Report 2019-118 Recommendation 39 Responses

Report 2019-118: Automated License Plate Readers: To Better Protect Individuals' Privacy, Law Enforcement Must Increase Its Safeguards for the Data It Collects (Release Date: February 2020)

Recommendation #39 To: Marin County Sheriff's Department

To enable auditing of user access to and user queries of ALPR images, Marin should ensure that its ALPR policy makes clear how frequently Marin will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Marin will retain the audit documents. Marin should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.

Annual Follow-Up Agency Response From September 2023

Marin's ALPR policy regarding audits has been clarified as recommended. The audit plan is described in Policy 426.6. Per that policy, audits will be conducted each year. All user inquiries will be reviewed. The Vehicle Theft Investigator will serve as the ALPR Program Manager and will be responsible for performing the yearly audit. Audited data will include the following risk areas: User Logins, and categories related to Hit List Browsing, Sharing Reports, Hot List Browsing, Hot List Upload, Hot Plate Upload, Hot List Delete, Hot Plate Delete, Stakeout Browsing, Detections Shared, Hot Lists Shared, Hot Lists Received, and any other data relating to the sharing of ALPR information with other agencies. Audit records will be retained for two years. If a violation is suspected, it will be reported to the sergeant in command of the Auto Theft Task force for further investigation. The results of the audit will be forwarded to the Sheriff or his designee for review, approval, and any necessary remediation.

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented


1-Year Agency Response

The policy has been revised and/or updated. The new policy number is 429. The current policy has been provided to you via the process for submitting supporting documents.

California State Auditor's Assessment of 1-Year Status: Partially Implemented

Marin's policy does not address all elements of the recommendation; the policy omits information about who will review and approve the audit results. In addition, Marin did not provide its audit plan and the policy does not include information that the recommendation specified be included in the audit plan. Absent the noted information, we determined that Marin partially implemented this recommendation.


6-Month Agency Response

The policy now reads, "Audits will be conducted once a year for indications of inappropriate or unusual activity. Data to be audited will include User Logins, and categories related to Hit List Browsing, Hot List Browsing, Hot List Upload, Hot Plate Upload, Hot List Delete, Hot Plate Delete, and Stakeout Browsing. If a violation is suspected, it will be reported to the Sergeant overseeing the Auto Theft Task Force for further investigation."

California State Auditor's Assessment of 6-Month Status: Partially Implemented


60-Day Agency Response

Marin did not provide a 60-day response.

California State Auditor's Assessment of 60-Day Status: Pending


All Recommendations in 2019-118

Agency responses received are posted verbatim.