Report 2019-118 Recommendation 39 Responses
Report 2019-118: Automated License Plate Readers: To Better Protect Individuals' Privacy, Law Enforcement Must Increase Its Safeguards for the Data It Collects (Release Date: February 2020)
Recommendation #39 To: Marin County Sheriff's Department
To enable auditing of user access to and user queries of ALPR images, Marin should ensure that its ALPR policy makes clear how frequently Marin will audit its ALPR system, who will perform that audit, who will review and approve the audit results, and how long Marin will retain the audit documents. Marin should have in place by February 2021 an audit plan that describes its audit methodology, including, but not limited to, risk areas that will be audited, sampling, documentation, and resolution of findings.
Annual Follow-Up Agency Response From September 2023
Marin's ALPR policy regarding audits has been clarified as recommended. The audit plan is described in Policy 426.6. Per that policy, audits will be conducted each year. All user inquiries will be reviewed. The Vehicle Theft Investigator will serve as the ALPR Program Manager and will be responsible for performing the yearly audit. Audited data will include the following risk areas: User Logins, and categories related to Hit List Browsing, Sharing Reports, Hot List Browsing, Hot List Upload, Hot Plate Upload, Hot List Delete, Hot Plate Delete, Stakeout Browsing, Detections Shared, Hot Lists Shared, Hot Lists Received, and any other data relating to the sharing of ALPR information with other agencies. Audit records will be retained for two years. If a violation is suspected, it will be reported to the sergeant in command of the Auto Theft Task force for further investigation. The results of the audit will be forwarded to the Sheriff or his designee for review, approval, and any necessary remediation.
- Completion Date: September 2023
California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented
1-Year Agency Response
The policy has been revised and/or updated. The new policy number is 429. The current policy has been provided to you via the process for submitting supporting documents.
- Completion Date: November 2020
- Response Date: February 2021
California State Auditor's Assessment of 1-Year Status: Partially Implemented
Marin's policy does not address all elements of the recommendation; the policy omits information about who will review and approve the audit results. In addition, Marin did not provide its audit plan and the policy does not include information that the recommendation specified be included in the audit plan. Absent the noted information, we determined that Marin partially implemented this recommendation.
- Auditee did not substantiate its claim of full implementation
- Auditee did not address all aspects of the recommendation
6-Month Agency Response
The policy now reads, "Audits will be conducted once a year for indications of inappropriate or unusual activity. Data to be audited will include User Logins, and categories related to Hit List Browsing, Hot List Browsing, Hot List Upload, Hot Plate Upload, Hot List Delete, Hot Plate Delete, and Stakeout Browsing. If a violation is suspected, it will be reported to the Sergeant overseeing the Auto Theft Task Force for further investigation."
- Estimated Completion Date: September 30, 2020
- Response Date: August 2020
California State Auditor's Assessment of 6-Month Status: Partially Implemented
60-Day Agency Response
Marin did not provide a 60-day response.
- Estimated Completion Date: unknown
- Response Date: April 2020
California State Auditor's Assessment of 60-Day Status: Pending
All Recommendations in 2019-118
Agency responses received are posted verbatim.