 5. Agency Responsibilities a. To provide Gatekeeper oversight and compliance of the Gatekeeper’s responsibilities as set forth below. b. To provide updated contact information for Agency by submitting a Request Form. c. To the extent Agency has authority to and does view confidential information in the electronic court record, Agency shall take all steps necessary to prevent public access to the confidential information. d. To provide computer hardware and software and/or making modifications to existing equipment for access to the site. 6. Gatekeeper Administration The Gatekeeper is charged with the following responsibilities: a. Managing the eligible user accounts for Agency, including adding or requesting eligible users to be added by utilizing Clerk’s authorized Gatekeeper Management Request Form. b. Ensuring on a continual basis that all individuals with user accounts are eligible users. c. Immediately removing or notifying Clerk when any individual user has ceased to be an eligible user. d. Monitoring individual users to ensure that individual use conforms with a valid agency purpose and is in accordance with the current version of the Standards for Access to Electronic Court Records and the Access Security Matrix. e. Notifying Clerk immediately upon discovery of a password or other security breach, including the discovery that any assigned password is known by an unauthorized person (whether used or not), so that the existing login ID may be deactivated and replacement login information issued. 7. Limitations and Liability a. Agency releases Clerk and Clerk’s employees and agents from any liability and any damages resulting from or related to (1) interrupted service of any kind; (2) Agency’s equipment; (3) use of, or viewing of, electronic court records; and (4) Agency's unauthorized public disclosure of confidential information available to Agency under the Access Security Matrix and access as provided in this Agreement. b. Nothing in this Agreement may be construed as waiving the sovereign immunity Agency Registration to View Records Online version 1.0 October 2017 Page 2 of 3 Approved by the Florida Courts Technology Commission

of the Clerk or the Clerk’s employees and agents or of the Agency’s sovereign immunity, if applicable, or modifying the recovery limits against the Clerk or Agency as set forth in section 768.28(5), Florida Statutes. 8. This Agreement, regardless of where actually accepted or delivered, is deemed to have been accepted and delivered by the parties in the State of Florida and any dispute arising from it will be governed by Florida law. Any suit for any claim, breach, or dispute arising out of this Agreement will be maintained in the county where the subject court records are maintained. 9. Any notice or communication given or sent pursuant to this Agreement may be delivered in person, by mail, or by email to the address provided on this form above. 10. Termination a. If the Agency breaches the provisions in this Agreement, the Clerk has the right to terminate this Agreement immediately and pursue any other remedy available at law or in equity. b. This Agreement will be terminated immediately if funding is withdrawn for any reason. The Agency acknowledges that Clerk has no control over appropriations that may be provided by any governmental entity for the continuation of the services under this Agreement. 11. If any part of this Agreement is found to be invalid, then it will have no effect, but the remaining provisions will continue in full force and effect.

Date: State of Agency Head Signature County of Agency Head Printed Name

Sworn to and subscribed before me on

Notary Public (Seal) Personally known or produced identification

Agency Registration to View Records Online version 1.0 October 2017 Page 3 of 3 Approved by the Florida Courts Technology Commission

Agenda Item IV. Amendments to Fla. R. Gen. Prac. & Jud. Admin. 2.420 Supreme Court of Florida 500 South Duval Street Tallahassee, Florida 32399-1925

CHARLES T. CANADY JOHN A. TOMASINO CHIEF JUSTICE CLERK OF COURT RICKY POLSTON JORGE LABARGA SILVESTER DAWSON C. ALAN LAWSON June 16, 2021 MARSHAL CARLOS G. MUÑIZ JOHN D. COURIEL JAMIE R. GROSSHANS JUSTICES

Honorable Lisa Munyon Chair, Florida Courts Technology Commission Ninth Judicial Circuit Orange County Courthouse 425 N. Orange Avenue Orlando, Florida 32801

Re: Standards for Access to Electronic Court Records and Access Security Matrix

Dear Judge Munyon:

At the direction of the Court, I am writing to you in your capacity as Chair of the Florida Courts Technology Commission to ask that the Commission update the Standards for Access to Electronic Court Records and Access Security Matrix as necessary in accord with the Court’s direction in In re: Amendments to Florida Rule of Judicial Administration 2.420, 46 Fla. L. Weekly S22 (Fla. Jan. 21, 2021).

Amended Rule of General Practice and Judicial Administration 2.420, which will become effective July 1, 2021, provides that “the clerk of court shall not be required to designate and maintain information as confidential unless the filer” files a notice of Honorable Lisa Munyon June 16, 2021 Page: 2 confidential information, the filer files a motion to determine confidentiality, the filing is deemed confidential by court order, or the case is confidential by law. Id. However, “[t]he only civil cases to which this new rule applies are civil case types originating in the circuit, county, or small claims courts (identified by the Court Type Designators CA, CC, and SC in the uniform case numbering system), except those case types listed as ‘Viewable on Request’ in the Standards for Access to Electronic Court Records and Access Security Matrix.” Id. And in its opinion adopting the amendments, the Court explained that currently “the Access Security Matrix identifies the following case types as Viewable on Request: ‘County Criminal Appeals Sexual Abuse,’ ‘Jimmy Ryce Act,’ ‘Circuit Civil Private (Sexual Abuse & Medical Malpractice),’ ‘Felony – sexual cases,’ ‘Sexual Violence,’ ‘Extradition,’ ‘Misdemeanor – sexual cases,’ and ‘Misdemeanor-Misc.’ ” Id. at n.3. A copy of the Court’s opinion is included for your convenience.

Thank you in advance for your consideration of this matter, and please do not hesitate to contact me or Justice Polston if you have any questions.

Sincerely,

John A. Tomasino

JAT/dw/sb cc: Honorable Ricky L. Polston Mr. Roosevelt Sawyer, Chief Information Officer Ms. Diane West, Supreme Court Central Staff Director Supreme Court of Florida

______

No. SC20-1765 ______

IN RE: AMENDMENTS TO FLORIDA RULE OF JUDICIAL ADMINISTRATION 2.420.

January 21, 2021

PER CURIAM.

The Court, on its own motion, amends Florida Rule of Judicial

Administration 2.420(d) (Public Access to and Protection of Judicial Branch

Records; Procedures for Determining Confidentiality of Court Records) to eliminate the requirement that the clerk of court independently designate as confidential information filed in certain civil cases. See Fla. R. Jud. Admin.

2.140(d). We have jurisdiction. See art. V, § 2(a), Fla. Const.

In 2010, the Court adopted a comprehensive set of amendments to Florida

Rule of Judicial Administration 2.420 and the Florida Rules of Appellate

Procedure to enact “a procedure that ensures the confidentiality of a narrow set of court records,” as a “necessary prerequisite to the Court’s ongoing effort to provide the public with electronic access to court records.” In re Amends. to Fla. Rule of

Jud. Admin. 2.420 & Fla. Rules of App. Pro., 31 So. 3d 756, 757 (Fla. 2010). Among these amendments, we adopted a new subdivision (d) of rule 2.420 and explained that the rule “sets forth the procedure for the clerks of court to designate court records as confidential.” Id. at 765. We stated, “Subdivision (d)(1) requires the clerk of court to designate and maintain as confidential information governed by existing subdivisions (c)(1) through (c)(6) and information that is confidential or exempt under a subdivision (d)(1)(B) exemption . . . . The clerk’s responsibility under the new [subdivision (d)(1)] is independent of the responsibility of the filer.”

Id.

Since subdivision (d)(1) was adopted, however, news media organizations in

Florida have reported concerning delays in their access to nonconfidential court records, in part due to the requirement that the clerks of court independently review all new filings for confidential information.1 This Court has previously expressed its commitment to safeguard the public’s right of access to court records.

See, e.g., In re Amends. to Fla. Rule of Jud. Admin. 2.420—Sealing of Court

Records & Dockets, 954 So. 2d 16, 17 (Fla. 2007) (“[T]he public’s constitutional

1. In December 2018, Thomas & LoCicero PL, on behalf of a coalition of news media organizations, published a report summarizing a journalist’s attempts to gain access to new case filings at various clerks’ offices throughout the state. See Thomas & LoCicero PL, Report: Tour of Florida Courthouses to Access Court Records (Dec. 10, 2018). The report concludes that access to court records, both in person and online, was routinely delayed. The report also suggests the primary reason for the delays is because the clerks of court are responsible for reviewing and redacting every filing prior to allowing access.

- 2 - right of access to court records must remain inviolate, and this Court is fully committed to safeguarding this right.”). Accordingly, to address timely access to court records, we now amend subdivision (d)(1) to provide that, in certain civil cases, the clerk of court does not have an independent responsibility to identify and designate information as confidential. Instead, that is the sole responsibility of the filer.

In a limited group of civil cases, the clerk of court will designate information or documents as confidential only when: the filer of the confidential information or document files a Notice of Confidential Information within Court Filing pursuant to Florida Rule of Judicial Administration 2.420(d)(2); the filer files a Motion to

Determine Confidentiality of Court Records pursuant to Florida Rule of Judicial

Administration 2.420(d)(3); the filing is deemed confidential by court order; or the case itself is confidential by law. The only civil cases to which this new rule applies are civil case types originating in the circuit, county, or small claims courts

(identified by the Court Type Designators CA, CC, and SC in the uniform case numbering system),2 except those case types listed as “Viewable on Request

2. In 1998, the Chief Justice issued an Administrative Order implementing a uniform case numbering system for Florida courts. In re Uniform Case Numbering System, Fla. Admin. Order (July 6, 1998). In the circuit and county courts, the uniform case number includes a two-letter “Court Type Designator” identifying the case type. The full list of Case Type Designators is outlined in the Appendix to the

- 3 - (VOR)”3 in the Standards for Access to Electronic Court Records and Access

Security Matrix, as adopted by the supreme court in Administrative Order

AOSC14-19 or the then-current standards for access.

We note that the amendments adopted in this opinion do not impact the existing procedure requiring the clerk of court to designate and maintain court

Administrative Order, and includes circuit civil cases (CA), county civil cases (CC), and small claims cases (SC).

3. The Access Security Matrix highlights certain case types as “Viewable on Request (VOR)”: [T]o ensure that information is properly removed prior to public access, some case types and document types have a special electronic security called viewable on request. Selecting an image of a court document in cases or documents coded viewable on request will not allow the user to view the record at that point. Instead, a request is generated to a clerk, who performs a second examination of the document to remove personal identification information and information about the victims of sexual or child abuse crimes. After the clerk has completed, the requestor then receives a notice that the document is available for viewing. Once a document has been requested and reviewed, it is available for all future access without requiring a request/review. Access Security Matrix, https://www.flcourts.org/content/download/690684/file/access-security-matrix-v9- november%202020.pdf (last updated Nov. 2020). Currently, the Access Security Matrix identifies the following case types as Viewable on Request: “County Criminal Appeals Sexual Abuse,” “Jimmy Ryce Act,” “Circuit Civil Private (Sexual Abuse & Medical Malpractice),” “Felony - sexual cases,” “Sexual Violence,” “Extradition,” “Misdemeanor - sexual cases,” and “Misdemeanor- Misc.”

- 4 - records as confidential in all non-civil cases, including criminal cases,4 guardianship and probate cases, adoption proceedings, or juvenile dependency or juvenile delinquency cases. In non-civil cases, subdivision (d)(1) continues to require “the clerk of court to designate and maintain as confidential information governed by . . . subdivisions (c)(1) through (c)(6) and information that is confidential or exempt under a subdivision (d)(1)(B) exemption.” In re Amends. to

Fla. Rule of Jud. Admin. 2.420 & the Fla. Rules of App. Pro., 31 So. 3d at 765.

We also emphasize that any party, non-party, or attorney who does not comply with the requirements in rule 2.420 may be subject to sanctions under subdivision

(i) (Sanctions) of rule 2.420.

Accordingly, the Florida Rules of Judicial Administration are amended as reflected in the appendix to this opinion.5 New language is indicated by underscoring; deletions are indicated by struck-through type. To allow an opportunity for public comments, these amendments will not take effect until July

1, 2021, at 12:01 a.m. In particular, we invite comments from the Florida Bar

4. The amendments we adopt in this opinion have no impact on the clerk’s obligation to designate and maintain information and documents as confidential under article I, section 16(b) of the Florida Constitution.

5. We refer these amendments to the Florida Courts Technology Commission to update the Standards for Access to Electronic Court Records and Access Security Matrix as necessary.

- 5 - Rules of Judicial Administration Committee and the Florida Court Clerks and

Comptrollers. Interested persons shall have seventy-five days from the date of this opinion in which to file comments with the Court.6

It is so ordered.

CANADY, C.J., and POLSTON, LABARGA, LAWSON, MUÑIZ, COURIEL, and GROSSHANS, JJ., concur.

THE FILING OF A MOTION FOR REHEARING SHALL NOT ALTER THE EFFECTIVE DATE OF THESE AMENDMENTS.

Original Proceeding – Florida Rules of Judicial Administration

6. All comments must be filed with the Court on or before April 6, 2021, with a separate request for oral argument if the person filing the comment wishes to participate in oral argument, which may be scheduled in this case. If filed by an attorney in good standing with The Florida Bar, the comment must be electronically filed via the Florida Courts E-Filing Portal (Portal) in accordance with In re Electronic Filing in the Supreme Court of Florida via the Florida Courts E-Filing Portal, Fla. Admin. Order No. AOSC13-7 (Feb. 18, 2013). If filed by a nonlawyer or a lawyer not licensed to practice in Florida, the comment may be, but is not required to be, filed via the Portal. Comments filed via the Portal must be submitted in Microsoft Word 97 or higher. See In re Electronic Filing in the Florida Supreme Court, Fla. Admin. Order No. AOSC17-27 (May 9, 2017). Any person unable to submit a comment electronically must mail or hand- deliver the originally signed comment to the Florida Supreme Court, Office of the Clerk, 500 South Duval Street, Tallahassee, Florida 32399-1927; no additional copies are required or will be accepted.

- 6 - APPENDIX

RULE 2.420. PUBLIC ACCESS TO AND PROTECTION OF JUDICIAL BRANCH RECORDS

(a) – (c) [No Change]

(d) Procedures for Determining Confidentiality of Court Records.

(1) Except as provided in subdivision (d)(1)(C), Tthe clerk of the court shall designate and maintain the confidentiality of any information contained within a court record that is described in subdivision (d)(1)(A) or (d)(1)(B) of this rule. The following information shall be maintained as confidential:

(A) The clerk of the court shall maintain as confidential information described by any of subdivisions (c)(1) through (c)(6) of this rule; and

(B) eExcept as provided by court order, the clerk of the court shall maintain as confidential information subject to subdivision (c)(7) or (c)(8) of this rule that is currently confidential or exempt from section 119.07, Florida Statutes, and article I, section 24(a) of the Florida Constitution as specifically stated in any of the following statutes or as they may be amended or renumbered:

(i) – (xxiii) [No Change]

(C) In civil cases, the clerk of the court shall not be required to designate and maintain information as confidential unless the filer follows the notice procedures set forth in subdivision (d)(2), the filer files a Motion to Determine Confidentiality of Court Records as set forth in subdivision (d)(3), the filing is deemed confidential by court order, or the case itself is confidential by law. “Civil cases” as used in this rule includes only civil case types in the circuit, county, or small claims courts (identified by the Court Type Designator CA, CC, and SC in the uniform case numbering system), except those case types listed as “Viewable on Request (VOR)” in the Standards for Access to Electronic Court Records and Access Security Matrix, as adopted by the supreme court in Administrative Order AOSC14-19 or the then-current standards for access.

(2) – (5) [No Change]

(e) – (m) [No Change]

- 7 -

Committee Note

[No Change]

2002 – 2007 Court Commentary

[No Change]

2007 Committee Commentary [No Change]

APPENDIX TO RULE 2.420 [No Change]

- 8 -

Agenda Item VI A. Florida Department of Law Enforcement Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix

The Access Governance Board (Board) was established to develop and maintain a statewide access matrix and policy necessary to protect and limit confidential and sensitive information in court records, while simultaneously establishing mechanisms to afford public access to non-confidential records. The Board developed the Standards for Access to Electronic Court Records and the Access Security Matrix. The standards provides electronic access to court documents, dependent upon user role in accordance with statutes, rules, and administrative policy. The matrix defines specific levels of access to case types based on user roles.

Email completed form to Lakisha Hall at [email protected]

Contact Person Charles Schaeffer Contact Person Phone (850) 410-7100 Name Contact Person [email protected] Agency Name FDLE Email County Statewide Circuit Statewide

1. Describe in detail the change(s) you are requesting to the Standards for Access to Electronic Court Records and/or the Access Security Matrix. The Florida Department of Law Enforcement (FDLE) seeks this Access Governance Board’s assistance in addressing a growing problem for the agency and its several diverse program areas. Recent changes to access to judicial records, as recommended by the Florida Courts Technology Commission and adopted by the Florida Supreme Court via administrative orders (See Admin. Order No. AOSC19-20 (April 16, 2019); see also Admin. Order No. AOSC20-108 (Nov. 20, 2020)), have created many significant hindrances on FDLE in fulfilling its statutory obligations. These changes, in addition to how they were implemented by respective Clerks of Court, have limited the manner in which FDLE is able to access electronic data contained within judicial records. Until recently, many of these records were available electronically to FDLE personnel on demand, but are not only “visible on request,” which requires additional steps and significant time to access, therein slowing down our day-to-day operations and impacting the workload for the Clerks of Court.

This may be in part due to the fact that, according to the most recent Access Security Matrix, FDLE has the same “matrix user role” as other law enforcement agencies across the state regardless of FDLE’s unique statutory role and obligations. This user role does not consider the unique statutory responsibilities incumbent upon FDLE, notably to include our caretaking roles overseeing the Criminal Justice Information Systems (CJIS) program and the Sexual Offender Registry for the state. Additionally, our DNA Database has also been hindered due to limited access of electronic records.

FDLE appreciates the need to ensure information security however, given the agency’s unique role in this state, we hope we can find a path that ensures information security while removing barriers to timely and accurate public safety and criminal justice mandates. FDLE requests the development of a new matrix user role that provides the agency with unfettered access to records necessary to complete Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 1 the statutory missions noted below to ensure efficient services that benefit the State of Florida. FDLE also requests this Board’s assistance in ensuring that all counties provide access to unredacted records pursuant to the statutory authorities listed below.

2. Cite the statute or rule which authorizes or prohibits the access you are requesting. For the Board’s review, FDLE has compiled the following areas of concern, along with the noted statutory obligations for each respective area:

FDLE CJIS Seal and Expunge

FDLE's seal and expunge unit is tasked by statute with ensuring that individuals seeking to seal or expunge criminal history records are statutorily eligible to do so. FDLE administers several types of record relief, including court-ordered sealing and expungement pursuant to ss. 943.059 and 943.0585, F.S., respectively, automatic sealing pursuant to s. 943.0595, F.S., automatic juvenile expungement pursuant to ss. 943.0515(1)(a) and (b), F.S., early juvenile expungement pursuant to s. 943.0515(1)(b)2, F.S., juvenile diversion expungement pursuant to s. 943.0582, F.S., lawful self-defense expungement pursuant to s. 943.0578, F.S., human trafficking expungement pursuant to s. 943.0583, F.S., and administrative expungement pursuant to s. 943.0581, F.S.

The information that FDLE needs to access in order to verify eligibility for record relief varies with the form of statutory relief that is being sought. For illustrative purposes, what follows is a non-exhaustive list of statutory forms of relief and a non-exhaustive listing of associated requirements which FDLE must verify by inspecting court records:

Court-ordered sealing or expungement pursuant to s. 943.059 or 943.0585, F.S., respectively:

FDLE must verify that the applicant: • has never been adjudicated guilty of any crime in Florida

• is not attempting to receive relief for a charge listed at s. 943.0584(2), F.S., where adjudication has been withheld

• is no longer under court supervision at the time of application for relief

• has never received a prior sealing or expunction as defined under ss. 943.059 or 943.0585, F.S.

• has met the time requirements associated with expunging a record that has already been sealed because adjudication was withheld (expungement only)

• has not been adjudicated delinquent of crimes listed at ss. 943.059(1)(b)/943.0585(1)(d), F.S.

Early Juvenile Expungement pursuant to s. 943.0515(1)(b)2, F.S.:

FDLE must verify that the applicant:

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 2 • has not been charged by the state attorney with, or found to have committed, any criminal offense within the 5-year period before the application date

• is not classified as a serious or habitual juvenile offender or committed to a juvenile correctional facility or juvenile prison under Chapter 985, F.S.

• If, at any time, a minor is adjudicated as an adult for a forcible felony, the minor’s criminal history record prior to the time of the minor’s adjudication as an adult must be merged with his or her record as an adjudicated adult

• If 18 or over at the time of application, has not been convicted of a forcible felony as an adult

• has not been adjudicated delinquent for a violation committed on or after July 1, 2007, as provided in s. 943.0435(1)(h)1.d., F.S.

Juvenile Diversion Expungement pursuant to s. 943.0582, F.S.:

FDLE must verify that the applicant: • has successfully completed that county’s diversion program, that his or her participation in the program was based on an arrest for a misdemeanor, and that he or she has not otherwise been charged by the state attorney with, or found to have committed, any criminal offense or comparable ordinance violation

• has never been, before filing the application for expunction, charged by the state attorney with, or found to have committed, any criminal offense or comparable ordinance violation

Common Practical Example:

There is often a difference between the charges at arrest, the charges initially filed by the state attorney’s office, and the final charges at disposition. A common example of this involves the charge of battery – domestic violence. Crimes of domestic violence are ineligible, so long as the person is convicted of such a crime per s. 943.0584(2), F.S. However, cases frequently originate as domestic violence at arrest, and may be formally charged as the same, but are subsequently pled down to simple battery (non-domestic). In this example, the charge would not be ineligible for a certificate of eligibility to seal under s.943.059, F.S. because it is not a conviction for the offense of domestic battery. However, because these cases often are pled down in open court without the filing of an amended charging document by the state attorney’s office, the only way for FDLE to verify the actual disposition charge is by viewing the judgment and sentence entered by the court.

In summary, in order to determine statutory eligibility to seal or expunge records, FDLE requires unrestricted access to criminal court documents. Regardless of what any given criminal justice database reflects concerning a criminal history record, the actual court records are what ultimately govern eligibility for sealing or expungement. Accordingly, when FDLE's decision to deny relief to an applicant is appealed, the content of relevant court records governs the decision. Some examples of what FDLE must verify include, but are not limited to: the specific statutory crime(s) for which an applicant was sentenced, whether adjudication was imposed or withheld in the judgment and sentence,

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 3 whether an order terminating court supervision has been entered, whether jurisdiction or venue was transferred to another court, whether the person was found not guilty by reason of insanity or incompetent to stand trial (and whether the person remains under court supervision as a result), whether the applicant initially had adjudication withheld, but subsequently had adjudication imposed upon violating probation, and more.

FDLE CJIS Firearm Purchase Program

FDLE is the point of contact for the State of Florida with respect to firearm transactions. FDLE is required by statute to determine firearm transaction eligibility and to maintain the mental competency database for the State of Florida. See ss. 790.065(2)(a), 790.065(2)(a)4.a., F.S. Pursuant to s. 790.065(2)(a), F.S., FDLE must review any records available to determine if a potential buyer or transferee of a firearm is eligible to receive that firearm, such as if the individual:

• Has been convicted of a felony and is prohibited from receipt or possession of a firearm pursuant to s. 790.23, F.S.

• Has been convicted of a misdemeanor crime of domestic violence.

• Has had an adjudication of guilt withheld or imposition of sentence suspended on any felony or misdemeanor crime of domestic violence unless 3 years have elapsed since probation or other conditions set by the court have been fulfilled or expunction has occurred.

• Has been adjudicated mentally defective or has been committed to a mental institution by a court, or voluntarily admitted to mental institution following the procedure set forth in s. 790.065(2)(a)4.b.(II), F.S.

FDLE is further required to review any records available to determine if the potential buyer or transferee has been indicted or has an information filed against them for an offense that is a felony under either state or federal law, or, as mandated by federal law, has had an injunction for protection against domestic violence, had an injunction for protection against repeat violence, or arrested for a dangerous crime specified in s. 907.041(4)(a) or any of the following enumerated offenses:

• Criminal anarchy under ss. 876.01 and 876.02, F.S. • Extortion under s. 836.05, F.S. • Explosives violations under s. 552.22(1) and (2), F.S. • Controlled substances under Chapter 893, F.S. • Resisting an Officer with Violence under s. 843.01, F.S. • Weapons and firearms violations under Chapter 790, F.S. • Treason under s. 876.32, F.S. • Assisting self-murder under s. 782.08, F.S. • Sabotage under s. 876.38, F.S. • Staking or aggravated stalking under s. 784.048, F.S.

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 4 FDLE’s firearm eligibility unit needs access to various areas outside of county and circuit court criminal records to fulfill their statutory responsibilities. Individuals who are subject to injunctions against committing acts of domestic violence, stalking or cyberstalking are ineligible for possessing firearms under s. 790.233. F.S. Individuals who have been found to have committed a delinquent act in Florida, that would be felony if committed by an adult and are under age 24, are ineligible from possessing firearms in Florida under s. 790.23, F.S.

The information that FDLE needs to access in order to verify eligibility for firearm related transactions encompasses essentially all areas of the Florida Court System. FDLE in daily activities would need to examine the following areas, as examples:

Firearm Purchasing under s. 790.065(2)(a), must review: • Criminal court records to determine relationships of individuals for domestic violence cases. • Judgment and sentences for disposition status confirmation. • Juvenile court records to determine disposition and treatment of the case. • Mental health cases, to determine if the individual meets the definition of “adjudicated mentally defective” under s. 790.065(2)(a)4.a. • Status of any injunctions against a potential purchaser or transferee.

The Department would also note that under s. 790.065(2)(c)3, the office of the clerk of court, at no charge to the department, shall respond to any department request for data on the disposition of the indictment, information, or arrest as soon as possible, but in no event later than 8 working hours. This is in relation to determining whether a potential buyer or transferee has been indicted or had an information filed against them on particular offenses, charged with dangerous crimes, has an injunction against them, or the enumerated offenses from s. 790.065(2)(c)1.a-j.

Common Practical Examples:

• An individual is arrested under a domestic violence offense and the state attorney’s office charges the individual under Battery – Domestic Violence, however the final offense does not include the domestic violence criteria. FDLE would need to review those records to determine if there was a qualifying domestic violence relationship under 18 USC §921(a)(33) and potentially be disqualified under s. 790.065(2)(a)2, F.S. FDLE would need full access to the police reports and case information that is not redacted on the individuals involved to make the proper determinations.

• An individual is arrested as a juvenile and charged with an offense. The cases disposition may not have been updated to show the final disposition in a case. FDLE would need to review the documents associated with the juvenile case to determine whether that person was adjudicated delinquent or potentially treated as an adult, which can be disqualifying under ss. 790.065(2)(a)1 or 790.23, F.S.

• FDLE receives documents from the Clerk of Court on an individual to be entered into the mental competency database (MECOM). FDLE sometimes needs to review other documents from the case to determine if the individual in fact meets the criteria under s. 790.065(2)(a)4.a., of “adjudicated mentally defective.” FDLE users are restricted from accessing the files in different areas of the State and unable to further review the orders and filings within the case to make certain whether a person should be entered into MECOM.

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 5

In summary, in order to follow the statutory mandates regarding firearm transactions and the mental competency database, FDLE requires unrestricted access to criminal court, juvenile court, domestic relations and mental health court records. Regardless of what any given criminal justice database reflects concerning a criminal history record, the actual court records are what ultimately govern eligibility for firearm related transaction and mental competency. Accordingly, when FDLE's decision to deny a transaction or enter an individual into MECOM, the content of relevant court records governs the decision. Some examples of the things that FDLE must verify include, but are not limited to: the specific statutory crime(s) for which an applicant was sentenced, whether adjudication was imposed or withheld in the judgment and sentence, whether an order terminating court supervision has been entered, whether jurisdiction or venue was transferred to another court, whether the person was found not guilty by reason of insanity or incompetent to stand trial (and whether the person remains under court supervision as a result), whether the applicant initially had adjudication withheld, but subsequently had adjudication imposed upon violating probation, and more.

FDLE Sexual Offender Registry Pursuant to s. 943.043, FDLE is required to provide to the public information regarding sexual predators and sexual offenders that are not otherwise confidential and exempt. FDLE performs this mission through the Sexual Offender Registry housed on the Internet for all citizens to view. To meet this need, FDLE members must review court records to determine if someone has met the specific statutory requirements to be considered a sexual offender. Additionally, pursuant to s. 775.21, The Florida Sexual Predator Act, FDLE is charged by the Legislature with collecting and publicly posting the names of sexual predators. This requires a written finding of a court that a sexual offender is a sexual predator, which necessitates FDLE’s ability to review court records to review such designations for inclusion or exclusion from the registry based on a court’s findings. Additionally, FLE is charged with notifying a state attorney that a particular offender otherwise meets the criteria to be designated a sexual predator but the court did not, for whatever reason, make a written finding at the time of sentencing. This obligation requires more than a mere review of a judgment and sentence, but rather the potential review of an entire court file to ensure the necessary elements have been met. The affirmative obligations of courts in designating certain individuals as sexual predators and offenders can be found in ss. 775.24 and 943.0436, F.S. In addition to state statutory requirements, Florida is also required to maintain a registry pursuant to 34 U.S.C. 20912(a). 34 U.S.C. 20919 provides for an affirmative duty to notify individuals if they are obligated to register. S. 943.0435, F.S. provides the definition of a sexual offender and who must register with the FDLE as an offender for purposes of the Sexual Offender Registry. The registration process is triggered by a conviction(s) of enumerated offenses which must be verified by FDLE before public posting of an individual’s personal identification information on the Registry. S. 943.0435 also requires written court findings regarding case facts in certain cases, such as juvenile sexual offender cases, which require verification by FDLE. Pursuant to F.S. 394.910 et. seq., FDLE also reviews records related to the involuntary commitment of sexually violent predators, requiring access to civil and mental health records. The Sexual Offender Registry provides many benefits to the State of Florida, and is used in many background processes. Pursuant to s. 943.04351, government agencies must review either a federal registry or FDLE’s registry of sexual predators and offenders prior to appointing or employing a person for work at any park, playground, day care center, or other place where children regularly congregate. Pursuant to s. 943.04352, a similar search must be done by any public or private entity providing

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 6 probation services for any probationer placed on misdemeanor probation through ss. 948.01 and 948.15. The Registry must also be compared for athletic coaches within the state pursuant to F.S. 943.0438. Pursuant to s. 943.0453, the Office of Program Policy Analysis and Government Accountability is charged with reviewing the effectiveness of the sexual predator and registration process every three years, to include a review for “ensuring the most accurate, current, and comprehensive information is provided in a timely manner to the registry…” Additionally, pursuant to the above-noted statutes, as well as F.S. 943.04354, at times FDLE is obligated to remove someone from the Registry and is required to review applicable court records to ensure accuracy in determining if a person is eligible for removal. This may necessitate the review of a series of records within court files.

Common Practical Examples:

In addition to those noted above, there are many illustrative examples of how FDLE uses court records in sex offender reviews. A judgment and sentence is necessary to determine if an individual must register as a sexual offender or predator, as well as for determining how often the individual is statutorily required to update registration information. In many cases, FDLE must review specific findings regarding a case, to include the nature of the offense and fact-specific case details, the age of the victim, and/or the difference in age between the offender and the victim. FDLE must also review case records to determine if the victim was a minor. In some cases, FDLE will also review charge dispositions, particularly when an individual is arrested for one charge and convicted of another. In regard to certain civil commitment cases, it is possible for an individual to be required to register without a qualifying criminal charge, but instead they had been involuntarily civilly committed. Finally, in many cases, FDLE needs to review case records to determine if the case had a sexual motivation that would require registration, such as in the case of certain kidnappings, false imprisonment cases, or luring and enticing cases.

FDLE DNA Investigative Support Database

In order to fulfill the obligations of s. 943.325, F.S., which establishes the DNA Database, FDLE staff must be able to access CCIS to view court documents without the current limitations. The DNA Database uses CCIS to identify or confirm offender identification information and the associated arrest or conviction statute(s) to appropriately determine eligibility into the Combined DNA Index System (CODIS). Document access includes all relevant adult or juvenile (felony and misdemeanor) county cases and the ability to open and view attached documents such as the arrest/booking documents, plea agreements, and judgment and sentencing information. In addition, the database requires the ability to view warrants because some DNA submissions are collected for out-of-county warrants.

FDLE’s ability to efficiently and effectively research DNA submissions is now inhibited by restrictions to county information.

Common Practical Examples:

• A DNA submission may only identify the criminal chapter such as chapters 784 or 800, F.S. Since misdemeanors are located within the chapter and may not qualify for DNA collection, the database

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 7 needs to determine the level of the charge or statute subsection to continue processing. While FDLE has access to FCIC, the offender’s criminal history does not always list the arrest event, the level of the charge, or the statute number; therefore access to the CCIS case information and attached documents allows us to identify/confirm required information for entry into CODIS.

• A DNA submission can be collected for a non-qualifying misdemeanor conviction and identified as a “court ordered” collection. Appropriate access to CCIS allows FDLE to search the court case number and review attached documents (plea agreements, judgment and sentencing or probation orders) for DNA collection requirements, if applicable.

• Access to CCIS case information allows FDLE the ability to cross reference the offender name, date of birth, address, etc. with other sites such as FCIC, DAVID, Department of Corrections or Department of Juvenile Justice databases to ensure appropriate identification of the offender, when necessary.

• The DNA Database receives hard copies of juvenile or adult DNA collection court orders from several counties which generally identifies the defendant by name only which is insufficient for cross- referencing other criminal history databases such as FCIC or the Juvenile Justice Information System (JJIS) to fulfill the DNA Database record requirements. Access to case information in CCIS allows FDLE to confirm the identity and enter the offender data into our system.

• DNA submissions may be collected by a booking agency for an out-of-county warrant. If a criminal history is available in FCIC, there is generally little to no warrant information or the name of the county that issued the warrant. Access to CCIS’s warrant information expands FDLE’s ability to confirm offender and statute information for eligibility into CODIS.

• Several counties do not fingerprint juvenile offenders, so there is no criminal history or SID# available. Access to CCIS’s juvenile case information provides the Database additional offender data and confirmation or comparison of arrest charges or disposition information to Department of Juvenile Justice data.

Currently, the DNA Database annually receives over 70,000 arrestee and convicted offender DNA submissions from all 67 counties in Florida. FDLE relies on the CCIS to provide important case information to identify or confirm offender and statute data, booking dates or dispositions. Unfortunately, the recent matrix changes have significantly impacted our ability to access several counties’ adult and/or juvenile case information or limited the availability of document attachments necessary to research and enter DNA submissions into CODIS in a timely manner.

Along with the DNA Database, members of the FDLE Crime Lab System utilize CCIS to verify case information (case number and defendant name), pending court dates or to confirm if the case is closed.

3. Describe in detail how access was gained prior to the implementation of the Access Security Matrix. Prior to the implementation of the Access Security Matrix, FDLE was able to obtain the above- referenced records electronically through CCIS without systemic issues.

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 8 4. Attach a markup copy of the changes you are requesting to be implemented to the Standards for Access to Electronic Court Records and/or the Access Security Matrix.

5. Attach documentation describing in detail internal protocols for protecting and accessing confidential information. FDLE operates in compliance with the FBI's CJIS Security Policy, and also has detailed internal policies and procedures regarding the security of information. FDLE would be happy to provide non- exempt versions of such records on request.

FOR ACCESS GOVERNANCE BOARD USE ONLY Decision Approved Denied Approved with More info conditions requested Reason for Denial Specific Conditions for Approval Reason for More Information Request Date

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 9

Agenda Item VI B. Justice Administrative Commission Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix

Contact Person Rip Colvin Contact Person (850) 488-2415 Name Phone Contact Person [email protected] Agency Name Justice Administrative Email Commission County Circuit

1. Describe in detail the change(s) you are requesting to the Standards for Access to Electronic Court Records and/or the Access Security Matrix. In 1998, Florida voters adopted Revision 7 to Article V of the Florida Constitution, this constitutional amendment required the state to assume responsibility for funding the state courts system, which included court-appointed counsel. Funds for these purposes were required to come from state revenues appropriated by general law. Consequently when the legislature passed Revision 7 legislation in 2004, the Justice Administrative Commission (JAC) was statutorily directed to audit and process invoices for constitutionally and statutorily required legal representation to indigent persons and children by private court-appointed counsel and due process vendors. Each year, JAC audits and processes 60,000+ invoices for legal services to indigent persons in Criminal, Dependency, Guardianship, Capital Collateral Post Conviction, Civil Commitment, and other case types in which the Office of the Public Defender or Regional Conflict Counsel is unable to represent an indigent client due to a legal conflict of interest. Additionally, JAC audits invoices for legal services to children in Dependent Children with Special Needs cases. JAC also audits and processes invoices for court-authorized state payment of Due Process Vendors (i.e., court reporters, investigators, mitigation specialists, interpreters, and experts) providing services in these cases. Each year JAC audits, verifies, and processes invoices for over $60,000,000 in legal services to indigent persons and children in specific case types statewide. Accordingly, Comprehensive Case Information System (CCIS) access to court dockets and records is imperative to fulfill JAC’s statutory duties because such access provides JAC an expeditious means to audit and verify the accuracy of invoices for state-payment in an efficient manner necessary to protect the constitutional rights of indigent persons and children served and ensure the orderly administration of justice.

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 1 Additionally, access to the CCIS dockets and records also helps JAC ensure that fraud and errors are prevented when expending scarce taxpayer funds. With the implementation of the Access Security Matrix (ASM) v8, the JAC lost significant access to critical criminal and civil dockets and records in CCIS. JAC’s initial assignment to Role 6 (General Government) failed to maintain JAC’s access to the levels necessary level to carry out its statutorily mandated responsibilities. In order to address this critical issue, JAC was temporarily assigned Role 9 (Attorney General’s Office). However, that level of access does not give JAC the necessary access to dockets and records in 17 criminal and civil case types for which JAC processes invoices. JAC’s current level of access has slowed the review, verification, and processing of payments for critical legal and due process services for the most vulnerable population in the legal system; indigent persons and children in court. This action has resulted in additional delay and frustration for the parties who rely on state-funded legal services to ensure their constitutional rights. If limited access continues, JAC’s review, verification, and processing of payments will continue to slow and result in a backlog of attorney fee hearings before the Courts, longer fee hearing dockets due to the slower payment process, and ultimately an unwillingness by attorneys and due process vendors to serve this vulnerable population. Therefore, in order to ensure the orderly administration of justice, protect the constitutional and statutory rights of indigent persons and children represented by court-appointed counsel, and restore JAC’s ability to perform its statutory duties, JAC requests increased access in the 17 case types listed in Addendum A (Security Matrix). Please note that JAC is only requesting the level of access necessary to fulfill its statutory obligations to ensure that attorneys and vendors are accurately and expeditiously paid so that they will continue to accept court- appointed work and thereby ensure that court proceedings are not unnecessarily delayed.

2. Cite the statute or rule which authorizes or prohibits the access you are requesting. The following statutes require JAC access to court records to appropriately perform its statutorily mandated duties. These include: s. 27.40, F.S. (Court-appointed counsel; circuit registries; minimum requirements; appointment by court); s. 27.52(5), F.S. (Terms and conditions for Indigent For Costs cases); s. 27.5304, F.S. (Private court-appointed counsel; compensation; notice); s. 27.711, F.S. (Terms and conditions of appointment of attorneys as counsel in postconviction capital collateral proceedings); s. 29.007, F.S. (Court-appointed counsel - due process costs); s. 39.013, F.S. (Procedures and jurisdiction; right to counsel); s. 39.01305, F.S. (Appointment of an attorney for a dependent child with certain special needs); s. 39.0132, F.S. (Oaths, records, and confidential information); s. 39.0134, F.S. (Appointed counsel; compensation); s. 39.802, F.S. (Petition for termination of parental rights; filing; elements; right to counsel); s. 39.807, F.S. (Right to counsel); s. 43.16, F.S. (Justice Administrative Commission; membership, powers and duties); s. 215.422, F.S. (Prompt-payment law requiring state payment within 20 days); and a. 985.045, F.S. (Court records).

Section 39.0132(3), F.S., provides that, in relation to dependency proceedings, “The Justice Administrative Commission may inspect court dockets required by this chapter as necessary to audit and verify court authorization and compensation of court-appointed attorneys and due process vendor services.” Similarly, s. 985.045(2), F.S., provides that, in relation to delinquency proceedings, “the Justice Administrative Commission shall always have the right to inspect and copy any official record pertaining to the child.” However, JAC requires access to CCIS dockets and records in order to accurately and expeditiously verify and process payments for court-appointed attorneys representing indigent persons and children and court-authorized due process vendors. With the update to CCIS, JAC

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 2 audit staff often cannot confirm the existence of delinquency or dependency cases through CCIS much less access court dockets or records as authorized by s. 39.0132(3), F.S., (dependency) and s. 985.045(2), F.S. (delinquency). Requiring JAC to petition the court for documents is not feasible given the 60,000+ invoices JAC audits, verifies, and processes annually. Such an approach would render JAC’s compliance with the Prompt Payment law, which requires state payment within 20 days (s. 215.422, F.S.) impossible. Please see the full list of applicable statutes for JAC Authority to view these dockets and records listed in Addendum B (Statutory Authority).

3. Describe in detail how access was gained prior to the implementation of the Access Security Matrix. Prior to the implementation of ASM v8, limited JAC staff had "B Level" access to court dockets and records in CCIS for these 17 case types which JAC audits and processes through JAC’s secure information technology infrastructure. This level of CCIS access preserved: 1) the constitutional and statutory rights of the indigent persons and children served by court-appointed counsel and the due process vendors; 2) the orderly administration of justice; and 3) JAC’s ability to accurately and expeditiously process payments with scarce taxpayer resources while detecting and preventing fraud. It is critical that the requested CCIS docket and records access is implemented so the operations of the court system are not diminished or disrupted.

4. Attach a markup copy of the changes you are requesting to be implemented to the Standards for Access to Electronic Court Records and/or the Access Security Matrix.

See Addendum A, attached. 5. Attach documentation describing in detail internal protocols for protecting and accessing confidential information.

JAC limits CCIS access to specific staff responsible for reviewing, verifying, and processing court- appointed attorney and due process vendor invoices for state payment. Upon hire, this staff must review, understand, and sign different JAC policies, attached as Exhibits C-H, that address the appropriate access and use of sensitive and confidential information on databases used to perform job duties. Staff is repeatedly made aware that violation of any of these policies may result in disciplinary action, including termination. When JAC staff is authorized and trained to use CCIS for job duties, these policies are revisited. This JAC staff is well trained regarding the confidential nature of CCIS information and its limited use for job-related duties. Further, JAC staff are required to access CCIS only through JAC’s secure information technology infrastructure.

Please see: JAC Policy Against Fraudulent, Unethical, and Other Dishonest Acts, attached as Addendum C; JAC Policy on Confidential and Sensitive Information with Addendum, attached as Addendum D; JAC Employment Security Screening Policy & Procedures, attached as Addendum E; JAC Employee Handbook, p. 35, attached as Addendum F; JAC’s CCIS training documents (pages 31, 34), attached as Addendum G; and CCIS Forms, attached as Addendum H.

Decision Approved Denied Approved with More info conditions requested Reason for Denial

Specific Conditions for Approval

Reason for More Information Request

Date

Proposed Role for Justice Administrative Commission Compared to Current Role (Role 9) Case - Charge/Filing Description Role 9 - Current JAC Role1 Proposed JAC Role Statutory Reference County Criminal Appeals C B s. 27.5304, F.S. County Criminal Appeals Sexual Abuse D B s. 27.5304, F.S. County Civil Appeals C C Circuit Civil C C Jimmy Ryce Act D B s. 314.916, F.S. Mortgage Foreclosure C C Circuit Civil Private (Sexual Abuse & Medical Malpractice) D D Circuit Civil - Trusts (Pre-2010) C C County Civil C C County Foreclosure C C Felony C B s. 27.5304, F.S. Felony - Sexual cases D B s. 27.5304, F.S. Juvenile Delinquency G B s. 27.5304, F.S. County Ordinance Infractions C C County Ordinance - Arrests C C Probate D D Probate Miscellaneous D D Criminal Traffic C B s. 27.5304, F.S. Juvenile Dependency B B Juvenile Truancy B B Domestic Relations C C Domestic Relations Adoption (FINAL) G G DR Adoption (while open and pending) G G Domestic Relations - Paternity C C Domestic Relations - Paternity - sealed F F Delayed Birth Certificate C C Name Change C C Dissolution C C Repeat Violence C C Administrative Support Proceeding C C Parental Notice of Abortion G B ch. 390, F.S. Sexual Violence D B s. 39.0134, F.S. Termination of Parental Rights B B URESA/UIFSA C C Extradition D B ch. 744, F.S. Guardianship/Guardian Advocate (Developmental Disabilities) C B ch. 744, F.S. Guardianship Miscellaneous/Professional Guardian C B ch. 744, F.S. Non-Criminal Infractions C C Juvenile Miscellaneous G G Miscellaneous Firearms C C Baker Act and Mental Health Miscellaneous D B s. 394.473, F.S. Substance Abuse - Assessment/Treatment B B Tuberculosis/STD Treatment/Other Confidential B B Incapacity C B s. 27.5304, F.S. Misdemeanor C B s. 27.5304, F.S. Misdemeanor - sexual cases D B s. 27.5304, F.S. Municipal Ordinance Infraction C C Municipal Ordinance Arrest C C Misdemeanor - Misc D B s. 27.5304, F.S. Parking C C Small Claims D D Traffic Infractions C C s. 27.5304, F.S. Any Case Marked Sealed G G Any Expunged Case H H Sealed Family Law G G

Notes: 1. Role 9 for the JAC proper is based on Access Governance Board (AGB) and clerk actions on June 24 and June 25, 2021. Addendum B

The Justice Administrative Commission (JAC) administratively serves the 20 Offices of State Attorney, 20 Offices of Public Defender, 5 Offices of Criminal Conflict and Civil Regional Counsel, 3 Offices of Capital Collateral Regional Counsel, and the Statewide Guardian ad Litem Program (JROs).

In 1998, Florida voters adopted Revision 7 to Article V of the Florida Constitution, this constitutional amendment required the state to assume responsibility for funding the state courts system, which included court-appointed counsel. Funds for these purposes were required to come from state revenues appropriated by general law. Thus, when the legislature passed Revision 7 legislation in 2004, the JAC was directed to audit and process invoices for constitutionally and statutorily required legal services to indigent persons and children provided by private court-appointed attorneys and due process vendors (i.e., court reporters, investigators, mitigation specialists, interpreters, and experts).

The core responsibility of JAC’s Court-Appointed Section is to audit and verify the accuracy of invoices for state-funded services by comparing information on billed entries to court case dockets and records. This comparison allows JAC to accurately and efficiently process these invoices for prompt payment and also ensure the constitutional rights of the indigent persons and children represented, the efficient operation of the justice system, and to prevent and detect fraud, waste, and abuse of scarce taxpayer funds. See also: Section 43.16(6)(a), F.S. (JAC is charged with preventing and detecting fraud, waste, and abuse).

The majority of invoices JAC’s Court-Appointed Section audits are Criminal and Dependency billings. Please note that Criminal invoices include entries for state-funded legal representation in Criminal Traffic, Delinquency, Misdemeanor, and Felony cases. Dependency invoices include entries for state-funded legal representation in Dependency, Termination of Parental Rights, and Dependent Children with Special Needs.

The statutes requiring JAC to perform these functions are the following:

Section 27.40, F.S. (Court-appointed counsel; circuit registries; minimum requirements; appointment by court). Specifically,

(b)1. The flat fee established in s. 27.5304 and the General Appropriations Act shall be presumed by the court to be sufficient compensation. The attorney shall maintain appropriate documentation, including contemporaneous and detailed hourly accounting of time spent representing the client. If the attorney fails to maintain such contemporaneous and detailed hourly records, the attorney waives the right to seek compensation in excess of the flat fee established in s. 27.5304 and the General Appropriations Act. These records and documents are subject to review by the Justice Administrative Commission and audit by the Auditor General, subject to the attorney-client privilege and work-product privilege. The attorney shall maintain the records and documents in a manner that enables the attorney to redact any information subject to a privilege in order to facilitate the commission’s review of the records and documents and not to impede such review. The attorney may redact information from the records and documents only to the extent necessary to comply with the privilege. The Justice Administrative Commission shall review such records and

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 5 shall contemporaneously document such review before authorizing payment to an attorney. Objections by or on behalf of the Justice Administrative Commission to records or documents or to claims for payment by the attorney shall be presumed correct by the court unless the court determines, in writing, that competent and substantial evidence exists to justify overcoming the presumption.

Section. 27.52(5), F.S. (Terms and conditions for Indigent for Costs cases)

Section 27.5304, F.S. (Private court-appointed counsel; compensation; notice), provides the case types for which JAC audits, verifies, and processes state-funded attorney fee invoices as follows:

(1) Private court-appointed counsel appointed in the manner prescribed in s. 27.40(1) and (2)(a) shall be compensated by the Justice Administrative Commission only as provided in this section and the General Appropriations Act. The flat fees prescribed in this section are limitations on compensation. The specific flat fee amounts for compensation shall be established annually in the General Appropriations Act. The attorney also shall be reimbursed for reasonable and necessary expenses in accordance with s. 29.007. If the attorney is representing a defendant charged with more than one offense in the same case, the attorney shall be compensated at the rate provided for the most serious offense for which he or she represented the defendant. This section does not allow stacking of the fee limits established by this section.

(2) The Justice Administrative Commission shall review an intended billing by private court-appointed counsel for attorney fees based on a flat fee per case for completeness and compliance with contractual and statutory requirements. The commission may approve the intended bill for a flat fee per case for payment without approval by the court if the intended billing is correct. An intended billing that seeks compensation for any amount exceeding the flat fee established for a particular type of representation, as prescribed in the General Appropriations Act, shall comply with subsections (11) and (12). ***** (7) Counsel eligible to receive compensation from the state for representation pursuant to court appointment made in accordance with the requirements of s. 27.40(1) and (2)(a) in a proceeding under chapter 384, chapter 390, chapter 392, chapter 393, chapter 394, chapter 397, chapter 415, chapter 743, chapter 744, or chapter 984 shall receive compensation not to exceed the limits prescribed in the General Appropriations Act. Any such compensation must be determined as provided in s. 27.40(7).

In addition, the following statutes authorize JAC to process invoices for court-authorized and state-funded legal representation in other case types:

Section. 27.52(5), F.S. (Terms and conditions for Indigent for Costs cases)

Section. 27.711, F.S. (Terms and conditions of appointment of attorneys as counsel in postconviction capital collateral proceedings) (attorney fees and costs)

Section 39.013, F.S. (Procedures and jurisdiction; right to counsel)

Section 39.01305, F.S. (Appointment of an attorney for a dependent child with certain special needs)

Section 39.0132, F.S. (Oaths, records, and confidential information), permits JAC to inspect court dockets in dependency proceedings as follows:

(3) The clerk shall keep all court records required by this chapter separate from other records of the circuit court. All court records required by this chapter shall not be open to inspection by the public. All records shall be inspected only upon order of the court by persons deemed by the court to have a proper interest therein, except that, subject to the provisions of s. 63.162, a child and the parents of the child and their attorneys, guardian ad litem, law enforcement agencies, and the department and its designees shall always have the right to inspect and copy any official record pertaining to the child. The Justice Administrative Commission may inspect court dockets required by this chapter as necessary to audit compensation of court-appointed attorneys. If the docket is insufficient for purposes of the audit, the commission may petition the court for additional documentation as necessary and appropriate. The court may permit authorized representatives of recognized organizations compiling statistics for proper purposes to inspect and make abstracts from official records, under whatever conditions upon their use and disposition the court may deem proper, and may punish by contempt proceedings any violation of those conditions.

(Emphasis supplied).

Section 39.0134, F. S., (Appointed counsel; compensation) (dependency and termination of parental rights proceedings)

Section 39.802 Petition for termination of parental rights; filing; elements (right to counsel)

Section 39.807, F.S. (Right to counsel; guardian ad litem)

Section 43.16, F.S. (Justice Administrative Commission; membership, powers and duties), provides that “the commission, each state attorney, each public defender, the criminal conflict and civil regional counsel, the capital collateral regional counsel, and the Guardian Ad Litem Program shall establish and maintain internal controls designed to: . . . .(a) Prevent and detect fraud, waste, and abuse as defined in s. 11.45(1).”

Section 215.422, F.S. (Payments, warrants, and invoices; processing time limits; dispute resolution; agency or judicial branch compliance) (Florida Prompt Payment law), requires JAC to record, approve, and file an invoice with the Chief Financial Officer no later than 20 days after receipt of the invoice and receipt.

Section 394.473, Florida Statutes, (Attorney’s fee; expert witness fee) (Baker Act)

Section 394.916, F.S. (Trial; counsel and experts; indigent persons; jury) (Involuntary Civil Commitment)

Section 397.501, F.S. (Rights of individuals) (Marchman Act)

Chapter 390, F.S. (TERMINATION OF PREGNANCIES) (Parental Notice of and Consent for Abortion)

Chapter 415, F.S. (ADULT PROTECTIVE SERVICES)

Chapter 744, F.S. (GUARDIANSHIP)

Section 939.06, F.S. (Acquitted defendant not liable for costs)

Section 985.045, F.S. (Court records) permits JAC to inspect court records in delinquency proceedings as follows:

(2) The clerk shall keep all official records required by this section separate from other records of the circuit court, except those records pertaining to motor vehicle violations, which shall be forwarded to the Department of Highway Safety and Motor Vehicles. Except as provided in ss. 943.053 and 985.04(6)(b) and (7), official records required by this chapter are not open to inspection by the public, but may be inspected only upon order of the court by persons deemed by the court to have a proper interest therein, except that a child and the parents, guardians, or legal custodians of the child and their attorneys, law enforcement agencies, the Department of Juvenile Justice and its designees, the Florida Commission on Offender Review, the Department of Corrections, and the Justice Administrative Commission shall always have the right to inspect and copy any official record pertaining to the child. Public defender offices shall have access to official records of juveniles on whose behalf they are expected to appear in detention or other hearings before an appointment of representation. The court may permit authorized representatives of recognized organizations compiling statistics for proper purposes to inspect, and make abstracts from, official records under whatever conditions upon the use and disposition of such records the court may deem proper and may punish by contempt proceedings any violation of those conditions.

(Emphasis supplied.)

Section 984.07, F.S. (Appointed counsel; compensation) (Child in Need of Services)

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 8 Prior to the recent CCIS Security Matrix update, JAC enjoyed a level of access that allowed the efficient auditing, verification, and processing of payments for these critical court-authorized and state-funded services to indigent persons and children in an expeditious manner. With the implementation of the Access Security Matrix (ASM) v8, JAC was initially assigned “Role 6” General Government. However, Role 6 failed to maintain JAC’s access to the levels necessary level to carry out its statutorily mandated responsibilities. In order to address this critical issue, JAC was temporarily assigned Role 9 (Attorney General’s Office). As a result, JAC staff can no longer verify certain case information in 17 case types, such as status, orders, and other necessary information that allows JAC to audit, verify, and process payments for court-appointed attorneys and their due process vendors. Moreover, in order to audit and process these payments, JAC is now required to send attorneys and vendors Audit Deficiency Notices requesting documents that were previously accessed by JAC on CCIS, thereby impeding the efficient operation of the justice system. This has slowed the review, verification, and processing of payments for critical legal and due process services for the most vulnerable population in the legal system; indigent persons and children in court. This action has resulted in additional delay and frustration for the parties who rely on state-funded legal service to ensure their constitutional rights. If limited access continues, JAC’s review, verification, and processing of payments will continue to slow and result in a backlog of fee hearings before the Courts, longer fee hearing dockets due to the slower payment process, and frustration and delay with the Courts, attorneys, and vendors. For these reasons, JAC, as well as the courts and affected persons, would greatly appreciate greater CCIS access for JAC to audit, verify, and process payments to court-appointed attorneys and the due process vendors in order to ensure their rights and avoid disruption of the orderly administration of justice. The result of denying JAC the access required to accurately and efficiently process bills would be to prolong payments, thereby dissuading court-appointed attorneys and due process vendors from accepting court-appointed work.

POLICY AGAINST FRAUDULENT, UNETHICAL, AND OTHER DISHONEST ACTS

SPECIFIC AUTHORITY ss. 112.311, Florida Statutes, et seq.

OBJECTIVE To guard against fraudulent, unethical, and dishonest acts (collectively referred to as “bad acts”) that compromise the Justice Administrative Commission (JAC) and list staff and management responsibilities for preventing, detecting, reporting, and investigating such acts.

OVERVIEW

JAC is committed to the highest standards of ethical behavior. Breaches of these standards, especially through bad acts involving fraudulent, unethical, and other dishonest behavior, are not only costly, but they erode the public's trust and confidence in JAC’s integrity and competence. By issuing this policy, JAC hereby affirms its duty and responsibility to aggressively combat behaviors that affect the JAC’s abilities to perform its duties.

This policy is intended to: (1) communicate a "zero tolerance" for fraudulent, unethical, and other bad acts; (2) institute preventive measures at JAC designed to deter these bad acts as well as make them easier to detect; (3) require all employees to report suspected incidences of fraud, unethical, and other bad acts; and (4) provide for the reporting and investigation of such, including providing protection to employees who report violations.

A. DEFINITIONS Fraud generally involves a willful or deliberate act or omission with the intention of obtaining an unauthorized benefit, service, property, or something of value by deception, misrepresentation, or other unethical or unlawful means. Fraud can be committed through many methods, including mail, wire, telephone, and the Internet. Fraudulent, unethical, and other bad acts may include, but are not limited to, the following:

Rev. 11-15-2019

1. Forgery or unauthorized alteration of documents or computer records;

2. Falsification or misrepresentation of information to management, external agencies and entities, including time sheets, claims for travel or other reimbursement.

3. Failure to report a material fact to management, external agencies and entities that may lead to a wrongful financial gain (e.g., failing to disclose the receipt of an overpayment).

4. Requesting, authorizing or receiving payment for time not worked;

5. Misappropriation of funds, securities, supplies, or other assets;

6. Impropriety in handling or reporting of money or financial transactions;

7. Engaging in unauthorized activities that result in a conflict of interest;

8. Disclosing confidential or proprietary information to unauthorized individuals;

9. Removal of agency property, records, or other assets from the premises without supervisory approval;

10. Unauthorized use or destruction of agency property, records, databases, or other agency assets; and

11. Taking and using information or providing information that could lead to identity theft.

B. RESPONSIBILITY FOR DETECTION, REPORTING, AND PREVENTION OF FRAUD AT JAC

1. Management Responsibility

a. Management shall demonstrate the appropriate respect for complying with all laws, rules, and regulations. Management is also responsible for establishing and maintaining proper internal controls that will provide for the security and accountability of the resources entrusted to them. Such controls include, but are not limited to, ensuring that: (1) incompatible duties are properly separated; (2) financial transactions are properly authorized and approved; (3) reports of financial activity are periodically reviewed for completeness and accuracy; (4) official personnel actions (e.g., appointments, terminations, promotions) and employee time and leave are properly authorized and approved; (5) assets are physically secured; (6) computer passwords are protected and not shared; (7) confidential and sensitive information is protected from unauthorized access; and (8) employees are effectively trained and supervised. In addition, supervisors shall be cognizant of the risks and exposures inherent in their area of

Rev. 11-15-2019

responsibility, take appropriate steps to help mitigate those risks, and be aware of the related symptoms of fraudulent, unethical, and other dishonest actions. b. Management shall be alert to the possibilities of fraud and any indication that unethical or dishonest activity is taking place. Upon receiving a report of an allegation involving fraud, unethical behavior or other bad act, management shall immediately notify the Executive Director or General Counsel. If either or both the Executive Director and General Counsel are potential participants in the fraudulent, unethical or bad act, JAC management shall directly notify the current Chair of the Justice Administration Commission. Management shall not investigate the suspected bad act or discuss the matter with anyone other than the person who reported the bad act to them and the appropriate person to whom the bad act is subsequently reported.

2. Employee Responsibility

a. Employees shall also be alert to the possibilities of fraud and any indication that unethical or other bad act is taking place. b. Any JAC employee, who has a reasonable belief based upon articulable facts that such bad act has occurred or is occurring, shall immediately notify JAC management, specifically his or her supervisor. If the supervisor is a potential participant in the unethical or bad act, the JAC employee shall directly notify the Executive Director or General Counsel. If, in addition to the supervisor, either or both the Executive Director and General Counsel are also potential participants in the unethical or bad act, the JAC employee shall directly notify the current Chair of the Justice Administration Commission. The employee shall NOT investigate the suspected bad act or discuss the matter with anyone other than the person or office to whom the activity was reported.

3. Employees making good faith reports are protected. An employee who, in good faith, reports wrongful activity meeting the provisions of s. 112.3187, Florida Statutes (Whistle-blower's Act), is protected against retaliation for making such a report. The law also provides for the individual's identity to remain confidential. Regardless as to whether the provisions of the Whistle-blower's Act are met, it is a violation of this policy for anyone to retaliate against an employee for reporting, in good faith, allegations of wrongdoing, or participating in the investigation of such allegations.

4. Employees knowingly making false reports are not protected. Employees who knowingly make false allegations may be subject to disciplinary action up to and including dismissal. Allegations that are investigated and deemed unsubstantiated are not necessarily indicative of false allegations.

C. INVESTIGATION

Upon receiving and reviewing allegations of fraudulent, unethical, and other bad acts, the Executive Director in consultation with the General Counsel will determine whether an investigation is warranted. If an investigation is warranted, the Executive Director in consultation with the General Counsel, will decide whether the JAC should conduct an

Rev. 11-15-2019 administrative investigation or whether the matter involves potential criminal acts that must be immediately turned over to one of the following: the Department of Financial Services’ Office of Fiscal Integrity, the Florida Department of Law Enforcement, or the State Attorney’s Office.

Administrative Investigation

If the Executive Director determines to proceed with an administrative investigation, the Executive Director shall appoint an employee within JAC to investigate the reported bad act.

Upon appointment, the Appointee in an expeditious manner shall as described in the JAC Investigative Procedures:

1. Receive and review the allegations of fraudulent, unethical, and other bad acts; 2. Review all relevant documents and evidence; 3. Identify and interview potential witnesses; 4. Interview the JAC staff member alleged to have committed the fraudulent, unethical, and other bad acts; and 5. Analyze all information and prepare a report with findings. At any time during the administrative investigation, if the Appointee suspects that criminal activity has taken place, the Appointee shall consult with the Executive Director and the General Counsel on whether the administrative investigation should be suspended and the matter referred to the proper law enforcement agency.

The results of the investigation conducted by the Appointee shall be communicated in writing, to the Executive Director

During the administrative investigation, the Constitutional rights of all persons are to be observed. The accused will be afforded the opportunity to respond to the allegations or matters being investigated. The rights of the accused will be safeguarded throughout the investigation.

Pursuant to this policy, all employees are to cooperate fully with those performing an administrative investigation. All employee-witnesses, including the accused, shall be given a statement of rights before the interview. (See, JAC Administrative Investigation Statement of Rights, attached). An employee-witness who does not fully cooperate with an authorized administrative investigation may be disciplined up to and including termination of employment. However in accordance with the 5th and 14th Amendments of the Constitution of the United States, self-incriminating statements made by an employee- witness may not be used against the employee-witness in any subsequent criminal proceeding.

D. ACTIONS

Employees determined to have participated in fraudulent, unethical, or other bad acts will be subject to disciplinary action in accordance with personnel policies and rules. Employees who fail to report known or suspected fraudulent, unethical, or other bad acts

Rev. 11-15-2019 as required by this policy may also be subject to disciplinary action in accordance with personnel policies and rules. Criminal, civil, and/or other administrative actions may also be taken against employees who are found to have participated in unlawful acts. Whether a criminal action is pursued falls within the sole purview of local, state, or federal law enforcement, as well as prosecuting and judicial authorities.

E. OTHER REPORTING METHODS

JAC and the State of Florida provide other methods to report possible wrongful activity. These methods are supplemental and the utilization of one or more of the following methods does not excuse an employee from complying with the requirement of this policy to report any knowledge of fraudulent, unethical, or other bad acts to their supervisor or other appropriate person addressed in Section B of this policy.

1. Any method provided by s. 112.3187, Florida Statutes. (Whistle-blower’s Act).

2. Employees may also report possible wrongful activity anonymously. Methods to make anonymous reports include but are not limited to:

 Using JAC’s Executive Director Box housed in the common area outside of the restroom;  Sending an anonymous email to any JAC email address listed on the Contact JAC webpage;  Submitting a JAC Tip Form at: https://www.justiceadmin.org/contact/jacemailform.aspx?ToName=JAC%20Tip;  Contacting JAC’s Online Support Team at: 1-844-522-5463 (toll free);  By mail to the Justice Administrative Commission, Attention: Executive Director or General Counsel, at 227 North Bronough Street, Suite 2100, Tallahassee, FL 32301; or  Contacting the Department of Financial Services’ Office of Fiscal Integrity at https://www.myfloridacfo.com/Division/DIFS/OFI/.

Note: Anonymous complaints for which no corroboration can be found will be retained by JAC but will not be placed in any employee's personnel file.

I have received, read, and understand the “Policy Against Fraudulent, Unethical, and Other Dishonest Acts.”

Employee Signature: ______Date: ______

Employee Name: ______

NOTE: A copy of this policy will be placed in the employee’s personnel file.

Rev. 11-15-2019

JAC ADMINISTRATIVE INVESTIGATION STATEMENT OF RIGHTS

You are hereby directed to fully cooperate with the investigating official(s). Your failure to cooperate will create an objective and subjective fear of termination. You have the following rights and responsibilities during this investigation:

1. You have the right to be informed of the allegations involved.

2. You will be asked questions specifically directed and narrowly related to the performance of your official duties.

3. Statements made during any interviews may be used as evidence of misconduct or as the basis for seeking disciplinary action against you.

4. Any statements made by you during these interviews cannot be used against you in any subsequent criminal proceeding, nor can the information derived from any of your statements be used against you in any subsequent criminal proceeding.

5. If you so request, a person of your choice may be present to serve as a witness during the interviews.

6. If you refuse to answer questions relating to the performance of your official duties, you will be subject to dismissal.

ACKNOWLEDGEMENT: I have read and understand the above notification.

Employee’s Signature: ______Date: ______Time: ____

Investigator’s Signature: ______Date: ______Time: ____

Witness’s Signature: ______Date: ______Time: ____

Rev. 11-15-2019

JUSTICE ADMINISTRATIVE COMMISSION

Policy on Confidential and Sensitive Information

The nature of the business conducted by an administrative services agency, such as the Justice Administrative Commission, involves receipt of and access to confidential or sensitive information. (See Addendum, attached). Agency personnel who have access to any confidential or sensitive information, in the course of their duties, are responsible for ensuring that they utilize this information only for legitimate business purposes, and that they maintain the integrity of any confidential or sensitive information encountered.

Confidential or sensitive material may be in any form (“physical” paper, e-mail, facsimile, information within a database, etc.) Confidential information, records or data includes information specifically exempted from disclosure as a public record as provided in Chapter 119, Florida Statutes, as well as, many legal and court documents, specifically those concerning juveniles. Any improper handling of this information creates the potential for criminal charges being filed against the responsible party or parties.

The Commission has clearly expressed their position on the use, discussion, or distribution of any agency’s (SA, PD, CCRC, GAL, etc.) information (financial data, personnel data, etc.) Although only some of this information or documentation is exempt from public records disclosure, this material contains sensitive information that requires use of your professional judgment and discretion. If at anytime a JAC employee encounters a request regarding sensitive agency information from an unauthorized individual (any individual other than those whom you routinely deal with in an administrative office for a specific circuit office and task, i.e., payroll, accounting, benefits, etc.), then the employee shall notify the Public Records Request Coordinator in the Executive Office. When this occurs, the agency or agencies affected will be notified of the request for their agency’s data, per the JAC Public Records Request Policy.

Additionally, no access, discussion or distribution of information between employees relative to any JAC employee is permitted outside of a legitimate business purpose within the scope of the duties of their position.

Any documents or records no longer needed must be properly destroyed by shredding, or by placing the document in a locked proprietary bin (Shred-It Bins) for destruction. The State of Florida retention guidelines, as published in Department of State Schedule GS1-S, should be consulted before disposing of any document.

Disclosures or unauthorized access to confidential or sensitive information, whether intentional or inadvertent, harm the individual’s reputation, the agency’s reputation, as

Rev. 03-2015

well as that of the State. Any violations of this policy will be subject to disciplinary action, up to and including termination.

I have received, read, and understand the “Policy on Confidential and Sensitive Information”.

Employee Signature: ______Date: ______

Employee Name:

Rev. 03-2015

ADDENDUM TO JAC POLICY ON CONFIDENTIAL AND SENSITIVE INFORMATION

The Justice Administrative Commission (JAC) processes financial and personnel transactions for the 20 Offices of the State Attorney, the 20 Offices of the Public Defenders, the 3 Offices of Capital Collateral Regional Counsels, the 5 Offices of Criminal Conflict and Civil Regional Counsels, and the Statewide Guardian ad Litem Program, as well as the JAC itself. The JAC also processes payments for private court- appointed counsel and related due process services providers. As a result, during the course of business JAC receives confidential and exempt information which it is required to maintain confidential. Examples of such information and the law(s) which preserves its confidentiality include:

1. Medical information pertaining to prospective, current, or former employees (ss. 119.071(4)(b)1, 760.50(5), F.S.); 2. Personal identifying information of a dependent child of a current, or former, officer or employee of any agency whose dependent child is insured by the agency’s group insurance plan (s. 119.071(4)(b)2., F.S.) 3. Any information revealing undercover personnel of any criminal justice agency (s. 119.071(4)(c), F.S.); 4. Specific information of active, or former, state attorneys, assistant state attorneys, etc. (s. 119.071(d)2.d.(I) and (II), F.S.); 5. Specific information of active, or former, sworn or civilian law enforcement personnel (s. 119.071(4)(d)2.a.(I) and (II), F.S.); 6. Specific information of current, or former, human resources, employee relations, and assistant directors whose duties include hiring and firing (s. 119.071(d)2.f, F.S.); 7. Specific information of current, or former, Guardians ad Litem (s. 119.071(d)2.h, F.S.); 8. Specific information of current, or former, public defenders, assistant public defenders, criminal conflict and civil regional counsel and assistant criminal conflict and civil regional counsel (s. 119.071(d)2.j., F.S.); 9. Social security numbers (42 U.S.C. s. 405(c)(2)(c)(viii)(I) and s. 119.07(5)(a) and (b), F.S.); 10. Names of authorized financial institutions and the account numbers of the beneficiaries with regard to direct deposit (s.17.076(5), F.S.); 11. Bank account numbers, debit, and credit charge numbers (s. 119.071(5)(b), F.S.); 12. Information part of a criminal defendant’s file [Kight v. Dugger, 574 So. 2d 1066 (1990)]; 13. Chapter 39, F.S., records relating to dependency matters, termination of parental rights, Guardians ad Litem, child abuse, neglect, and abandonment (ss. 39.0132(3), 39.0132(4)(a), F.S.); 14. All information related to the discharge of duties pursuant to Ch. 39, F.S., entitled “Proceedings Related to Children” (s. 39.0132(4)(a)1, F.S.); 15. Information that can be used to identify a minor petitioning a circuit court for a judicial waiver (ss. 390.01114, 390.01116, F.S.);

Rev. 03-2015

16. Information which reveals the identity of a victim of child abuse (s. 119.071(2)(h)1.a., F.S.); 17. Information which reveals the identity of a victim of sexual offense (s. 119.071(2)(h)1.b., F.S.); 18. Information from juvenile delinquency records (ss. 985.04(1), 985.045(2), F.S.); 19. Information related to known, or suspected, cases of tuberculosis or exposure to tuberculosis (ss. 392.545, 392.65, F.S.); 20. Specific information related to Baker Act cases (s. 394.4615(7), F.S.); and 21. Sealed court documents (Rule 2.420, Fla. Rules of Judicial Administration).

Although the list above recognizes the most common types of confidential or exempt information processed or maintained by JAC, it is not comprehensive. From time to time JAC receives and processes information not listed above which is subject to other privacy laws and/or regulations.

For these reasons, please pay special attention to the highly sensitive/confidential information that is found everywhere in our office spaces and on our computers. In order to preserve the confidentiality of the information we process, the JAC will adopt the following procedures.

1. Lock your computer: With regard to your computer, when leaving it unattended please lock your screen by holding your “Windows” key (flag key) down while striking the “L” key; 2. Secure documents with confidential or sensitive information: Each person should have an assigned space to secure documents with confidential or sensitive information. Please contact your supervisor concerning your sections’ policy for securing such documents. Please be sure to secure such materials when out of the office; 3. E-Mail: When sending an e-mail containing confidential, exempt or sensitive information please include the following disclaimer:

This e-mail or any attachments provided may contain confidential information intended for the use of the designated recipients named above. If you are not the intended recipient and have received this e-mail in error, please notify the sender immediately by returning the e-mail and deleting the message and be aware that any review, dissemination, distribution or copying of this communication is strictly prohibited.

Thank you for doing your part to preserve the confidential nature of the information with which JAC has been entrusted.

Rev. 03-2015

Justice Administrative Commission

Employment Security Screening Policy & Procedures

POLICY STATEMENT The Justice Administrative Commission (JAC) is authorized under s. 110.1127, F.S., to conduct employment screening, using Level 2 screening standards, including fingerprinting as a condition of employment and continued employment. This authority calls for the JAC to designate those positions that, because of the special trust or responsibility or sensitive location, require this level of security background investigations. The JAC’s employees have access to confidential or sensitive information, including data accessed through the People First system, FLAIR, CAATS, CCIS, Laserfiche, BOMS, and other databases. Accordingly, it is the JAC’s policy that prospective and current employees submit to a Level 2 background check in order to be eligible for employment or for continued employment at JAC. Any reference to the Executive Director, General Counsel, or Human Resources Director shall include by implication his or her designee. AUTHORITY

Section 110.1127, Florida Statutes Section 112.011, Florida Statutes Chapter 435, Florida Statutes

DEFINITIONS

Level 1 and Level 2 Background Checks are terms used in Florida Statutes to convey the method of the criminal history record check and the extent of the data searched. However, the terms may also refer to certain disqualifying offenses if certain statutes are referenced. The terms “Level 1” and “Level 2” are exclusive to Florida and are not used by the FBI or other states.

• Level 1 generally refers to a state only name-based check AND an employment history check.

• Level 2 generally refers to a state and national fingerprint based check and consideration of disqualifying offenses, and applies to those employees designated by law as holding positions of responsibility or trust.

SCOPE AND COVERAGE

The scope of this policy applies to all prospective and current JAC staff.

BACKGROUND

Section 112.011(a), F.S., states that a person may not be disqualified from state employment solely because of a prior conviction for a crime, except for certain drug offenses. However, the

Rev. 2/2015 Page 1

state may disqualify a person whose prior conviction was for a felony or first-degree misdemeanor and is directly related to the position of employment or position sought.

Furthermore, the State of Florida Employment Application contains the following certification:

I am aware that any omissions, falsifications, misstatements, or misrepresentations above may disqualify me for employment consideration and, if I am hired, may be grounds for termination at a later date. I understand that any information I give may be investigated as allowed by law. I consent to the release of information about my ability, employment history, and fitness for employment by employers, schools, law enforcement agencies, and other individuals and organizations to investigators, human resources staff, and other authorized employees of the Florida state government for employment purposes. This consent shall continue to be effective during my employment if I am hired. I understand that applications submitted for state employment are public records. I certify that to the best of my knowledge and belief all of the statements contained herein and on any attachments are true, correct, complete, and made in good faith.

Procedures for Criminal Convictions/Pleas for JAC Employees and Applicants

1. Review the Type/Level of Criminal Offense a. If NOT a Felony or First Degree Misdemeanor, do not proceed further unless the offense is recent, significant, or determined to be directly related to the employee’s position. If the offense is recent, significant, or directly related to the employee’s position, proceed under 2.c., below. b. If the offense is a Felony or First Degree Misdemeanor, proceed to 2., below.

2. Felony or First Degree Misdemeanor [s. 112.011(1)(a), F.S.] a. If the offense is a disqualifying Felony listed in s. 435.04(2) or (3), F.S., an exemption may NOT be granted under either of the following circumstances: 1) fewer than three (3) years have elapsed since the applicant or employee has been released from confinement, supervision, or sanction for the Felony offense [s. 435.07(1)(a)1., F.S.], or 2) the Felony is one listed in s. 435.07(4)(b), F.S. b. If the offense is a disqualifying Felony or first degree Misdemeanor under s. 435.04(2) or (3), F.S., which qualifies for an exemption under s. 435.07, F.S. (see 2.a., above, for offenses for which an exemption may not be granted):

Rev. 2/2015 Page 2

1) For an Applicant: The Executive Director, General Counsel, and Human Resources (HR) Director shall review the offense using the following considerations and determine whether to consider the Applicant further: a) Period of time that has elapsed since the offense; b) The nature of the offense, including the harm to the victim; c) The applicant’s history since the incident, and; d) The relationship of the offense to the responsibilities of the position.

If it is determined to proceed with consideration of the Applicant for hire, the Applicant is notified in writing of the opportunity to submit a written request for an exemption which must address the four considerations listed above in addition to other considerations which the Applicant believes are relevant.

Upon receipt of the Applicant’s written request, the Executive Director, General Counsel, and HR Director shall review it. The Executive Director shall make the final decision regarding an exemption.

2) For a current Employee: the Employee is notified in writing of the opportunity to submit a written request for an exemption which must address the following considerations that the Employee believes relevant: a) Period of time that has elapsed since the offense; b) The nature of the offense, including the harm to the victim; c) The employee’s history since the incident, and; d) The relationship of the offense to the responsibilities of the position.

The Executive Director, General Counsel, and HR Director shall review the information submitted. The Executive Director shall make the final decision regarding an exemption.

c. If the Felony or first degree Misdemeanor is NOT a disqualifying felony or first degree misdemeanor as listed in s. 435.04(2) or (3), F.S., the Executive Director, General Counsel, and HR Director shall review the following information: 1) Period of time that has elapsed since the offense; 2) The nature of the offense, including the harm to the victim; 3) The applicant’s employment and other history (i.e., rehabilitation, etc.) since the incident, and; 4) The relationship of the offense to the responsibilities of the position.

Rev. 2/2015 Page 3

After consultation with the General Counsel and HR Director, the Executive Director shall make the final decision regarding employment.

3. Refusal to Submit to Fingerprinting a. For a current Employee – will result in termination. b. For a prospective Employee – will result in any offer made being retracted.

4. Employee Responsibility Regarding Reporting Arrest An employee must inform his or her immediate supervisor of any arrest that occurs during the employee’s tenure with the JAC within one (1) business day of the event. An employee must inform his or her immediate supervisor of any conviction, adjudication of guilt withheld, or other final disposition within two (2) business days of the event. The supervisor shall immediately consult with the HR Director. Failure to comply with these reporting requirements may result in the employee’s termination.

5. Failure to Disclose Criminal Offense a. If a criminal history background check reveals any criminal history, this history shall be compared by the HR Director to the application submitted by the prospective or current employee. b. Any false or misleading answers or omissions made on the employment application can serve as sufficient grounds for rejection of a prospective employee or immediate termination for a current employee. c. The prospective or current employee shall be afforded an opportunity to provide to the Executive Director, General Counsel, and HR Director an explanation or other input (including a challenge to the accuracy or completeness of the information) before a final determination is made. d. The nature of the failure to disclose (whether knowing or innocent) may be considered in addition to the factors set forth above.

NOTE: Related correspondence and the results of criminal history background checks are confidential, must always be treated as such, and will be maintained in a file separate from the employee’s personnel file.

Rev. 2/2015 Page 4

THE JUSTICE ADMINISTRATIVE COMMISSION OF THE STATE OF FLORIDA

EMPLOYEE HANDBOOK

REVISED MAY 1, 2019 Contents A WORD FROM THE EXECUTIVE DIRECTOR ...... 5 HISTORY OF THE JUSTICE ADMINISTRATIVE COMMISSION ...... 6 PURPOSE ...... 7 THE JAC ON-LINE ...... 7 I. COMPENSATION ...... 8 A. Compensation for Hours Worked and Overtime ...... 8 B. Rate of Pay ...... 9 C. Dual Employment and Dual Compensation within State Government ...... 9 D. Employment Outside State Government ...... 10 E. Earnings Information ...... 10 F. Direct Deposit ...... 10 II. STATE GROUP INSURANCE PROGRAM BENEFITS ...... 11 A. Health Insurance ...... 11 B. Life Insurance ...... 12 C. Supplemental Insurance ...... 12 D. Flexible Spending Accounts ...... 13 E. Healthcare Flexible Savings Accounts ...... 13 F. Dependent Care Flexible Savings Account ...... 13 G. Consolidated Omnibus Budget Reconciliation Act of 1986 ...... 14 H. Continuation of Health and Life Coverage for Retirees ...... 14 I. Continuation of Health Insurance Coverage for Surviving Spouses ...... 15 III. OTHER STATE SPONSORED BENEFITS AND PROGRAMS ...... 16 A. Deferred Compensation ...... 16 B. Florida State Employees’ Charitable Campaign ... Error! Bookmark not defined. C. Reemployment Assistance ...... 16 D. Voluntary Insurance Plans through Payroll Deduction ...... 16 E. Workers Compensation ...... 16 F. Tuition Waiver Program ...... 17 IV. ATTENDANCE AND LEAVE ...... 18 A. Attendance ...... 18 B. Work Schedules ...... 18 C. Employee Attendance and Leave Reporting ...... 19 D. Holidays ...... 19 E. Miscellaneous Leave Provisions ...... 20 Annual Leave Accrual ...... 21 Annual Leave Accrual for Management Positions ...... 21 G. Sick Leave...... 21 H. Sick Leave Pool and Transfer Plan ...... 22 I. Leave Payment upon Separation from Service ...... 24 J. Administrative Leave ...... 24 K. Disability Leave ...... 25 L. Family and Medical Leave Act ...... 25 M. Military Leave ...... 26 N. Unauthorized Leave ...... 27 V. RETIREMENT...... 28 A. FRS Pension Plan ...... 28 Disability Retirement ...... 29 Survivor Benefits ...... 29 Deferred Retirement Option Program ...... 30 B. FRS Investment Plan ...... 30 Disability Retirement ...... 31 Survivor Benefits ...... 31 C. Retiree Health Insurance Subsidy Program ...... 32 E. Reemployment ...... 33 VI. TRAINING ...... 34 Required Training ...... 34 EEO/AA ...... 34 Harassment ...... 34 Anti-Fraud ...... 34 VII. GENERAL INFORMATION ...... 36 A. Personal Appearance/Dress Code ...... 36 B. Parking ...... 36 C. Smoking Policy ...... 36 D. Social Media ...... 36 E. Email Etiquette ...... 38 F. Information Technology ...... 38 Appropriate Use ...... 38 Information Security/Passwords ...... 39 Proprietary Software Act ...... 40 G. Travel ...... 40 H. Use of Privately-Owned Vehicle ...... 40 I. Use of Seat Belts ...... 41 J. Common Areas – Break Rooms ...... 41 K. Telework ...... 41 L. Visitors to Justice Administrative Commission ...... 41 M. Children at the Workplace ...... 42 N. Employee Identification Card...... 42 O. JAC Main Telephone Number ...... 43 VIII. EMPLOYEE RELATIONS ...... 43 A. Employee Assistance Program (EAP) ...... 43 B. Drug-Free Workplace ...... 43 C. Violence in the Workplace ...... 44 D. Domestic and Sexual Violence ...... 44 E. Harassment ...... 44 F. Whistle-Blower’s Act of 1986 ...... 44 G. E-Verify ...... 45 H. Code of Ethics for Public Officers and Employees ...... 45 Employee Relationships with Regulated Entities ...... 45 Nepotism/Employment of Relatives ...... 45

Gift Policy ...... 46 Gift Policy Procedures ...... 47 I. Political Activities ...... 47 J. Performance Management ...... 47 K. Oath of Loyalty ...... 48 L. Personnel and Medical Records ...... 48 M. Public Records, Confidentiality, and Proper Record Disposal ...... 48 N. Workplace Enhancement Team ...... 49 IX. STANDARDS OF CONDUCT...... 50 A. Disciplinary Standards ...... 50 B. Disciplinary Actions ...... 52 C. Disciplinary Investigations ...... 54 D. Distribution ...... 54 E. Grievance and Appeal Rights ...... 54 X. Employment Laws ...... 55 A. Americans with Disabilities Act ...... 55 B. Equal Employment Opportunity ...... 55 C. Florida Commission on Human Relations ...... 55 D. Fair Labor Standards Act ...... 55 E. Genetic Information Non-Discrimination Act of 2008 ...... 56 F. Veterans’ Preference ...... 56 CONTACT INFORMATION ...... 57 ACKNOWLEDGEMENT OF RECEIPT ...... 58

Cybersecurity

Section 282.318(4)(i), F.S., requires all newly hired employees to complete cybersecurity training within thirty (30) days of hire.

CCIS User Guide What is CCIS?

. Comprehensive Case Information System . Your one place to look up and verify case information for the State of Florida. . You can search by defendant name or case number. . CCIS must only be used for JAC business. You may not use CCIS for personal business. Inappropriate CCIS access and use is cause for disciplinary action. – Fla. Stat. 815.04(3)(a)(b) – JAC Employee Handbook & JAC’s Fraud and Confidential and Sensitive Information policies

2 Creating a user

. Before a user is given access to CCIS, he or she must read the documentation and provide the signed CCIS Security Agreement Form to the CCIS Administrator. . The Administrator will create your account and user name. CCIS will email you directly so that you can create your password. . When you sign the Security Agreement, you acknowledge that you will not use CCIS for any other business except for JAC business.

3 CCIS Home screen

4 Using CCIS

. CCIS is best used in Chrome. . On your first sign in, click the “Remember Me” box, and you will not have to re-enter your user name and password. . All activity is recorded and retained by CCIS in audit files and tracked by User Name. You are responsible for all activity recorded with your credentials. For this reason, do not share your username or password.

5 A new search

. To execute a new search, click on the browser’s back arrow or hover over the Search menu at the top and select Person Search or Case Search. . If you click the back arrow, the search criteria you entered will still be on the search screen. . If you click on Person Search or Case Search, the screen will be refreshed, and the fields will be blank.

6 Search by case number

. In most instances, it will be more efficient to do a case search because JAC receives documents tied to a particular case number (such as orders of appointment and charging documents). . Click the Case Search tab or Hover over Search and click on Case Search. . You must enter the county, year, court type, and sequence #. . If the information you entered matches a case, the docket will come up.

7 8 9 10 “Pulling documents” from CCIS

. While performing a case search, it may be necessary to “pull documents” from CCIS. This simply means to download documents from CCIS that JAC does not have but needs. . For example, if a case in our system lacks the charging document, it can be pulled from CCIS. . Not all counties scan documents into CCIS. For example, Miami-Dade does not. If a document is available for download, you will see a yellow page icon next to the docket number.

11 Searching within a docket

. Searching within a docket is useful when the docket is long, complicated, or not in any specific order. . On your keyboard and while Chrome is your “selected window,” hold Ctrl + F. This will bring up the “Find” function in Chrome. A box in the upper right corner will appear. . Type a search word(s) to help you locate what you are looking for, e.g., “Information,” “Sentence,” “withdraw,” “Notice of Appearance,” etc.

12 13 14 Search by defendant name

. When the case number is unknown or incorrect, it may be possible to do a CCIS search by defendant name to determine the applicable case number. It can also be helpful when a defendant has multiple cases, particularly for indigent for costs (IFC) cases. . Type the last name, first name, and middle initial (if known). Entering a birthdate will help narrow the search results. . Select the county or counties from the list on the right. . Then click search.

15 16 . Person search fields

17 Person Search – Case List Screen

. On this screen, you will be able to find the cases for the defendant name you searched. . From here you can click on the case numbers to find the dockets.

18 19 Questions . . .

FLORIDA ASSOCIATION OF COURT CLERKS AND COMPTROLLER COMPREHENSIVE CASE INFORMATION SYSTEM SECURITY USER AGREEMENT/APPLICATION

I, the undersigned, hereby certify that I am an employee of the following agency:

Justice Administrative Commission Employing Agency

User Name

Job Title

Agency Address: 227 North Bronough Street, Suite 2100 Tallahassee, Florida 32301______

As a user of the web-based Comprehensive Case Information (CCIS) portal, I acknowledge that I will have access to statewide data or court records, some of which are considered sensitive under Florida law, or which are or may be made confidential or exempt from public disclosure by Florida or federal law, court rule, or court order.

As a government employee user, by signing this agreement I acknowledge and understand the following:

. My access to CCIS is subject to the Florida Computer Crimes Act, Section 815.04(3)(a)(b), Florida Statutes, which addresses the unauthorized modification, destruction, disclosure (except as to public records) or taking of information resources, for those computer programs, systems and data protected by the act. . That my access to CCIS data and information is limited to that data or information made available to the category of user based on my employing agency and job title, pursuant to Florida or Federal law or court rule, and under no circumstance shall I be allowed access to data or information that is otherwise confidential or exempt from public disclosure under Florida or federal law, court rule, or court order. . That I will maintain the confidentiality and prevent the unauthorized disclosure of any data or information I access or obtain from CCIS that is confidential or exempt from public disclosure under Florida or federal law or court rule. . That I have read the CCIS Security Policy and will abide by this policy when using CCIS

As the user, I understand that a security violation may result in criminal prosecution according to the provisions of Chapter 815, Florida Statutes. Information accessed from the CCIS site is for use in the ordinary course of official business and I will ensure that access to CCIS or any of its systems, modules, data or information is not gained, obtained or used by unauthorized users by taking the following actions and security measures:

1 . I will safeguard my user login and password and not permit any unauthorized user to use my login and password. . I will not use CCIS other than for official business. . I will log off the system after each use, taking precautionary measures to ensure unauthorized users do not have ability to view computer monitor. . I will not sell any data or information obtained from CCIS to any person, entity or governmental agency, without the express written permission of the Florida Association of Court Clerks and Comptroller (FACC). . I will ensure use of CCIS site is conducted in a legal manner.

I have read the above statements and have obtained a copy of the Computer Related Crimes Act, Chapter 815, Florida Statutes. My signature below indicates I understand the policy and agree to the above terms and conditions of use.

______Signature Date

_(850) 488-2415______(850) 488-8944____ Phone Number Fax Number Email Address

Approved by Agency CCIS Administrator ______Signature Date

Upon receipt of the above Agreement/Application and review and validation of the information the user will be notified by e-mail, as provided above, the login for access to CCIS at the appropriate access level.

Approved by CCIS Project Committee 01/25/06

Agenda Item VI C. Office of Criminal Conflict and Civil Regional Counsel

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix

Email completed form to Lakisha Hall at [email protected]

Contact Person Name Candi Powell Contact Person Phone (407) 389-5131 Regional Conflict Contact Person Email [email protected] Agency Name Counsels County ALL Circuit ALL

1. Describe in detail the change(s) you are requesting to the Standards for Access to Electronic Court Records and/or the Access Security Matrix. The Offices of Criminal Conflict and Civil Regional Counsel are PRESUMED TO BE APPOINTED AS THE ATTORNEY OF RECORD on all criminal cases in which an Office of the Public Defender is unable to represent an indigent client due to a legal conflict of interest pursuant to F.S. 27.511. Additionally, and equally as important, the Regional Counsels are PRESUMED TO BE APPOINTED AS THE ATTORNEY OF RECORD and the primary court-appointed attorney of record for a host of civil cases enumerated in F.S. 27.511 (6) (a).

Through the implementation of ASM 8 the Regional Counsels lost significant access to critical criminal and civil records in CCIS. THIS IS NOT CURED BY A COURT ORDERED APPOINTMENT OF COUNSEL. Further, the implementation of Role 13 for the Offices of Criminal Conflict and Civil Regional Counsel, in its current form, will not restore the Regional Counsels’ access to what is absolutely necessary to carry out constitutional and statutorily mandated duties. Role 13 in ASM v9 does not give Regional Counsels proper access to criminal cases, and only gives access to a limited number of civil case types.

It is imperative the Regional Counsels receive “B Level” access to all case types provided in the attached documentation. 2. Cite the statute or rule which authorizes or prohibits the access you are requesting. In criminal cases, the Offices of Criminal Conflict and Civil Regional Counsel are PRESUMED BY STATUTE TO BE APPOINTED AS ATTORNEY OF RECORD when one of Florida’s 20 Offices of Public Defender withdraws from a criminal case pursuant to F.S. 27.511(5)(a), F.S., and F.S. 27.511(5)(b). Pursuant to F.S. 27.511(5) does not enumerate each criminal case type, but specifically provides that when a court grants the public defender’s motion to withdraw, the Offices of Criminal Conflict and Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 1 Civil Regional Counsel SHALL BE APPOINTED and shall provide legal services to indigent people charged with any felony, a misdemeanor being prosecuted by a state attorney, any traffic violation punishable by imprisonment, including juvenile delinquency.

Further, pursuant to 27.511 6(a), in certain civil cases the Offices of Criminal Conflict and Civil Regional Counsel are the first and primary appointment and PRESUMED TO BE APPOINTED to persons entitled to court-appointed counsel under the Federal or State Constitution or as authorized by general law in civil proceedings, including, but not limited to, proceedings under F.S. 393.12 and chapters 39, 392, 397, 415, 743, 744, and 984 and proceedings to terminate parental rights under chapter 63. We have provided a copy of an abbreviated portion of F.S.27.511 for your convenience. Please see exhibit A. 3. Describe in detail how access was gained prior to the implementation of the Access Security Matrix. Prior to the implementation of Version 8 of the Access Security Matrix, and for the past 14 years, the Regional Counsels have had "B Level" access to all of the case types through CCIS in which the agencies are appointed to as the attorney of record. The Regional Counsels also had access to warrants and orders to show cause in CCIS. 4. Attach a markup copy of the changes you are requesting to be implemented to the Standards for Access to Electronic Court Records and/or the Access Security Matrix. Please see Exhibit B. 5. Attach documentation describing in detail internal protocols for protecting and accessing confidential information. Please see Exhibit C.

FOR ACCESS GOVERNANCE BOARD USE ONLY Decision Approved Denied Approved with More info conditions requested Reason for Denial Specific Conditions for Approval Reason for More Information Request Date

Title V Chapter 27 View Entire

JUDICIAL STATE ATTORNEYS; PUBLIC Chapter BRANCH DEFENDERS; RELATED OFFICES

27.511 Offices of criminal conflict and civil regional counsel; legislative intent; qualifications; appointment; duties.—

(5) When the Office of the Public Defender, at any time during the representation of two or more defendants, determines that the interests of those accused are so adverse or hostile that they cannot all be counseled by the public defender or his or her staff without a conflict of interest, or that none can be counseled by the public defender or his or her staff because of a conflict of interest, and the court grants the public defender’s motion to withdraw, the office of criminal conflict and civil regional counsel shall be appointed and shall provide legal services, without additional compensation, to any person determined to be indigent under s. 27.52, who is:

(a) Under arrest for, or charged with, a felony;

(b) Under arrest for, or charged with:

1. A misdemeanor authorized for prosecution by the state attorney;

2. A violation of chapter 316 punishable by imprisonment;

3. Criminal contempt; or

4. A violation of a special law or county or municipal ordinance ancillary to a state charge or, if not ancillary to a state charge, only if the office of criminal conflict and civil regional counsel contracts with the county or municipality to provide representation pursuant to ss. 27.54 and 125.69.

The office of criminal conflict and civil regional counsel may not provide representation pursuant to this paragraph if the court, prior to trial, files in the cause an order of no imprisonment as provided in s. 27.512;

(d) Sought by petition filed in such court to be involuntarily placed as a mentally ill person under part I of chapter 394, involuntarily committed as a sexually violent predator under part V of chapter 394, or involuntarily admitted to residential services as a person with developmental disabilities under chapter 393;

(e) Convicted and sentenced to death, for purposes of handling an appeal to the Supreme Court;

(f) Appealing a matter in a case arising under paragraphs (a)‐(d); or

(g) Seeking correction, reduction, or modification of a sentence under Rule 3.800, Florida Rules of Criminal Procedure, or seeking postconviction relief under Rule 3.850, Florida Rules of Criminal Procedure, if, in either case, the court determines that appointment of counsel is necessary to protect a person’s due process rights. (6)(a) The office of criminal conflict and civil regional counsel has primary responsibility for representing persons entitled to court‐appointed counsel under the Federal or State Constitution or as authorized by general law in civil proceedings, including, but not limited to, proceedings under s. 393.12 and chapters 39, 392, 397, 415, 743, 744, and 984 and proceedings to terminate parental rights under chapter 63. Private court‐appointed counsel eligible under s. 27.40 have primary responsibility for representing minors who request counsel under s. 390.01114, the Parental Notice of and Consent for Abortion Act; however, the office of criminal conflict and civil regional counsel may represent a minor under that section if the court finds that no private court‐appointed attorney is available.

(b) If constitutional principles or general law provide for court‐appointed counsel in civil proceedings, the court shall first appoint the regional counsel unless general law specifically provides for appointment of the public defender, in which case the court shall appoint the regional counsel if the public defender has a conflict of interest.

(c) Notwithstanding paragraph (b) or any provision of chapter 744 to the contrary, when chapter 744 provides for appointment of counsel, the court, in consultation with the clerk of court and prior to appointing counsel, shall determine, if possible, whether the person entitled to representation is indigent, using the best available evidence.

1. If the person is indigent, the court shall appoint the regional counsel. If at any time after appointment the regional counsel determines that the person is not indigent and that there are sufficient assets available for the payment of legal representation under s. 744.108, the regional counsel shall move the court to reassign the case to a private attorney.

2. If the person is not indigent or if the court and the clerk are not able to determine whether the person is indigent at the time of appointment, the court shall appoint a private attorney. If at any time after appointment the private attorney determines that the person is indigent and that there are not sufficient assets available for the payment of legal representation under s. 744.108, the private attorney shall move the court to reassign the case to the regional counsel. When a case is reassigned, the private attorney may seek compensation from the Justice Administrative Commission for representation not recoverable from any assets of the person in an amount approved by the court as a pro rata portion of the compensation limits prescribed in the General Appropriations Act.

(d) The regional counsel may not represent any plaintiff in a civil action brought under the Florida Rules of Civil Procedure, the Federal Rules of Civil Procedure, or federal statutes, and may not represent a petitioner in a rule challenge under chapter 120, unless specifically authorized by law.

(7) The court may not appoint the office of criminal conflict and civil regional counsel to represent, even on a temporary basis, any person who is not indigent, except to the extent that appointment of counsel is specifically provided for in chapters 390, 394, 415, 743, and 744 without regard to the indigent status of the person entitled to representation.

Exhibit B

MATRIX USER ACCESS PERMITTED USER SECURITY ROLES REQUIREMENTS All records except those that Secure access through are expunged or sealed; access useman1eand password by may be denied to records or written notarized infom1ation automatically agree1nent. The gatekeeper confidential under nlle is responsible for 2.420(d)(l ), Fla. R. Jud. maintaining authorized user Admin., or made confidential list. by court order, depending upon the type of case and the Each regional counsel must language of the court order. establish written 12olicies to User Role 13 ensure that access to Office of The Office of Criminal confidential records and Criminal Conflict and Conflict and Civil Regional information is limited to Civil Regional Counsel Counsel (OCCCRC) is those individuals who (Institutional Access considered the a �on1e� of regmre access 111 only) record at a party's first 12erfonnanceof their official appearance in civil proceedings duties. listed in §27.511(6), F.S., and in criminal proceedings is entitled to appointment as attorney of recor -1upon the Public Defender's declaration of conflict in case types listed in §27.511(5), F.S.

Access will be changed to User Role 6 when the OCCCRC is no longer the attorney of record or another attorney is assigned.

Access Security Matrix Exhibit D (November 2020 v9)

User Role (Subscribers) Key to access codes ***VOR Statute List (F.S.): Regional Cousnel 787, 794, 796, 800, 825, 827, 847, 921 VOR is at the case level Authority by Case Type A = All but expunged, or sealed under Ch. 943, F.S. ***Viewable on Request (VOR) - to ensure that information is properly removed prior to public B = All but expunged, or sealed under Ch. 943, F.S., or sealed under Fla. R. access, some case types and document types have a special electronic security called viewable Jud. Admin. 2.420 on request. Selecting an image of a court document in cases or documents coded viewable on C = All but expunged, or sealed under Ch. 943 and sealed under request will not allow the user to view the record at that point. Instead, a request is generated to a Fla. R. Jud. Admin. 2.420, or confidential clerk, who performs a second examination of the document to remove personal identification D = All but expunged, sealed or confidential; record images information and information about the victims of sexual or child abuse crimes. After the clerk has viewable upon request completed, the requestor then receives a notice that the document is available for viewing. Once a E = Case number, party names, dockets only document has been requested and reviewed, it is available for all future access without requiring a F = Case number and party names only request/review. G = Case number only H = No access 13. Office of Criminal Conflict and Civil Regional Civil and Conflict Criminal of Office 13. Counsel (Institutional Access only) 3. Attorneys of Record Case - Charge/Filing Description PRIVACY UCN Applicable rules and statutes Applicable rules and statutes County Criminal Appeals P B B AP Rule 2.420(d) & (f) s. 27.511(5)(b)1. County Criminal Appeals Sexual Abuse VOR B B AP Rule 2.420(d) & (f), §119.071(2)(h), F.S., Chs. 794, 796, 800, 827 & 847, F.S. s. 27.511(5)(b)1. County Civil Appeals P B C AP Rule 2.420(d) Circuit Civil P B C CA Rule 2.420(d) & Rule 1.210 Jimmy Ryce Act VOR B B CA Rule 2.420(d), Chapter 119, F.S.& § 394.921(1)&(2), F.S. s. 27.511(5)(d) Mortgage Foreclosure P B C CA Rule 2.420(d) & Rule 1.210 Circuit Civil Private (Sexual Abuse & Medical Malpractice) VOR B D CA Rule 2.420(d)(1)(B)(xiii), §§119.071(2)(h), 119.0714(1)(h), & 28.2221(5)(a), F.S. Circuit Civil - Trusts (Pre 2010) P B C CA Rule 2.420(d)(1)(B); Chapter 119, F.S. & §28.2221(5)(a), F.S. County Civil P B C CC Rule 2.420(d) & Rule 1.210 Felony PBB CF Rule 2.420(d) & Chapter 119, F.S. s. 27.511(5)(a) Felony - sexual cases VOR B B CF Rule 2.420(d)(1), §119.071(2)(h)1.b or c, F.S., Chs. 794, 796, 800, 827, & 847, F.S. s. 27.511(5)(a) Juvenile Delinquency P B B CJ §§985.04(1) & (2), 985.045(2), 985.036(1) & 985.11(3), F.S. s. 27.511(5)(c) County Ordinance Infractions P B B CO Rule 2.420 s. 27.511(5)(b)4. and s. 125.69(2) County Ordinance - Arrests P B B CO Rule 2.420 s. 27.511(5)(b)4. and s. 125.69(2) Probate Formal Administration P D D CP Rule 2.420; §§28.2221(5)(a) & 733.604 (b), F.S. Probate Other P B D CP Rule 2.420; §§28.2221(5)(a) & 735.201-302, F.S. Criminal Traffic P B B CT Rule 2.420(d) & (f) s. 27.511(5)(b)2. Juvenile Dependency P B B DP Rule 2.420(d), §§39.0132(3)&(4)(a), 39.822(3) & 27.511(6)(a), F.S. Juvenile Truancy P B B DP §984.06(3) & §27.511(6)(a), F.S. Domestic Relations PBB DR Rule 2.420(d), §§28.2221(5)(a), 61.043(1), 68.07, 382.025(1), 382.0195(1), 409.2563(2)(d) & s. 27.511(6)(a) 742.011, F.S. Domestic Relations Adoption (FINAL) P D B DR §§63.162(1)(2) & 63.022(4)(i), F.S. s. 27.511(6)(a) DR Adoption (while open and pending) P B B DR §§63.162(1)(2), 63.022(4)(i), & 27.511(6)(a), F.S. Domestic Relations - Paternity - sealed P F F DR §§742.011, 742.091, 742.16(9), 742.031(1), & 28.2221(5)(a), F.S. DR Violence Injunctions (all) Before Service C B G DR Rule 2.420(d)(1)(B)(xxiii), §§119.0714(1)(k)3 & 28.2221(5)(a), F.S. DR Violence Injunctions (all but sexual) After Service P B B DR Rule 2.420(d)(1)(B)(xxiii), §§119.0714(1)(k)3 & 28.2221(5)(a), F.S. s. 27.511(6)(a) Parental Notice of Abortion VOR B B DR Rule 8.805(b), Rule 8.835, Rule 2.420(d)(1)(B)(vii), §§390.01114(4)(e) & 390.01116, F.S. s. 27.511(6)(a) Sexual Violence After Service VOR B D DR Rule 2.420(d)(1)(B)(xiii) & (f), §119.071(2)(h)1 (b) or (c), F.S. Termination of Parental Rights P B B DR §§39.814(3) & (4), 39.822(3) & 27.511(6)(a), F.S. Extradition VOR B D CF Rule 2.420(d) & (f) Guardianship/Guardian Advocate (Developmental Disabilities) P B B GA §§744.1076, 744.3701, 393.12 & 27.511(6)(a), F.S. Guardianship Miscellaneous/Professional Guardian P B B GA §§744.1076, 744.3701, 744.2003 & 27.511(6)(a), F.S. Non-Criminal Infractions P B C IN Rule 2.420(d) Juvenile Miscellaneous P B B DP §§985.04(1) & (2), 985.045(2) & 27.511(6)(a), F.S. Miscellaneous Firearms P B B MM Rule 2.420(d), §§119 & 790.065(4), F.S. s. 27.511(5)(b)1. Mental Health Miscellaneous P B B MH Rule 5.900, §§393.11, 765.105, 916.107(3)(a), & 415.1051, F.S. s. 27.511(5)(d), s. 27.511(6)(a), Baker Act C B B MH Rule 2.420(d), §§394.459(8) & 394.4615, F.S. and s. 27.511(7) Substance Abuse - Assessment/Treatment C B B MH Rule 2.420(d), §§397.501(7), 397.6760 & 27.511(6)(a), F.S. Tuberculosis/STD Treatment/Other Confidential P B B MH §§392.55, 384.27 & 27.511(6)(a), F.S. Incapacity P B B MH Rule 2.420(d), §§744.3701, & 27.511(6)(a), F.S. Misdemeanor P B B MM Rule 2.420(d) s. 27.511(5)(b)1. Misdemeanor - sexual cases VOR B B MM Rule 2.420(d) & §119.071(2)(h), F.S. s. 27.511(5)(b)1. Municipal Ordinance Infraction P B B MO Rule 2.420(d) s. 27.511(5)(b)4. and s. 125.69(2) Municipal Ordinance Arrest P B B MO Rule 2.420(d) s. 27.511(5)(b)4. and s. 125.69(2) Misdemeanor-Misc VOR B B MM Rule 2.420(d) s. 27.511(5)(b)1. Parking PBB CO Rule 2.420(d) s. 27.511(5)(b)1. Access Security Matrix (November 2020 v9)

User Role (Subscribers) Key to access codes ***VOR Statute List (F.S.): 787, 794, 796, 800, 825, 827, 847, 921 VOR is at the case level A = All but expunged, or sealed under Ch. 943, F.S. ***Viewable on Request (VOR) - to ensure that information is properly removed prior to public B = All but expunged, or sealed under Ch. 943, F.S., or sealed under Fla. R. access, some case types and document types have a special electronic security called viewable Jud. Admin. 2.420 on request. Selecting an image of a court document in cases or documents coded viewable on C = All but expunged, or sealed under Ch. 943 and sealed under request will not allow the user to view the record at that point. Instead, a request is generated to a Fla. R. Jud. Admin. 2.420, or confidential clerk, who performs a second examination of the document to remove personal identification D = All but expunged, sealed or confidential; record images information and information about the victims of sexual or child abuse crimes. After the clerk has viewable upon request completed, the requestor then receives a notice that the document is available for viewing. Once a E = Case number, party names, dockets only document has been requested and reviewed, it is available for all future access without requiring a F = Case number and party names only request/review. G = Case number only H = No access 13. Office of Criminal Conflict and Civil Regional Civil and Conflict Criminal of Office 13. Counsel (Institutional Access only) 3. Attorneys of Record Case - Charge/Filing Description PRIVACY UCN Applicable rules and statutes Small Claims P B D SC Rule 2.420(d) Traffic Infractions P B B TR Rule 2.420(d) s. 27.511(5)(b)2. Any case marked sealed S G G Any case that has a SEALED Privacy at the case level Any expunged case E H H Any case that has an EXPUNGED Privacy at the case level Sealed Family Law Case S B G Case by case basis giving Party/Attorney access

Agenda Item VI D. Agency for Persons with Disabilities Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix

Email completed form to Lakisha Hall at [email protected]

Contact Person Name Meghan Kirkley Contact Person Phone (850) 414-7787 Agency for Persons with Contact Person Email [email protected] Agency Name Disabilities County Leon Circuit

1. Describe in detail the change(s) you are requesting to the Standards for Access to Electronic Court Records and/or the Access Security Matrix. This is a formal request to update the Access Security Matrix to allow the Agency for Persons with Disabilities, whose role is currently labeled "General Government and Constitutional Officers" to include level 'C' (All but expunged, or sealed under Ch. 943 and sealed under Fla. R. Jud. Admin 2.420, or confidential) access to juvenile delinquency cases.

2. Cite the statute or rule which authorizes or prohibits the access you are requesting. Sections 393.0655(5), F.S. Also, 435.04(2), F.S., which states, "The security background investigations under this section must ensure that no persons subject to the provisions of this section have been arrested for and are awaiting final disposition of, have been found guilty of, regardless of adjudication, or entered a plea of nolo contendere or guilty to, or have been adjudicated delinquent...... "

3. Describe in detail how access was gained prior to the implementation of the Access Security Matrix. Unfortunately, I am not aware of when or how access was initially granted. Statutory changes resulted in the need for the requested viewing access, thus these records have not always been required. There was a period of time, prior to the recent Matrix levels system update, in which APD staff members were able to view these records. As of today, we no longer have access to these records.

4. Attach a markup copy of the changes you are requesting to be implemented to the Standards for Access to Electronic Court Records and/or the Access Security Matrix.

5. Attach documentation describing in detail internal protocols for protecting and accessing confidential information. Please see attached agency operating procedures. Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 1

FOR ACCESS GOVERNANCE BOARD USE ONLY Decision Approved Denied Approved with More info conditions requested Reason for Denial Specific Conditions for Approval Reason for More Information Request Date

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 2

a~ ogene - --~s s · h d sa 11 res State of Florida

Short Title: Confidential Information APD Policy 6-0010 Policy New Policy: 1m Established Policy: 0 New Procedure: 0 Established Procedure:O Full Title: Policy to provide guidance on Authorized Signature: the authorized use and disclosure of confidential information 'f~Of+D Owner: Information Security Manager, Effective Date';'?/; ojc;

Table of Contents I. Purpose: ...... 1 II. Authority/Reference(s): ...... 1 Ill. Scope: ...... 2 IV. Policy: ...... 2 V. Definitions: ...... 3 VI . Procedures: ...... 4 VII. Enforcement: ...... 4 VIII . Revision/History: ...... 4

I. Purpose:

The purpose of this policy is to provide guidelines for use and handling of exempt and confidential and exempt information. The Agency for Persons with Disabilities (hereinafter referred to as "Agency") information technology resources are valuable assets, the confidentiality, integrity, and availability of which must be protected .

II. Authority/Reference(s):

71A-1 .006, Florida Administrative Code Chapter 119, Florida Statutes Section 282.318, Florida Statutes Section 2 86. 011, Florida Statutes

Page 1 of 4 45 CFR Parts 160, 162 and 164 (Health Insurance Portability and Accountability Act [HIPAA])

Ill. Scope:

This policy applies to all Agency workforce members, including all personnel affiliated with third parties, who have access to confidential information through their business relationship with the Agency.

IV. Policy:

1. Agency workforce members shall exercise due diligence to protect exempt, and confidential and exempt information by using appropriate administrative, technical, and physical controls. It is the responsibility of each member of the Agency workforce to maintain security for all formats of confidential information.

2. Agency information owners shall be responsible for authorizing access to confidential and exempt information.

3. Confidential information shall be accessible only to authorized individuals.

4. The Agency Information Security Manager, Inspector General, Internal Audit, General Counsel or other authorized personnel shall be granted access to audit logs containing accountability details for review.

5. Agency workforce members shall exercise due diligence to protect exempt, and confidential and exempt information by using appropriate administrative, technical, and physical controls.

6. The agency shall maintain a reference list of exempt, and confidential and exempt agency information or software and the associated applicable state and federal statutes and rules.

7. The agency shall identify agency information and software that is exempt, or confidential and exempt, under provisions of applicable Florida law or federal law and rules.

8. Agency information owners are responsible for identifying exempt, and confidential and exempt information.

9. Exempt, and confidential and exempt information, regardless of format, shall be labeled as such to the extent possible.

Page 2 of 4 10. Procedures for handling and protecting exempt, and confidential and exempt information shall be referenced in the agency operational information security plan and documented in a policy that is reviewed and acknowledged by all agency staff.

11.Agency workforce members shall encrypt exempt, and confidential and exempt information sent by e-mail.

12.Agency workforce members shall encrypt electronic transmission of exempt, and confidential and exempt information when the transport medium is not owned or managed by the Agency.

13. Agency workforce members shall ensure that all passwords are unreadable during transmission and storage using appropriate encryption technology.

14. Mobile computing devices used with exempt, or confidential and exempt information must be encrypted.

15. Mobile storage devices with exempt, or confidential and exempt Agency data must have encryption technology enabled such that all content resides encrypted .

16. For systems containing exempt, or confidential and exempt data, the Agency shall ensure written agreements and procedures are in place to ensure proper security for sharing, handling or storing confidential data with entities outside the agency.

17. The Agency shaH destroy exempt, and confidential and exempt information when authorized by the applicable retention schedule, regardless of media type.

V. Definitions:

1. Confidentiality: the principle that information is accessible only to those authorized .

2. Confidential information and/or confidential data: information which is protected by law from disclosure and not subject to inspection by the public, but which may be released only to those persons and entities authorized by Florida Statute or federal law.

3. Exempt information: information which when contained in a record is not subject to disclosure under the public records law (Section 119.07(1 ), Florida Statutes) or public meetings law (Section 286.011, Florida Statutes).

Page 3 of 4 4. Information owner. the manager of the business unit ultimately responsible for the collection, maintenance, and dissemination of a specific collection of information.

5. Mobile computing device: a portable device that can process data (e.g. , laptop, personal digital assistant, certain media players and cell phones).

6. Mobile device: a general term describing both mobile computing and mobile storage devices.

7. Mobile storage device: portable data storage media including external hard drives, thumb drives, floppy disks, recordable compact discs (CD-RIRW), recordable digital videodiscs (DVD-R/RW), or tape drives that may be easily attached to and detached from computing devices.

8. Workforce: employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency.

VI. Procedures:

Not applicable.

VII. Enforcement:

Any APD workforce members found to have intentionally violated this policy may be subject to disciplinary action, up to and including termination of employment. Non-APD employees and contractors are directly responsible for damages as a direct result of policy violation. Intentional and non-intentional violation may result in termination of service and revocation of contract.

VIII. Revision/History:

January 13, 2015: John Collins, Information Security Manager

Page 4 of 4

Short Title: CJIS Security Compliance Policy/Operating Procedure #: 6-0024 New Policy: Established Policy: New Procedure: Established Procedure:

Full Title: Policy and Procedures for Authorized Signature: Criminal Justice Information Services COS Signature on file Security Compliance Owner: Information Security Manager Effective Date: 07-02-2018

Table of Contents

I. Purpose: ...... 2 II. Authority/Reference(s): ...... 2 III. Scope: ...... 2 IV. Definitions: ...... 3 V. Policy: ...... 5 A. PERSONALLY IDENTIFIABLE INFORMATION (PII) ...... 5 B. INFORMATION EXCHANGE ...... 6 C. INFORMATION HANDLING ...... 7 D. INCIDENT RESPONSE FOR COMPUTERS ...... 8 E. ACCOUNT MANAGEMENT ...... 9 F. SYSTEM ACCESS CONTROL ...... 12 G. REMOTE ACCESS ...... 12 H. PERSONALLY OWNED INFORMATION SYSTEMS...... 13 I. AUTHENTICATION STRATEGY ...... 13 J. AUTHENTICATOR MANAGEMENT ...... 15 K. MEDIA PROTECTION ...... 16 L. ELECTRONIC MEDIA SANITIZATION AND DISPOSAL ...... 16

Page 1 of 22

M. DISPOSAL OF PHYSICAL MEDIA ...... 17 N. PHYSICAL PROTECTION ...... 17 O. ENCRYPTION ...... 18 P. VOICE OVER INTERNET PROTOCOL (VOIP) ...... 18 Q. PATCH MANAGEMENT ...... 20 R. SECURITY ALERTS AND ADVISORIES ...... 20 S. WIRELESS ACCESS RESTRICTIONS ...... 21 T. BLUETOOTH ...... 22 U. PERSONNEL SANCTIONS ...... 22 VI. Enforcement: ...... 22 VII. Revision/History: ...... 22

I. Purpose:

The overriding goal of this policy is to comply with the FBI CJIS Security Policy requirements. Due to the evolving nature of the FBI CJIS Security Policy, it is necessary to separately communicate the requirements of the FBI CJIS Security Policy as it is developed and enhanced. These additional requirements are intended to be an enhancement to the existing Standard Operating Procedures of Florida Agency for Persons with Disabilities. The Agency shall adhere, at a minimum, to the FBI CJIS Security Policy. While the Agency may augment or increase the standards, it cannot detract from the minimum requirements set forth by the FBI CJIS Security Policy.

II. Authority/Reference(s):

U. S. Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Division: Criminal Justice Information Services (CJIS) Security Policy

III. Scope:

This policy applies to all employees, contractors, and volunteers of the Agency for Persons with Disabilities.

Page 2 of 22

IV. Definitions:

1. Authorized Personnel: For CJI: Personnel who have been appropriately vetted through a Level II fingerprint-based record check, have received the required CJIS Security Training, have been duly authorized according to Agency procedures and (according to their job duties) have been granted access to handle CJI. For non-CJI: Personnel who have been appropriately vetted through a Level II fingerprint-based record check, have received the required Security Awareness Training, have been duly authorized according to Agency procedures and (according to their job duties) have been granted access to handle confidential information (non-CJI). 2. CJI: Criminal Justice Information – The term used to refer to the FBI- provided Criminal Justice data necessary for law enforcement and civil agencies to perform their missions. 3. CSA: CJIS Systems Agency – A duly authorized state, federal, international, tribal, or territorial criminal justice agency on the Criminal Justice Information Services (CJIS) network providing statewide (or equivalent) service to its criminal justice users with respect to the CJI from various systems managed by the FBI CJIS Division. In Florida, the CSA is the Florida Department of Law Enforcement. 4. CSIRT: Computer Security Incident Response Team – The group of people assigned the responsibility for coordinating and supporting the response to a computer security incident. 5. FIPS 140-2: Federal Information Processing Standard (FIPS) Publication 140-2 – a U.S. government computer security standard used to approve cryptographic modules. 6. Information Security Access Control Team: Information Security personnel responsible for executing duly authorized access requests to information technology resources according to established processes and procedures.

Page 3 of 22

7. IP: Internet Protocol – A protocol used for communicating data across a packet-switched network using the Internet Protocol Suite, also referred to as TCP/IP. IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering data packets from the source host to the destination host based on their addresses. 8. ISO: Information Security Officer – A member of an organization who has the responsibility to establish and maintain information security policy, assesses threats and vulnerabilities, performs risk and control assessments, oversees the governance of security operations, and establishes information security training and awareness programs. The ISO also usually interfaces with security operations to manage implementation details and with auditors to verify compliance to established policies. 9. LASO: Local Agency Security Officer – The primary Information Security contact between a local agency and the CSA. The LASO actively represents their agency in all matters pertaining to Information Security. 10. NAS: Network Attached Storage – A file-level computer data storage server connected to a computer network. 11. Physically Secure Location: A facility, a criminal justice conveyance, or an area, a room, or a group of rooms, within a facility with both the physical and personnel security controls sufficient to protect CJI, PII, and associated information systems. 12. PII: Personally Identifiable Information – data that could potentially identify a specific individual. (see Policy A) 13. PKI: Public Key Infrastructure – A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates. Typically used for message authentication and encryption, or digital signatures. 14. SAN: Storage Area Network – A computer network which provides access to data storage.

Page 4 of 22

15. VOIP: Voice Over Internet Protocol – A set of software, hardware, and standards designed to transmit voice over computer networks. 16. VPN: Virtual Private Network – A technology that creates an encrypted connection to a secured network, over a less secure network such as the internet.

V. Policy:

A. PERSONALLY IDENTIFIABLE INFORMATION (PII)

PII Personally Identifiable Information (PII) – is any information pertaining to an individual that can be used to distinguish or trace a person’s identity. PII is defined as any one or more of types of information including, but not limited to: 1. Social security number 2. Username and password 3. Passport number 4. Credit card number 5. Clearances 6. Banking information 7. Biometrics 8. Data and place of birth 9. Mother’s maiden name 10. Medical and financial records 11. Educational transcripts 12. Photos and video including any of the above

All electronic files that contain PII or CJI will reside within a physically secure location.

All physical files that contain PII will reside in a physically secure location within a locked file cabinet or a locked office when not being actively viewed or modified.

All physical files that contain CJI will reside in a physically secure location within a locked file cabinet and a locked office when not being actively viewed or modified.

PII is not to be downloaded to workstations or mobile devices (such as laptops, personal digital assistants, mobile phones, tablets or removable media) or to systems outside the protection of the Agency. PII will also not be sent through any form of insecure electronic communication as significant security risks emerge when PII is transferred from a secure location to a less secure location or is disposed of improperly. When disposing of PII the physical or electronic file should

Page 5 of 22 be shredded or securely deleted. All disposal of PII will be done by Agency Authorized Personnel.

All PII will be collected only when there is a legal authority and it is necessary to conduct Agency duties.

Access to PII is only conducted when the information is needed to conduct Agency official duties and should only be utilized for official purposes. Agency members will not create unnecessary duplicate copies of documents that contain PII and will destroy the documents when no longer needed. When PII is extracted from a document, Agency members may only target the PII that is required for the task. PII that is extracted shall not be retained beyond the records retention rules for the data and the system it was accessed from. PII shall not be stored or transmitted via personally owned devices. PII may not be taken home by any Agency member.

B. INFORMATION EXCHANGE

Criminal Justice Information is the term used to refer to all of the FBI CJIS provided data necessary for law enforcement and civil agencies to perform their missions including, but not limited to, biometric, identity history, biographic, property, and case/incident history data. The following categories of CJI describe the various data sets housed by the FBI CJIS architecture:

1. Biometric Data—data derived from one or more intrinsic physical or behavioral traits of humans typically for the purpose of uniquely identifying individuals from within a population. It is used to identify individuals, to include: fingerprints, palm prints, iris scans, and facial recognition data.

2. Identity History Data—textual data that corresponds with an individual’s biometric data, providing a history of criminal and/or civil events for the identified individual.

3. Biographic Data—information about individuals associated with a unique case, and not necessarily connected to identity data. Biographic data does not provide a history of an individual, only information related to a unique case.

4. Property Data—information about vehicles and property associated with crime when accompanied by any personally identifiable information (PII).

5. Case/Incident History—information about the history of criminal incidents.

Page 6 of 22

The Agency will put forth formal agreements with other agencies prior to exchanging criminal justice information as well as the use of secondary dissemination.

The Agency does not allow for criminal justice information in its possession to be disseminated to external entities.

C. INFORMATION HANDLING

Information obtained from the CJI systems, must only be used for criminal justice purposes. Personnel must follow all CJIS Security Policy, state and federal rules and regulations regarding CJI information. All personnel needing access to CJI, (audio as well as visual), shall receive the proper training before access is granted. Training will be renewed at required periodic intervals, or access will be revoked. CJI or PII derived from CJI will not be transmitted via email. All information outlined in the information exchange and disposal of physical media shall be followed as well. These procedures shall include all inquiries for both criminal justice and non- criminal justice purposes.

The Agency utilizes a single file server for storage of criminal justice information. The server is kept in a physically secure location – a Tier III, state-of-the-art data center which is staffed 7x24x365 and is inaccessible to unauthorized individuals. The doors have key card locks that are only accessible to authorized data center employees. The server is access restricted by an IP white list, and enforces encrypted network communications via the SMB-3 protocol to secure the criminal justice data.

Physical information, such as reports that contain criminal justice information, is stored in a physically secure location within locked cabinets in locked offices and is only accessible to authorized Agency personnel. The documents are only removed when needed for official purposes. When removed, the information is kept by an authorized individual and then returned. The removal is documented in a log.

Any information that must leave the facility for transport will be done so only by authorized personnel and only for official purposes.

All computers within the facility are turned away from view to prevent unintentional viewing or shoulder surfing.

The Agency does not permit emailing CJI.

Page 7 of 22

D. INCIDENT RESPONSE FOR COMPUTERS

If an incident occurs involving any device (workstations, smart phones, laptops, tablets, etc.) that is on the agency network, the LASO shall be contacted immediately. If it is deemed by the LASO to be a security breach of confidential CJI, or PII contained in or derived from CJI, a Security Incident Response Form will be filled out and submitted to FDLE ISO at [email protected].

All users are responsible for reporting known or suspected information or information technology security incidents. All incidents must be reported immediately to the Agency LASO. The LASO will inform appropriate IT staff and document the incident.

If a suspected incident occurs on any computer or device, including a mobile device, the user shall not turn off the computer or device. The user will leave the computer or device on and report the incident immediately. A member of IT will inspect the device to determine if the incident is contained to the one device or if it is within the Agency systems.

The Agency will employ malware protection on all desktop and laptop devices and will ensure that the antivirus software is up-to-date.

Incident response will be managed based on the level of severity of the incident. The incident rating is a measure of its impact or threat on the operation or integrity of the Agency or its’ information as follows:

Critical: The incident imposes a severe effect on IT resources or CJI, or is believed to impact multiple agencies or delivery of services. High: The incident imposes a severe effect on IT resources or CJI. Medium: The incident imposes a moderate effect on IT resources or CJI. Low: The incident imposes a minimum effect on IT resources or CJI. Minimal: The incident imposes a negligible effect on IT resources or CJI. The Agency will identify a security breach by conducting the following:

1. Analyze a reported Event and investigate to determine its scope and potential impact.

2. Categorize the report as an Incident if appropriate.

3. Perform immediate containment of the incident while preserving evidence.

Page 8 of 22

4. Convene the CSIRT, review the preliminary details, and determine appropriate response. If criminal culpability is observed or suspected, contact Law Enforcement.

5. Rate the impact on the agency as: Minimal, Low, Medium, High, or Critical.

6. Determine if the Incident involves unauthorized access or confidential information or CJI.

7. Categorize the Incident as a Breach if appropriate.

8. Perform mitigation activities and implement mitigation measures

9. Investigate the Incident or Breach to determine how it occurred while preserving evidence.

10. Perform remediation activities and implement remediation measures.

11. Document actions throughout the process from initial detection to final resolution.

E. ACCOUNT MANAGEMENT

The management of system user accounts shall be conducted by the Information Security Access Control team at the direction of the LASO in accordance with all policies.

The management of CJI system user accounts shall be conducted by the Information Security Access Control team at the direction of the LASO in accordance with all policies and CJIS Security Policy requirements. Personnel will not gain access to a CJI-containing system until the required training courses are completed. The Agency LASO is the point of contact for all CJI system user accounts. The LASO (or designees) shall manage CJI system accounts to include establishing, activating, modifying, reviewing, disabling, and removing user accounts on all Criminal Justice Information Systems.

All user accounts of retired, terminated or otherwise former and non-working employees shall be disabled and revoked immediately or as soon as practicable. User accounts suspected of compromise shall be immediately disabled upon first discovery or suspicion of compromise. Logs of access privilege changes shall be maintained for a minimum of one year. Periodic user account validation will be logged.

Account Creation:

Page 9 of 22

1. Upon completion of appropriate state and national fingerprint-based records check, the Agency will notify the LASO (or designees) and provide the following information (as applicable) regarding the user: A. Start date/time B. Employee type (employee, contractor, other) C. Full name D. Business Unit E. Region, Area, City F. People First ID G. Position Number H. Phone I. Position Title J. Systems access and permissions with proper authorizations

2. The Agency will notify Desktop Support of the user’s computer equipment needs. 3. The LASO (or designees) will create and establish a domain account for the applicant. Each account will have a unique user name. 4. The domain account will be assigned a temporary password and will be set to require the user to create a new password upon activating the first session. The password for the account must adhere to the Agency password requirements outlined in the Authentication Strategy Policy. (See Policy I.) 5. The LASO (or designees) will provide the initial credentials to the user’s supervisor and local IT support technician. 6. Upon completion of the new employee user account creation, the user will be issued Agency equipment delegated to the users’ position within the Agency. Equipment may include, but is not limited to, Agency desktop or laptop computer, mobile phone or smart device, MiFi device for wireless access, keys, identification and entry badge. Equipment assigned to the employee will be inventoried to document which equipment is assigned to which employee. Inventory will be updated for subsequent equipment changes, deletions, enhancements.

Account Modification

In the event of promotion, demotion, change in job duties, suspension, extended leave, or termination, the employee’s supervisor or Human Resources will immediately notify the LASO (or designees) of the change of status to ensure appropriate access changes are made to systems and applications. 1. Promotion, Demotion, or Change in Job Duties:

Page 10 of 22

• Supervisor or Human Resources will notify LASO (or designees) of the change of status and change of authority level. • The LASO (or designees) will update all systems and applications as necessary to coincide with the new status of employment and will document these changes. 2. Suspension, or Extended Leave: • Supervisor or Human Resources will notify LASO (or designees) of the temporary change to the users’ account. • The LASO (or designees) will temporarily deactivate the account on each system and application. • The Supervisor will collect all agency equipment from the user and document the transaction. Inventory will be updated to show the altered equipment assignments. • Upon reinstatement, the supervisor or Human Resources will notify the LASO (or designees) and return all agency equipment to the user. Inventory will be updated to show the altered equipment assignments. • The LASO (or designees) will reactivate the user accounts on appropriate systems and applications. • The user will verify that the accounts are active.

Account Termination

• Upon termination from the Agency, whether voluntary or involuntary, the supervisor or Human Resources will inform the LASO (or designees) of the employment change. • The LASO (or designees) will disable all accounts on all information systems and applications. • The LASO (or designees) will place the user in the Terminated User Organizational Unit within Active Directory, remove all access of controls from the user, disable Agency e- mail account, and remove remote access ability and all permissions. • The supervisor will collect all Agency equipment and have the user sign the equipment receipt. • Inventory will be updated to show the altered equipment assignments.

Account Validation

• The LASO (or designees) will validate Agency User Accounts and Access Privilege Levels annually. • The LASO (or designees) will document the date and time of the validation on the Agency Validation Form. • The LASO (or designees) will verify that all active accounts are current and up-to-date.

Page 11 of 22

• Any changes made by the LASO (or designees) involving an account will be documented.

F. SYSTEM ACCESS CONTROL

Access control policies are high-level requirements that specify how access to the information system(s) are managed and who may access the information under what circumstance. The purpose of this policy is to define standards and procedures for multiple concurrent sessions within the Agency information system(s).

Access to a CJI system will be granted by the agency’s LASO. Once access is granted, the Information Technology (IT) Department will control access.

Access to Agency information system(s) are based on a user’s right to know, authority, and user group.

The Agency does not allow multiple concurrent sessions to the CJI system(s) within the network.

G. REMOTE ACCESS

Remote access to CJI is prohibited. However, to access non-CJI remotely, the Agency utilizes remote access technologies to communicate with internal information systems from an external, non-agency-controlled network. The purpose of this policy is to outline acceptable methods of remote access and the security in place to keep the information system(s) secure.

Remote access shall be for official use only, including via VPN. Vendor companies may be granted access to the agency’s network only if their access is restricted to only the information resources they are authorized to access.

It is the responsibility of Agency employees, contractors, and vendors with remote access privileges to the Agency network to utilize a connection that is secure. All remote access to internal Agency information systems must be performed through an Agency-authorized VPN. Those personnel accessing internal Agency information resources via VPN must use advanced authentication as a secondary form of authentication. VPN access will employ encryption algorithms that are FIPS 140-2 certified. IT will monitor and control all remote access to Agency systems.

Page 12 of 22

H. PERSONALLY OWNED INFORMATION SYSTEMS

Personally owned devices include smart phones, tablets, or any other device that is owned and maintained by the user, not the Agency.

Personally owned devices are not allowed to access the agency’s network. Therefore, a device that is not owned by the Agency, shall not process, store, access or transmit CJI.

Under no circumstance are users allowed to connect their personal device to the Agency network or any Agency owned computers, devices, applications or systems.

I. AUTHENTICATION STRATEGY

This Password Policy applies to all information systems and applications that contain or access criminal justice information or services. This includes, but is not limited to:

• Mainframes, servers and other devices that provide centralized computing capabilities

• SAN, NAS and other devices that provide centralized storage capabilities.

• Agency issued desktops, laptops, or any other device that provides distributed computing capabilities.

• Routers, switches and other devices that provide network capabilities.

• Firewalls and other devices that provide dedicated security capabilities.

• User access accounts

• Any other criminal justice information system or service.

The Agency LASO (or designees) will ensure each account is set up with a temporary password. When the user logs on the first time, the temporary password will be entered and the user will be prompted to create a new password.

Page 13 of 22

Each password and User ID will be unique and not be shared with any other individual. Users are forbidden to share their unique password or write it down. All passwords must be memorized.

Each user who is authorized to access, store, process, administer and maintain the Criminal Justice systems and applications, and/or transmit criminal justice information must be uniquely identified. The purpose of this policy is to define standards and procedures for the administration of user and system passwords.

While remote access to CJI is prohibited, access to any (non-CJI) Agency owned or managed information resource shall require advanced authentication when access commences from outside an Agency owned or managed network. If personnel are connecting from within an Agency owned or managed network, a username and password are required.

All passwords should: 1. Be a minimum length of eight (8) characters.

2. Contain 3 of the 4 following character sets:

a. A-Z

b. a-z

c. 0-9

d. Non-alphanumeric characters such as: ~ ! @ # $ % ^ & * ( ) _ - + = < > ? , . / \ |

3. Not be a dictionary word of any language or slang

4. Not be a proper name or a commonly used word such as:

a. Names of family members, friends, pets, or fictional characters.

b. Names of places, cities, etc.

5. Not be personal information such as:

a. Birthdays, anniversaries, or other significant dates

b. Addresses or phone numbers

6. Not be based on word or number patterns such as:

a. Abcdefg123

b. Qwerty1!

Page 14 of 22

c. 123454321

7. Not be the same as the User name.

8. Expire within a maximum of 90 calendar days.

9. Not be identical to the previous ten (10) passwords.

10. Not be transmitted in the clear outside the secure location.

11. Not be displayed when entered.

Each account is uniquely identified by a user name derived from the user’s first name followed by a dot, followed by the last name. To resolve matching names, the new username is appended a digit 1, 2, 3, etc.

J. AUTHENTICATOR MANAGEMENT

Authenticators will be assigned to personnel during onboarding or upon reassignment. Any lost, compromised, or damaged authenticators should be reported to the IT department immediately. Authenticators shall be deactivated immediately upon loss, compromise, or if personnel are terminated, retired, or have been reassigned.

Each user that accesses criminal justice information must be uniquely identified prior to being given access to the system and information. The Agency uses standard authenticators (passwords) for accessing criminal justice information in a secure manner from within an Agency owned or managed network. Access to criminal justice information from outside an Agency owned or managed network is not allowed.

A temporary standard authenticator (password) is given to the user for the user’s first active session. The user then creates a new password as outlined in the authentication strategy policy.

Advanced authenticators are given to users prior to gaining access to criminal justice information outside of the physically secure location. The Agency utilizes out-of-band authenticators for Advanced Authentication. The LASO will facilitate a secure protocol for individual user access to retrieve the out-of-band authenticators.

Page 15 of 22

K. MEDIA PROTECTION

Media in all forms shall be protected at all times.

Digital and physical media is restricted to authorized individuals. Only those authorized Agency users who have undergone a fingerprint based record check and have appropriate security awareness training will be allowed to handle criminal justice information in any form.

Handling physical media: The Agency will ensure that only authorized individuals will be granted access to media containing criminal justice information. The media will be stored in a physically secure location within locked cabinets in locked offices and only accessible to authorized Agency personnel. The media will only be removed when needed for official purposes. When removed, the information will be kept by an authorized individual and then returned. The removal will be documented in a log. When no longer needed, the electronic media will be disposed of by authorized agency personnel. Hard copies will be shredded by authorized personnel using a cross cut shredder.

Any computer that accesses criminal justice information within the facility will have a screen cover to ensure that information is not viewable by any unauthorized individual.

Any media that is transported outside the physically secure location will be kept in a sealed envelope with evidence tape to ensure that the chain of custody is kept. When the media is released to another user, the user will document the transaction in a secondary dissemination log for validation purposes.

At no time will the physical media be released to an unauthorized person or left without proper documentation.

L. ELECTRONIC MEDIA SANITIZATION AND DISPOSAL

Electronic media that has reached the end of its lifecycle must be sanitized and disposed of to ensure that criminal justice information is not viewed or accessed by unauthorized individuals. Electronic media is defined as any electronic storage device that is used to record information, including, but not limited to: hard disks, magnetic tapes, compact disks, videotapes, audiotapes, and removable storage devices such as USB drives.

Page 16 of 22

All electronic media must be properly sanitized before being transferred from the custody of the Agency. The proper method of sanitization depends on the type of media and the intended disposition of the media.

Hard Drives: The Agency will overwrite the hard drive utilizing at least a three-pass wipe. This will ensure that the data on the drive is overwritten with patterns of binary ones and zeros. The sanitization of the hard drive is not complete until the third wipe and a verification pass is complete.

Removeable media such as USB drives, floppy disks, DVDs, CDs, zip disks, videotapes, or audiotapes will be erased if possible and then destroyed by shredding, and witnessed or carried out only by Agency Authorized Personnel.

M. DISPOSAL OF PHYSICAL MEDIA

The disposal of criminal justice information must be performed in a manner that effectively protects secure information. Physical media will be destroyed properly.

When no longer needed, physical media such as hard copy print-outs shall be disposed of by shredding using a cross-cut shredder. The shredding will be performed only by Agency Authorized Personnel.

N. PHYSICAL PROTECTION

All agency personnel, support personnel, private contractors and vendors will protect criminal justice information, whether by physical, logical, or electronic means.

Only authorized personnel have access to the building where criminal justice information systems and components are located. The building is equipped with badge swipe access for authorized personnel.

Visitors must sign in at the front desk and produce identification. The Agency does not allow unescorted access by any non-agency member. When escorted into the building, visitors will wear a visitor badge and be accompanied by an authorized Agency member.

All computer screens upon which criminal justice information is viewed will be turned away from public view.

Page 17 of 22

All physical media containing CJI will be stored in a physically secure location within a locked filing cabinet in a locked office. Only authorized personnel will have a key to the cabinet and office.

All computer components will be locked in the secure server room. Only authorized IT personnel will have access to the server room. All vendors and contractors will undergo fingerprint based records checks under the Agency ORI and will complete appropriate security awareness training.

Any transportation of CJI will be done securely. Only Authorized Personnel can transport CJI. It will be physically with the personnel and if electronic, will be transported in encrypted form, using FIPS 140-2 certified encryption algorithms.

All Agency computers will be equipped with boundary protection tools, and malware protection to avoid intrusions.

O. ENCRYPTION

The Agency does not currently utilize Public Key Infrastructure (PKI).

CJI transmitted outside of a physically secure location or building will be protected by encryption using an algorithm that is FIPS 140-2 certified, and using at least a 128-bit key.

Encryption is not required if the transmission is contained within the boundary of the physically secure location or building.

P. VOICE OVER INTERNET PROTOCOL (VOIP)

Voice over Internet Protocol (VoIP) is the routing of voice conversations over a packet switched network as opposed to the traditional circuit-switched telephone network. Voice and data convergence introduces many security issues that must be addressed prior to deployment and use of VoIP technology. The following are standards and procedures for the implementation of VoIP telephone systems, as well as restrictions regarding criminal justice information.

To ensure the secure environment of the VoIP system, the VoIP server will be dedicated only for applications required for VoIP operations.

Page 18 of 22

IT will ensure that software patches for the VoIP system and servers originate from the system manufacturer and are applied in accordance with the manufacturer’s instructions.

Security:

The Agency will ensure all critical VoIP network and server components are located in a physically secure location and that only authorized personnel have access to them. This will limit physical access to the VoIP network segment.

The Agency will ensure that the default administrative password on the IP phones and VoIP switches are changed prior to implementation.

The Agency will utilize Virtual Local Area Network (VLAN) technology to segment VoIP traffic from the data traffic. The Agency will ensure that the VoIP system is not on the same VLAN as the Agency’s information network.

The Agency will use IPsec for all remote management and auditing access of the VoIP system, and will use a VoIP-enabled firewall designed for VoIP protocols to aid in securing the system.

The agency will ensure the following usage restrictions for agency personnel:

1. Do not divulge personal or criminal justice information to unauthorized individuals or people you don’t know.

2. Do not discuss criminal justice information using your VOIP Phone on Speaker with unauthorized personnel in the room.

3. Do not install or connect unauthorized devices to your VOIP Phone such as computers, Bluetooth, recording device, etc.

4. Do not use mobile software apps to attach to VOIP System.

5. Turn off all unused features on the VOIP System.

6. VOIP phone should not be used for international calls (outside the United States and its’ territories).

7. Do not store or save criminal justice information on the VOIP System.

8. Do not connect fax machine into VOIP System to fax criminal justice information.

9. Do not connect alarm systems into VoIP System. Alarm Systems must be connected to copper POTS line.

Page 19 of 22

10. If your VOIP Phone System does not provide a dial tone or is not showing the correct time/date and extension, please report this to Information Security by email, cellular phone or walk-in visit.

Q. PATCH MANAGEMENT

All workstations, mobile devices and servers owned by the Agency must have up-to-date operating system and software security patches installed in order to protect the device and network from known vulnerabilities.

Workstations, desktops and laptops have automatic updates enabled for the operating system patches. Current Agency servers have the minimum baseline requirements that define the default operating system level, service pack, hotfix, and patch level required to ensure the security of the Agency’s data and network. Software patches are “pushed” to devices as available.

IT will manage the patching needs for the servers on the network. In addition, they will manage the patching needs for all workstations on the network. IT will routinely assess the compliance of the patching policy and will provide guidance to all personnel of any security and patch management issues. IT also approves monthly and emergency patch deployments if necessary.

IT will monitor and report the outcome of each patching cycle to the Agency LASO. This will enable the LASO to assess the current level of risk. If a patch is causing vulnerability on the network or appliance, IT will roll the patch back in order to lessen the chance of vulnerabilities on the network.

The agency’s IT department shall review all security relevant patches, service packs, and hot fixes from the vendors. Once reviewed, the patches will be fixed promptly.

R. SECURITY ALERTS AND ADVISORIES

Security alerts and advisories are released to IT departments to ensure knowledge of newly discovered threats that may affect Agency Information Systems. The following are standards and procedures for security alerts and advisories.

The IT Department will monitor and/or receive alerts and advisories from the locations listed below. If an alert is determined to be critical or pertinent to Agency infrastructure, the

Page 20 of 22 appropriate personnel will be notified. All alerts and related actions will be recorded into an information log for Agency records.

The IT department has signed up for alerts and advisories from the following sites: www.us-cert.gov/ncas/current-activity ([email protected]) www.cisecurity.org/ms-isac/ ([email protected]) technet.microsoft.com/en-us/security ([email protected])

• The Agency will receive information system security alerts and advisories from the above listed sites.

• Once an alert has been received or detected and has been determined to be a credible threat, IT will notify the Agency LASO. If it is deemed an agency wide threat, the LASO will push the message out to all personnel via email.

• IT will take appropriate action depending on the alert. This may include, for example, updating security settings or issuing information to all relevant Agency personnel with directions to ensure proper handling of the issue.

S. WIRELESS ACCESS RESTRICTIONS

The Agency does not allow utilizing criminal justice information system(s) with wireless access.

Agency wireless networks will be configured so they are physically or logically separated from Agency networks. Wireless networks shall only allow network traffic to or from the Internet. Wireless networks shall not allow traffic to or from an Agency network. Agency personnel are only permitted to use Agency wireless networks for Agency business.

Agency personnel are not allowed to access CJI-containing systems from any public wireless network. Users are not permitted to attempt to add, remove or modify any hardware, software, network devices or other information systems in place within the Agency.

Wireless networks will have logging enabled (if supported), and logs will be reviewed at least monthly.

Page 21 of 22

T. BLUETOOTH

Bluetooth technology is an open standard for short-range radio frequency communication. The Agency does not allow connecting Bluetooth enabled devices to Agency owned devices.

U. PERSONNEL SANCTIONS

Any user who violates any portion of this policy will be subject to the standard disciplinary processes in place with the Agency. Sanctions against staff that violate information systems or security policies may include formal disciplinary action up to and including termination based on offense severity.

VI. Enforcement:

Workers may be subject to sanctions as stated in the above policy “Personnel Sanctions”. (see Policy U)

VII. Revision/History:

07/02/2018: Mike Sodders

Page 22 of 22

Agenda Item VI E. Office of Attorney General – Bureau of Victim Compensation Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix

Email completed form to Lakisha Hall at [email protected]

Contact Person Contact Person Michelle Crum (850) 414-3391 Name Phone Office of the Attorney Contact Person [email protected] Agency Name General, Bureau of Email Victim Compensation County All Circuit All

1. Describe in detail the change(s) you are requesting to the Standards for Access to Electronic Court Records and/or the Access Security Matrix. The Bureau of Victim Compensation utilizes CCIS to accomplish four mission critical objectives: 1) Under the authority of s. 960.17, Fla. Stat., to investigate and enforce the collection of debts owed to the Crimes Compensation Trust Fund for restitution pursuant to s. 775.089, Fla. Stat.; 2) To review criminal history records for indicators of forcible felony, habitual offender, and/or confinement disqualifiers, as provided by s. 960.065(2) and (3), Fla. Stat.; 3) To verify court records reflect claimant cooperation as required by s. 960.13(1)(b)(2), Fla. Stat., and s. 960.195(2), Fla. Stat.; and, 4) In accordance with s. 960.05(1)(k), Fla. Stat., entitlement to receive any data, including confidential records, which enables the department to determine if a crime was committed or attempted.

2. Cite the statute or rule which authorizes or prohibits the access you are requesting. Section 960.02, Fla. Stat., provides, "It is the express intent of the Legislature that all state departments and agencies cooperate with the Department of Legal Affairs in carrying out the provisions of this chapter." The Access Security Matrix (Nov. 2020, v.9) User Role (Subscribers) Access Permissions, prohibits adequate access to carry out mission critical objectives.

3. Describe in detail how access was gained prior to the implementation of the Access Security Matrix. There is no historical knowledge regarding the details of how access was initially implemented. However; in recent years, employees completed a Florida Association of Court Clerks and Comptroller CCIS Security User Agreement Application, and the approved agency CCIS Administrator added them using their secure login.

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 1 4. Attach a markup copy of the changes you are requesting to be implemented to the Standards for Access to Electronic Court Records and/or the Access Security Matrix. Request to increase “Access Methods” to “2. Web-based application for replicated or live data with security…”. Specifically, the Bureau of Victim Compensation requires the same level of access as delineated on the Access Security Matrix for “2. Florida State Attorney’s Offices”. 5. Attach documentation describing in detail internal protocols for protecting and accessing confidential information. Every employee within the Bureau of Victim Compensation is certified by and adheres to the standards of CJIS compliance in accordance with the Memorandum of Understanding by the Florida Department of Law Enforcement. Printed materials are maintained behind locked doors and in confidential files until such time they are shredded. Records are not electronically imaged, nor are they shared outside the agency. Agency policies governs general and appropriate use, security and proprietary information, system and network activities, software and hardware peripherals, with accompanying disciplinary policies should violations occur.

FOR ACCESS GOVERNANCE BOARD USE ONLY Decision Approved Denied Approved with More info conditions requested Reason for Denial Specific Conditions for Approval Reason for More Information Request Date

-- B -- B -- B -- B

-- B -- B

-- B

-- B -- B -- B -- B -- B -- B -- B

-- B -- B -- B -- B -- B -- B

-- B -- B

Agenda Item VI F. Office of Attorney General – Capital and Criminal Appeals Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix

Email completed form to Lakisha Hall at [email protected]

Contact Person Contact Person Thomas Duffy (850) 414-3617 Name Phone Attorney General's Contact Person [email protected] Agency Name Office, Capital and Email Criminal Appeals County All Circuit All

1. Describe in detail the change(s) you are requesting to the Standards for Access to Electronic Court Records and/or the Access Security Matrix. The Capital and Criminal Appeals Divisions of the Florida Office of the Attorney General request Access Code B, User Role 2 access to certain records in all courts. The State of Florida is a party to all criminal prosecutions and the appeals and collateral proceedings that derive from them; it likewise is a party in certain mental health cases under Chapter 394, Florida Statutes, and juvenile delinquency cases under Chapter 985 Florida Statutes. At the trial level, these cases are handled by Assistant State Attorneys, who are the attorneys of record. On appeal, the State is represented by the Office of the Attorney General, pursuant to subsections 16.01(4) (5) and (6), Florida Statutes. Assistant, or Deputy, Attorneys General become the attorneys of record on direct appeals and in collateral challenges in state and federal courts. In death sentences, lawyers from the Capital Division co-counsel with Assistant State Attorneys in the trial court. Therefore, the Assistant Attorneys General who handle the appeals, both direct and collateral, stand in the shoes of the prosecutors and must have access to certain confidential records in order to provide competent representation. Both entities represent the State of Florida, which is a party.

Until relatively recently, the Capital and Criminal Appeals Divisions have received un-redacted copies of court papers and transcripts. At some point, however, some clerks’ offices began delivering redacted records on appeal. Some records are totally redacted to the extent that every page had a single word: “Secured.” Most records are at least partially redacted and information like the names of victims and witnesses are omitted in both documents and trial transcripts. Even in those cases where only names are omitted—e.g., cases involving sexual abuse of children—the redactions of names can be so severe that it is impossible to understand the testimony.

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 1 Appeals from juvenile delinquency adjudications, sexually violent predator commitment proceedings and cases where criminal defendants are found incompetent to stand trial or are found not guilty by reason of insanity, will always have confidential information included within them, and other cases may. In other instances, vital documents are omitted from the record altogether, and in the past we have been able to see the dockets and find what has been omitted (see Item 3). The parties below—the State Attorney’s office and the defense—have access to all these items; we frequently do not. This lack of access hampers and at times frustrates, attorneys’ ability to represent the State of Florida as thoroughly as in the past. User Role 2 access will alleviate this problem. 2. Cite the statute or rule which authorizes or prohibits the access you are requesting. Authorization Article IV, section 4(b), Florida Constitution Subsections 16.01(4), (5), (6), Florida Statutes Section 16.08, Florida Statutes Section 394.9125(1), Florida Statutes Section 394.913(3)(h), Florida Statutes Florida Rule of Appellate Procedure 9.140(f) Florida Rule of Appellate Procedure 9.141(b)

Authority that would deny or limit access Florida Rule of Judicial Proceedings and Records 2.420(d)(1) Section 39.0132(4)(a)(1), Florida Statutes Section 119.071(5)(a)6.b, Florida Statutes Section 119.0714(1)(h), Florida Statutes Section 119.0714(1)(i), Florida Statutes Section 381.004(5)(c), Florida Statutes Section 384.29(1), Florida Statutes Section 382.013(5), Florida Statutes Section 382.025(1)(a)5, Florida Statutes Section 394.4615(3)(b), Florida Statutes Section 394.4655, Florida Statutes Section 984.06(3), Florida Statutes Section 985.04(1)(b), Florida Statutes 3. Describe in detail how access was gained prior to the implementation of the Access Security Matrix. Access to trial court records historically has been through either the Comprehensive Case Information Service (CCIS) or through the websites maintained by the Clerks of Court in each of the 67 counties. The District Courts of Appeal also allow access. In all cases, the user must be registered and approved by either CCIS, the clerk’s office or the Court. As noted above, records on appeal were provided without any redaction, except that in some cases involving sex crimes, only a paper record was provided. Paper records are rarely furnished. 4. Attach a markup copy of the changes you are requesting to be implemented to the Standards for Access to Electronic Court Records and/or the Access Security Matrix.

5. Attach documentation describing in detail internal protocols for protecting and accessing confidential information.

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 2

FOR ACCESS GOVERNANCE BOARD USE ONLY Decision Approved Denied Approved with More info conditions requested Reason for Denial Specific Conditions for Approval Reason for More Information Request Date

Request Form to Amend the Standards for Access to Electronic Court Records or the Access Security Matrix version 4.0 November 2020 Approved by the Florida Courts Technology Commission Page 3 MATRIX USER ACCESS PERMITTED USER SECURITY ROLES REQUIREMENTS All records except those that are expunged or sealed, automatically confidential under rule 2.420(d)(1), Fla. R. Jud. Admin., or made confidential by court order.

Access to Social Security numbers by §§119.071(5)(a)6.b. and 119.0714(1)(i), F.S.

Access to HIV test results as permitted by §381.004(5)(c), F.S. Secure access through

username and password by Access to sexually transmitted written notarized agreement. disease results as permitted by Agency gatekeeper is §384.29(1), F.S. User Role 2 responsible for maintaining

Florida State Attorneys’ authorized user list. Access to birth certificates as Offices; Florida permitted by §§382.013(5) and Attorney General’s Each state attorney must 382.025(1)(a)5, F.S. Office, Capital and establish policies to ensure

Criminal Appeals that access to confidential Access to mental health records Division records and information is as permitted by limited to those individuals §§394.4615(3)(b), who require access in 394.4655(3)4)(c), and F.S. performance of their official

duties. Access to identities of victims of sexual and child abuse when originating from law enforcement as permitted by §119.0714(1)(h), F.S.

Access to children and families in need of services records as permitted by §984.06(3), F.S.

Access to juvenile records as permitted by §§39.0132(4)(a)(1) and 985.04(1)(b), F.S.

Standards for Access to Electronic Court Records November 2020 Page 3

Access Security Matrix (November 2020 v9) User Role (Subscribers) ***VOR Statute List (F.S.): Key to access codes 787, 794, 796, 800, 825, 827, 847, 921 VOR is at the case level A = All but expunged, or sealed under Ch. 943, F.S. ***Viewable on Request (VOR) - to ensure that information is properly removed prior to public

B = All but expunged, or sealed under Ch. 943, F.S., or sealed Florida , access, some case types and document types have a special electronic security called viewable under Fla. R. Jud. Admin. 2.420 on request. Selecting an image of a court document in cases or documents coded viewable on C = All but expunged, or sealed under Ch. 943 and sealed under request will not allow the user to view the record at that point. Instead, a request is generated to a Fla. R. Jud. Admin. 2.420, or confidential clerk, who performs a second examination of the document to remove personal identification D = All but expunged, sealed or confidential; record images information and information about the victims of sexual or child abuse crimes. After the clerk has viewable upon request completed, the requestor then receives a notice that the document is available for viewing. Once

4. Parties 4. a document has been requested and reviewed, it is available for all future access without E = Case number, party names, dockets only requiring a request/review.

F = Case number and party names only AppealsDivision theirauthorized users

G = Case number only Attorneys 3. of Record (Institutionalonly) Access

H = No access

Counsel(Institutional only) Access

6. General Gov't General 6. and Const Officers

Departmentof Children and Families

10. Florida School Districts (Truancy)SchoolFlorida Districts 10.

14. Statewide Guardian14. ad Litem Office

12. FloridaOffice 12. of the Defender Public

2. Florida Attorney'sState2. Offices

11. Commercial purchasers of bulk purchasers records Commercial 11.

andFlorida stateand law enforcement local

9. Florida Office,Attorney9. Florida General's

personnel (Internal access byauthorization) personnel(Internal access

8. Certified law 8. enforcement ofofficers federal

Attorney General's Office,Attorney Capital General's and Criminal

5. Public in Clerks' offices users and registered in Clerks' Public 5.

13. Office 13. of Conflict Criminal Regionaland Civil

agencies, Florida DepartmentFlorida agencies, of and Corrections,

1. Judges 1. and authorized office court and clerk's 7. General public General (without 7. registration agreement)

Case - Charge/Filing Description PRIVACY UCN Applicable rules and statutes County Criminal Appeals P A B B C D C D B C C D B C D AP Rule 2.420(d) & (f) County Criminal Appeals Sexual Abuse VOR A B B D D D D B D D D B D D AP Rule 2.420(d) & (f), §119.071(2)(h), F.S., Chs. 794, 796, 800, 827 & 847, F.S. County Civil Appeals P A B B B D C D B C C D C C D AP Rule 2.420(d) Circuit Civil P A B B B D C D B C C D C C C CA Rule 2.420(d) & Rule 1.210 Jimmy Ryce Act VOR A B B D D D D B D D D B D D CA Rule 2.420(d), Chapter 119, F.S.& § 394.921(1)&(2), F.S. Mortgage Foreclosure P A B B B D C D B C C D C C D CA Rule 2.420(d) & Rule 1.210 Circuit Civil Private (Sexual Abuse & Medical Malpractice) VOR A B B D D D D B D D D D D D CA Rule 2.420(d)(1)(B)(xiii), §§119.071(2)(h), 119.0714(1)(h), & 28.2221(5)(a), F.S. Circuit Civil - Trusts (Pre 2010) P A B B B D C E B C C E C C C CA Rule 2.420(d)(1)(B); Chapter 119, F.S. & §28.2221(5)(a), F.S. County Civil P A B B B D C D B C C D C C C CC Rule 2.420(d) & Rule 1.210 Felony P A B B C D C D B C C D B C C CF Rule 2.420(d) & Chapter 119, F.S. Felony - sexual cases VOR A B B C D D D B D D D B D D CF Rule 2.420(d)(1), §119.071(2)(h)1.b or c, F.S., Chs. 794, 796, 800, 827, & 847, F.S. Juvenile Delinquency P A B B B G G G B G G G B G G CJ §§985.04(1) & (2), 985.045(2), 985.036(1) & 985.11(3), F.S. County Ordinance Infractions P A B B B D C D B C C D C C C CO Rule 2.420 County Ordinance - Arrests P A B B C D C D B C C D B C C CO Rule 2.420 Probate Formal Administration P A D D D D D E D D D E D D D CP Rule 2.420; §§28.2221(5)(a) & 733.604 (b), F.S. Probate Other P A D B D D D E D D D E D D D CP Rule 2.420; §§28.2221(5)(a) & 735.201-302, F.S. Criminal Traffic P A B B C D C D B C C D B C C CT Rule 2.420(d) & (f) Juvenile Dependency P A B B C G G G B B G G G B B DP Rule 2.420(d), §§39.0132(3)&(4)(a), 39.822(3) & 27.511(6)(a), F.S. Juvenile Truancy P A B B B G G G B B B G G B B DP §984.06(3) & §27.511(6)(a), F.S. Rule 2.420(d), §§28.2221(5)(a), 61.043(1), 68.07, 382.025(1), 382.0195(1), 409.2563(2)(d) & Domestic Relations P A B B B D C E B C C E C C C DR 742.011, F.S. Domestic Relations Adoption (FINAL) P A G D D G G G G G G G G G G DR §§63.162(1)(2) & 63.022(4)(i), F.S. DR Adoption (while open and pending) P A G B D G G G G G G G G B G DR §§63.162(1)(2), 63.022(4)(i), & 27.511(6)(a), F.S. Domestic Relations - Paternity - sealed P A F F F F F F F F F F F F F DR §§742.011, 742.091, 742.16(9), 742.031(1), & 28.2221(5)(a), F.S. DR Violence Injunctions (all) Before Service C A B B G G G G D G G G G G G DR Rule 2.420(d)(1)(B)(xxiii), §§119.0714(1)(k)3 & 28.2221(5)(a), F.S. DR Violence Injunctions (all but sexual) After Service P A B B D D C E B C C E B C C DR Rule 2.420(d)(1)(B)(xxiii), §§119.0714(1)(k)3 & 28.2221(5)(a), F.S. Parental Notice of Abortion VOR A G B B G G G G G G G G G G DR Rule 8.805(b), Rule 8.835, Rule 2.420(d)(1)(B)(vii), §§390.01114(4)(e) & 390.01116, F.S. Sexual Violence After Service VOR A B B D D D E B D D E C D D DR Rule 2.420(d)(1)(B)(xiii) & (f), §119.071(2)(h)1 (b) or (c), F.S. Termination of Parental Rights P A B B G G G G B B G G G B B DR §§39.814(3) & (4), 39.822(3) & 27.511(6)(a), F.S. Extradition VOR A B B C D D D B D D D C D D CF Rule 2.420(d) & (f) Guardianship/Guardian Advocate (Developmental Disabilities) P A B B B D C E C C C E C B C GA §§744.1076, 744.3701, 393.12 & 27.511(6)(a), F.S. Guardianship Miscellaneous/Professional Guardian P A B B C D C E C C C E C B C GA §§744.1076, 744.3701, 744.2003 & 27.511(6)(a), F.S. Non-Criminal Infractions P A B B B D C D B C C D C C C IN Rule 2.420(d) Juvenile Miscellaneous P A B B G G G G G G G G G B G DP §§985.04(1) & (2), 985.045(2) & 27.511(6)(a), F.S. Miscellaneous Firearms P A B B B D C D B C C D B C D MM Rule 2.420(d), §§119 & 790.065(4), F.S. Mental Health Miscellaneous P A B B B D D E C D D E B D D MH Rule 5.900, §§393.11, 765.105, 916.107(3)(a), & 415.1051, F.S. Baker Act C A B B B G G G B B G G B G B MH Rule 2.420(d), §§394.459(8) & 394.4615, F.S. Substance Abuse - Assessment/Treatment C A B B B G G G B B G G G B B MH Rule 2.420(d), §§397.501(7), 397.6760 & 27.511(6)(a), F.S. Tuberculosis/STD Treatment/Other Confidential P A B B B G G G B B G G G B B MH §§392.55, 384.27 & 27.511(6)(a), F.S. Incapacity P A B B B D C E C C C E C B C MH Rule 2.420(d), §§744.3701, & 27.511(6)(a), F.S. Misdemeanor P A B B D D C D B C C D B C C MM Rule 2.420(d) Misdemeanor - sexual cases VOR A B B D D D D B D D D B D D MM Rule 2.420(d) & §119.071(2)(h), F.S. Municipal Ordinance Infraction P A B B B D C D B C C D C C C MO Rule 2.420(d) Municipal Ordinance Arrest P A B B B D C D B C C D B C C MO Rule 2.420(d) Misdemeanor-Misc VOR A B B B D D D B D D D B D D MM Rule 2.420(d) Access Security Matrix (November 2020 v9) User Role (Subscribers) ***VOR Statute List (F.S.): Key to access codes 787, 794, 796, 800, 825, 827, 847, 921 VOR is at the case level A = All but expunged, or sealed under Ch. 943, F.S. ***Viewable on Request (VOR) - to ensure that information is properly removed prior to public

4. Parties 4. a document has been requested and reviewed, it is available for all future access without E = Case number, party names, dockets only requiring a request/review.

F = Case number and party names only AppealsDivision theirauthorized users

G = Case number only Attorneys 3. of Record (Institutionalonly) Access

H = No access

Counsel(Institutional only) Access

6. General Gov't General 6. and Const Officers

Departmentof Children and Families

10. Florida School Districts (Truancy)SchoolFlorida Districts 10.

14. Statewide Guardian14. ad Litem Office

12. FloridaOffice 12. of the Defender Public

2. Florida Attorney'sState2. Offices

11. Commercial purchasers of bulk purchasers records Commercial 11.

andFlorida stateand law enforcement local

9. Florida Office,Attorney9. Florida General's

personnel (Internal access byauthorization) personnel(Internal access

8. Certified law 8. enforcement ofofficers federal

Attorney General's Office,Attorney Capital General's and Criminal

5. Public in Clerks' offices users and registered in Clerks' Public 5.

13. Office 13. of Conflict Criminal Regionaland Civil

agencies, Florida DepartmentFlorida agencies, of and Corrections,

1. Judges 1. and authorized office court and clerk's 7. General public General (without 7. registration agreement)

Case - Charge/Filing Description PRIVACY UCN Applicable rules and statutes Parking P A B B B D C D B C C D B C C CO Rule 2.420(d) Small Claims P A B B B D D D D D D D C D D SC Rule 2.420(d) Traffic Infractions P A B B B D C D B C C D B C C TR Rule 2.420(d) Any case marked sealed S A G G G G G G G G G G G G G Any case that has a SEALED Privacy at the case level Any expunged case E H H H H H H H H H H H H H H Any case that has an EXPUNGED Privacy at the case level Sealed Family Law Case S A G B B G G G G G G G G G G Case by case basis giving Party/Attorney access

Domestic Relations consists of Administrative Support Proceeding, Delayed Birth Certificate, Dissolution, Domestic Relations-Paternity, URESA/UIFSA, and Name Change County Civil consists of County Foreclosure As the custodian of public records, the Capital and Criminal Appeals Divisions of the Florida

Office of the Attorney General must “provide safeguards to protect the contents of public records from unauthorized remote electronic access or alteration and to prevent the disclosure or modification of those portions of public records which are exempt or confidential from subsection

(1) or s. 24, Art. I of the State Constitution.” § 119.07(2)(b), Fla. Stat.

Records of the Capital and Criminal Appeals Divisions of the Florida Office of the Attorney

General are stored on secure media connected via password-protected devices and computers.

Employees of the Capital and Criminal Appeals Divisions of the Florida Office of the Attorney

General receive annual training on public records. The training and policy manual state that all employees and other computer system users are held accountable for protecting information from unauthorized modification, destruction, or disclosure, and for safeguarding sensitive and confidential information. Every user is expected to know these policies and all associated referenced guidelines and to conduct their activities accordingly.

All requests for access to these records are approved by a managerial- level employee prior to release of the requested information, to ensure that exempt and/or confidential records have been correctly excluded or redacted. See Ch. 39, 119, 381, 382, 384, 984, and 985, Florida Statutes.

Agenda Item VI G. C.O.R.E. Program