Office of Operations
21st Century Operations Using 21st Century Technologies

4.1 Center/Stakeholder Policies and Regulatory Issues

One of the key challenges facing the centers’ ability to exchange information revolves around policy and regulatory issues.

4.1.1 Information Technology (IT) and Data Management Policy

Policy issues that often present roadblocks to information exchange in specific cases include:

  • Organization-wide IT/security and firewall policies, typically tailored to agency-specific or more broadly held (e.g., statewide) policies, that prevent or limit external access to sensitive databases
  • Contracts and agreements with commercial interests or other agencies on the use and dissemination of information with financial or other value to these interests/agencies
  • “Ownership” and liability for the proper use and cost of misuse of information, which is provided with the expectation that it is valid and appropriate for the intended use.

4.1.2 Privacy

Two key laws affect the ability of these centers to exchange information: the Privacy Act of 1974, Public Law 93-579, and Title 28 Code of Federal Regulations (CFR) Part 23. This section includes a discussion of these laws, as well as the limitations and concerns they impose on the centers.

The Privacy Act of 1974, Public Law 93-579, states:

No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains…[46]

Broadly stated, the purpose of the Privacy Act is to balance the Federal Government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from Federal agencies’ collection, maintenance, use, and disclosure of personal information about them.[47]

28 CFR Part 23 regulates operating policies for all domestic organizations receiving Federal funding for criminal intelligence systems. 28 CFR Part 23, most recently updated in 2001, defines a criminal intelligence system as “the arrangements, equipment, facilities, and procedures used for the receipt, storage, interagency exchange or dissemination, and analysis of criminal intelligence information.”[48] This definition is now applied to FCs. It also governs the basic requirements for the intelligence system process. This process includes:

  • Information submission or collection
  • Secure storage
  • Inquiry and search capability
  • Controlled dissemination
  • Purge and review process.

This regulation recognizes that certain crimes (e.g., drug trafficking, smuggling) involve some degree of coordination and permanent organization over a large geographical area. 28 CFR Part 23 acknowledges that pooling information about such activities is necessary but could represent a threat to the privacy of individuals. It is reported that the U.S. DOJ now trains FCs on 28 CFR Part 23 twice a year to assure compliance.

As an example of the reach of Part 23, in 2002, the American Civil Liberties Union (ACLU) filed a class action lawsuit against the Denver Police Department when it was found to have collected and retained information on non-criminal elements (American Friends Service Committee v. City and County of Denver). The lawsuit filed by the ACLU against the police involved in the sharing of this intelligence information challenged the monitoring and recording of peaceful citizens. The ACLU also stated in its suit that the police falsely labeled its clients as “criminal extremists.” Those so labeled apparently included peace activists and education and human rights organizations, suspected as possible threats to public safety. Mayor Webb came out following the lawsuit to say that Denver police had gone too far, compiling “intelligence files” on 3,200 individuals and 208 organizations that demonstrated no credible threat. The Mayor also ordered all intelligence records be archived at the Denver Public Library and “preserved for study.” Part of this archive is available to the public (copies of newspaper clippings, pamphlets, flyers, articles, and photographs). Restricted files are now made available only to persons or organizations named in the files until 2055, when all files will be released to the public.

For TMCs, privacy issues are often cited as a key challenge. While the TMC’s primary function does not include law enforcement, the information gathered and monitored by the TMC can assist law enforcement officials. However, some TMCs, such as those operated by the Virginia Department of Transportation (VDOT),[49] state, for example, that their field equipment is incapable of identifying license plates of passing traffic and that they do not record video feeds. The Rhode Island Department of Transportation[50] asserts that its TMCs maintain a camera system privacy policy, where their operators are instructed to: “(1) Only focus the cameras on the highway and highway related areas, and (2) Only zoom into an accident scene to determine incident response needs and then zoom out to monitor traffic flow.” Additionally, cameras are “blanked out” on the Web site and cable channel when they are being used in responding to an incident.

In addition, there are potential privacy and liability concerns when handling 9-1-1 calls. In March 2002, the 511 Deployment Coalition published Deployment Assistance Report #2, Transfer of 511 Calls to 911, examining the issue of a 511 system receiving a call intended for 9-1-1 and what concerns there may be for the 511 system to transfer the call to 9-1-1. While there are some technical issues to overcome to allow the transfer to happen, the report states, “In order to transfer a call to a 911 center, the carrier must provide the callers Automatic Identification Number (AIN). While it is technically feasible for the carrier to provide this information, they will be hesitant to do so because of privacy concerns and other State legal considerations.” In addition, there may be liability concerns because “511 operators, both public and private, are concerned that they could face potential liability if, for example, a call transferred to a public safety answering point (“PSAPs”), the facilities that answer 911 calls for emergency assistance, is dropped during the transfer or the call is directed to a PSAP located further from the caller than another PSAP. Under these or similar scenarios, a caller needing emergency assistance could suffer an aggravated injury or, at worst, death if the 511 call center fails to transfer the call properly.”

4.1.3 Classified Information

Issues also exist concerning the classification of information. Personnel within FCs are aware of the different types of information that they are both handling and disseminating from the FC. This information can be public, sensitive, or secret. Classification types will determine how each piece of information is shared, not only with outside agencies but also among the agencies operating within the FC itself. Over-classification can present operational challenges when personnel are not able to read or pass information because the source has classified the information at a level that makes information sharing across the normal lines of communication difficult.

4.1.4 Legal Process and Rules of Evidence

When there is a potential for surveillance information and transactions like 9-1-1 calls to contain evidence that could be relevant to ongoing investigations and/or legal proceedings, enforcement agencies (and many FCs) are very cautious about release, alteration (such as redaction of privacy-sensitive information), chain-of-information “ownership,” verification, and security of information used and retained. Therefore, while it may make operational sense for an FC to receive or provide transportation-related information, this exchange can be handicapped—because the required standards of reliability and verification may be higher than practical for TMCs to meet. In comparison, practical limits exist for TMCs because they gather real-time or near-time data for (usually) non-emergency operational purposes and can, in most situations, tolerate some reliability issues because of redundant information sources and assets in the field.

4.1.5 Training Needs Assessment

TMC personnel may be called upon to physically serve in an EOC or FC to provide on-site subject-matter expertise in support of incident management activities. Preparing personnel for this type of work requires training that may be different from information analysis training or other technical training relevant to the person’s primary position.

In assessing the training needs of EOC and FC support personnel, the functional requirements discussed in the previous section must be mapped to training needs to meet these requirements. As discussed, the functional (and thereby training) requirements differ between the EOC and FC, with EOC requirements being more widely recognized than those of the FC. Appendix H includes an inventory of training resources.

4.1.5.1 Emergency Operations Centers

EOCs are typically staffed 24 hours per day by a dedicated watch responsible for monitoring potential or actual emergency situations in a given jurisdictional area. When certain threats emerge and reach a level that requires EOC “activation,” an “event team” or “incident management team” is activated and responds to the EOC to support a multi-agency, cross-functional response and recovery effort.

A large portion of the event or incident management team is comprised of predetermined ESFs, with ESF positions filled by pre-designated personnel from the ESF lead department or agency. In the case of ESF-1, personnel are typically assigned from within the jurisdiction’s transportation department, and sometimes fill this position as a collateral duty assignment. Whether a full-time or collateral duty assignment, ESF-1 personnel have specific training needs based on the nature of the ESF-1 role in overall emergency management.

Training needs must be mapped to specific requirements that are determined by overall training mandates and specific training needs based on function. In emergency management, the standardized training mandates can be traced back to Homeland Security Presidential Directive - 5 (HSPD-5), Management of Domestic Incidents, in which the development of NIMS is mandated. Published in 2004, NIMS provides “a consistent nationwide approach for Federal, State, and local governments to work effectively and efficiently together to prepare for, respond to, and recover from domestic incidents, regardless of cause, size, or complexity.” Further, as directed in HSPD-5, NIMS includes “a core set of concepts, principles, terminology, and technologies covering…training; …and qualifications and certification” in order “to provide for interoperability and compatibility among Federal, State, and local capabilities.”[51]

As further described in NIMS:

Incident management organizations and personnel at all levels of government, and within the private-sector and nongovernmental organizations, must be appropriately trained to improve all-hazards incident management capability nationwide. Incident management organizations and personnel must also participate in realistic exercises—including multidisciplinary and multijurisdictional events and private-sector and nongovernmental organization interaction—to improve integration and interoperability. Training involving standard courses on incident command and management, incident management structure, operational coordination processes and systems—together with courses focused on discipline-specific and agency-specific subject-matter expertise—helps ensure that personnel at all jurisdictional levels and across disciplines can function effectively together during an incident.[52] [Emphasis added]

Designed for Federal, State, local, and tribal governments, as well as the private sector and nongovernment organizations, NIMS serves as a means to effective coordination in emergency response and recovery operations. As such, all levels of government are encouraged to adopt NIMS through a formal process called NIMS Implementation, which outlines particular implementation steps for all levels of government and nongovernment sectors. Since most EOCs are operated at the State and local levels, the NIMS Implementation Matrix for States and Territories and the NIMS Implementation Matrix for Tribal and Local Jurisdictions provide the necessary guidance. Developed and issued by the NIMS Integration Center under FEMA, the matrices serve as a guide for specific jurisdictions to use in developing and executing NIMS-compliant preparedness and operational programs and functions.

Because transportation sector personnel would serve in an EOC as part of the interagency emergency coordination effort in support of the ICS during a response and recovery operation, transportation entities would need to ensure that assigned personnel meet the documented training and exercise requirements as outlined in the relevant matrix. Further, due to the nature of the work performed at the EOC, most EOC SOPs require that assigned personnel be employees of the represented agency with decision-making authority on behalf of that agency. These criteria, as they pertain to training requirements, indicate that assigned personnel serve, at a minimum, as middle managers within their agencies. This is important, as training requirements are based on management level and command authority of personnel.

In studying both the State and local matrices, it was concluded that the same compliance criteria exist for preparedness training and exercises as they relate to both State and local workers. As previously cited, there are two areas of training required under NIMS:

  • Standard courses (which address the NIMS requirement for incident command and management, incident management structure, and operational coordination and systems)
  • Discipline- and agency-specific subject matter expertise.

In fulfilling the “standard courses” requirements, transportation personnel assigned to the EOC must meet the following criteria as outlined in the matrix documents:

  • Complete IS-700, NIMS: An Introduction
  • Complete IS-800, National Response Plan: An Introduction
  • Complete ICS-100, Introduction to the ICS
  • Complete ICS-200, ICS for Single Resources and Initial Action Incidents
  • Complete ICS-300, Intermediate ICS for Expanding Incidents
  • Participate in a multi-discipline, multi-jurisdictional all-hazards exercise.

In addition, self-study is available through the FHWA’s Simplified Guide to the ICS for Transportation Professionals published in February 2006.

These training activities would prepare the discipline-specific specialist for support operations in the EOC environment. As such, it is assumed that the ESF-1 designee will have completed appropriate discipline- and agency-specific subject matter training, and will have gained expertise in required areas.

4.1.5.2 Fusion Centers

FC intelligence analysts are trained in law enforcement and intelligence disciplines. As part of their professional responsibilities, general intelligence analysts may be assigned to focus areas such as critical infrastructure and transportation as part of the strategic mission on countering terrorist activity. As such, transportation specialists are typically not assigned to an FC. Further, general intelligence analysts assigned to cover critical infrastructure and transportation sectors have immediate access to specific transportation centers, agencies, and personnel through interagency collaboration based on case needs.

As previously described, many FCs are operated by the principal State law enforcement agency, and are geographically located as a stand-alone operation. Many other FCs are co-located with the State TMC. In situations where the FC is not co-located, general intelligence analysts employed at the FC focus on transportation sectors as part of their overall responsibilities, and may call upon transportation industry experts for input and advice as required. In the co-location environment, FC and TMC personnel work closely on a regular basis, providing information and support daily.

Regardless of the location of the FC, transportation personnel may at some point be called upon to provide direct support to FC operations based on need and area of expertise. To adequately support FC mission requirements, transportation personnel must understand the law enforcement and intelligence environment to fully understand and provide for the mission. As such, adequate basic training on law enforcement intelligence processes is warranted. When transportation experts understand the law enforcement intelligence and analysis process, they will be better equipped to provide relevant and timely information and data that could be vital to the intelligence fusion process.

4.1.6 Training for TMC Personnel Working in EOCs and FCs

4.1.6.1 EOCs

Based on the functional and training requirements for transportation personnel working in an EOC, it is recommended that TMCs, or other appropriate transportation agencies, develop a training and certification program for emergency transportation personnel. The training program should be NIMS compliant in that personnel should be trained and certified in their respective areas of expertise. However, it is important that personnel assigned to EOCs complete the additional training and exercise participation to be fully competent in emergency operational support roles. Specifically, training for transportation specialists should include courses that provide an overview of the emergency management industry; the ICS; and the nation’s strategy for preparing for, responding to, and recovering from major incidents or disasters.

Such training may include independent study courses provided by the Emergency Management Institute, covering instruction in NIMS, NRF, and ICS.

4.1.6.2 FCs

The transportation industry is a key element in counter-terrorism and disaster response operations. As a target, the transportation infrastructure requires ongoing monitoring and protection; and as a critical element of the supply chain, the transportation infrastructure needs to be operationally maintained to support the U.S. economy and serve as a means for moving critical resources during disaster operations.

Transportation agencies must ensure that interagency coordination and collaboration with FCs are established and utilized. Such efforts will ensure that relevant information is shared with appropriate entities in a timely manner and will further solidify the cross-jurisdictional and cross-functional partnerships necessary for countering criminal and terrorist activities. Because interagency coordination is largely relationship-based, transportation agencies should designate a core group of technical experts that will collaborate with FC personnel on an ongoing basis. Similar to the ESF-1 emergency operations assignments, designated transportation specialists assigned to support intelligence operations may establish interagency relationships with State law enforcement and intelligence offices and personnel and gain general awareness of their functions and operational needs.

In preparing transportation specialists for assignments in support of law enforcement and intelligence operations, transportation agencies also need to ensure that personnel receive adequate awareness and training that will enhance support capabilities to law enforcement and intelligence operations. Specifically, transportation specialists should attend and participate in basic criminal intelligence operations, intelligence analysis, and anti-terrorism awareness and training. Most available courses are short in length, but provide the appropriate level of awareness for State and local personnel supporting multi-agency intelligence operations.

Unlike NIMS in the emergency management industry, the law enforcement and intelligence industries do not currently offer prescribed training packets for interagency liaison personnel. As such, individual States and FCs, in particular, must develop specific requirements for liaison officers based on available resources that meet the needs of the organization.


[46] U.S. Department of Justice, Privacy Act of 1974, accessed 2010.

[47] U.S. Department of Justice, 28 CFR Part 23, accessed 2010.

[48] U.S. Department of Justice. 28 CFR Part 23, Criminal Intelligence Systems Operating Policies. 1998.

[49] Jeff Sturgeon, “VDOT regional traffic management center has Virginia roads covered,” Roanoke.com, November 29, 2007, accessed 2010.

[50] State of Rhode Island Traffic Management Center, FAQs, accessed 2010.

[51] The White House, Homeland Security Presidential Directive 5.

[52] U.S. Department of Homeland Security, National Incident Management System, March 2001, p. 43.


June 2010
Publication #FHWA-HOP-09-003