28 CFR Part 23

  • Updated

28 CFR Part 23 is a pivotal federal regulation that establishes crucial guidelines and standards for law 
enforcement agencies regarding the operation of inter-jurisdictional and multijurisdictional criminal 
intelligence systems in the United States. Enacted by the Department of Justice, these standards are designed 
to ensure the lawful and effective gathering, handling, and dissemination of criminal intelligence information 
while safeguarding individual privacy rights and civil liberties. 


In summary, 28 CFR Part 23 serves as a cornerstone regulation that provides essential guidance to law 
enforcement agencies on the lawful and responsible operation of inter-jurisdictional and multijurisdictional 
criminal intelligence systems. By promoting adherence to privacy protections, compliance with legal 
standards, and fostering interagency cooperation, the regulation supports efforts to enhance public safety 
while safeguarding individual rights and maintaining public trust in law enforcement practices. 


Access 28 CFR Part 23 Settings: 
1. Click Administration
2. Click Data Access - Classification & Retention. 
3. Click 28 CFR Part 23. 
4. This will open the 28CFR Part 23 page. 

page212_img1.png

5. You can see there are two flags present on the screen. 

  • Enable 28 CFR part 23:   This flag is to enable or disable this policy under the organization. This will 
    allow the users to select this compliance in all record types, the create and update page. 
  • Make the Field Mandatory: This flag will make the field mandatory, and users cannot ignore 28 
    CFR Part 23 fields while creating or updating the records. 


6. The 28 CFR Part 23 page in OWL includes a critical field called Compliance Precedence, which 
determines how conflicting compliance rules are resolved. 
 

When Conflicts Occur: 

If a record is subject to both Retention Policy compliance and 28 CFR Part 23 
compliance. Then the OWL system cannot automatically determine which rule to apply for archiving or 
deletion. 

Admin Decision Required to resolve this, organization administrators must set a precedence flag 
indicating which compliance takes priority. Once defined, OWL will apply the selected compliance rule 
consistently across affected records. 

This ensures clarity, consistency, and regulatory alignment in record lifecycle management. 
 

7. Click on the edit button of the precedence field. This will open a pop-up to set the compliance 
precedence between the Retention policy and 28CFR Part 23. Select one of them and click on the  
Update button. It can be edited later by the same process. 

page213_img1.png

 

28 CFR Part 23 Review

Organizations that enable this compliance must adhere to a structured review process based on the CJIS Review Information Period. 

  • Triggering Reviews: At the end of each CJIS review period, all records marked for 28 CFR Part 23 
    compliance are flagged for review. 
  • Reviewer Roles: Designated admins or supervisors are responsible for evaluating each record, which 
    includes all types of records created by Users: Cases, Subjects, Forms, etc ... 
  • Review Decisions: 
    Continue: If the record is still relevant, it remains open for further work. 
    Delete: If the record no longer meets compliance criteria, it is deleted in accordance with data 
    retention policies. 


Compliance Mandate 

This review process is mandatory and can be configured by the organization to ensure: 
• Secure handling of case information 
• Confidentiality of sensitive data 
• Adherence to federal compliance standards 


Reminder Notifications sent to facilitate timely reviews: 
• Admins set a notification date before the review deadline. 
• Reviewers receive automated reminders to complete their evaluations before the due date. 
 

 

Steps to Add/Edit 28 CFR Part 23:
1. Click Administration
2. Click Data Access - Classification & Retention. 
3. Click 28 CFR Part 23. 
4. This will open the 28CFR Part 23 page. 
5. Click on the Add/Edit button on the screen when adding the review date in the organization. 
6. Select the year and month from the CJIS Review Info period field. 
7. Select the Notification days before the due date.

page214_img1.png

8. After selecting both, click on the Save button. 
9. The configured review period and notification lead time are stored and accessible via the 28 CFR Part 23 
compliance page.

page214_img2.png

10.  The review period applies exclusively to records that have 28 CFR Part 23 compliance enabled. 


11. For instance, if a case is created today and the CJIS Review Period is set to 2 years, the compliance 
review will be scheduled exactly 2 years from the creation date. If the notification lead time is set to 20 
days, reviewers will receive alerts precisely 20 days before the scheduled review date, based on their 
assigned license roles. 


12. The 28 CFR Part 23 page displays all record types created in OWL in a tabbed layout. Each listed 
record has 28 CFR Part 23 compliance enabled. 


13. Records shown on this page are either pending review or have already been reviewed. Admins can 
initiate the review process by selecting the Review option from the record’s action menu in the table. 

page215_img1.png
14. Clicking Review opens a pop-up window containing: 
• Detailed information about the selected record 
• A history of previous reviews 
 

15. The pop-up includes two action buttons: 
• Retain – to keep the record 
• Delete – to remove the record

page215_img2.png

16. If the reviewer chooses to retain the record: 
• Clicking Retain reveals a mandatory comment box 
• The reviewer must provide a justification for retention in accordance with CJIS compliance 
• After entering the comment, clicking Retain again completes the review

page216_img1.png

17. The record remains active, and a new entry is added to its review history log 


18. If the reviewer decides the record should be deleted: 
• Clicking Delete prompts a mandatory comment box 
• The reviewer must explain the reason for deletion 
• After entering the comment, select the checkbox below the comment box to reconfirm the deletion. 
Clicking Delete again finalizes the deletion.

page216_img2.png

19. Upon deletion: 
• The record’s status is updated to Deleted 
• It is moved to the Trash Bin 
• Any associated records will also be deleted if they are subject to the same deletion compliance 
rules 


20. For example, if a Subject is linked to a Case and the subject does not have a retain compliance flag 
enabled, both the case and subject will be deleted during the review. 


21. However, if child records (e.g., linked Subjects or Forms) have their own retain compliance flags 
enabled, they will be detached from the parent record and preserved with their current status. 


22. Each record type has its own filters on the 28 CFR part 23 page for the reviewers and admins to look for 
specific records that are waiting for review, already retained, or deleted.

page217_img1.png

• Retained 
Records that have undergone the review process and were retained during the most recent review 
cycle. 
• Deleted 
Records that have been reviewed and marked for deletion in accordance with compliance guidelines. 
• Permanently Deleted 
Records that were previously deleted and have now been permanently removed from the OWL system. 
• N/A 
Records that have never been reviewed since their creation, despite having 28 CFR Part 23 compliance 
enabled. 


23. The remaining filters function as expected, allowing users to search records based on Name, 
Department, Owner, and Creation Date.

 

Records without 28 CFR Part 23

When the 28 CFR Part 23 feature is enabled in OWL, administrators gain the ability to monitor and manage 
records that were created without an assigned 28 CFR Part 23 compliance. This ensures compliance and 
proper data governance across the organization. 


Steps to view the number of records without retention policies: 
1. Click Administration
2. Click Data Access-Classification & Retention Policies-Compliance within the OWL Admin menu. 
3. Click on 28 CFR Part 23. 
4. This will open the 28 CFR Part 23 page. 
5. On the retention policy page, we have the section name number of records without 28 CFR Part 23 
policies. 
6. The system displays a count of records without assigned 28 CFR Part 23, organized by record type 
(e.g., Cases, Subjects, Forms). 
7. Clicking on any of these counts opens a pop-up window specific to that record type, showing the list of 
records currently missing 28 CFR Part 23 assignments.

page218_img1.png

8. Click Edit from the action menu. This opens the record with editable compliance fields. 
9. Select the appropriate 28 CFR Part 23 fields and update the record.

page218_img2.png

10. Once updated, the record will be removed from the list, and the count of records without a retention 
policy will decrease accordingly. 
11. If the 28 CFR Part 23 is marked as mandatory, red flag will appear in the column. If it's optional, a 
yellow flag will be shown instead.

Related to