1. United States
Department of Justice
2013 Criminal Justice Information Forum on Data Exchange and
Information Sharing Standards and Models
Privacy for Practitioners—Real Case Studies
Illustrating Privacy Policy Development and
Impact Assessment
February 5, 2013
Cabell Cropper, National Criminal Justice Association
Christina M. Abernathy, Institute for Intergovernmental Research
Diana Graski, National Center for State Courts
Becki Goggins, State of Alabama
Topics
• Privacy overview
• Global privacy resources
• Illinois privacy resources
• Global success stories
• Keys to success
• Technical privacy case studies and success stories
Privacy Overview
What is privacy?
• Privacy refers to individuals’ interests in preventing the
inappropriate collection, storage, use, and release of
personally identifiable information
• Privacy, as it relates to information sharing, concerns
information whose confidentiality is enforceable by law
or social norms
Privacy Overview
Civil Liberties Are
• The fundamental individual rights or freedoms, such as the freedom of speech, press, assembly, and religion, the right to due process and a fair trial, as well as the right to privacy and other limitations on the power of the government to restrain or dictate the actions of individuals
• Involve restrictions on government
Civil Rights Are
• The rights and privileges of citizenship and equal protection that the state is constitutionally bound to guarantee all citizens regardless of race, religion, sex, or other characteristics unrelated to the worth of the individual
• Civil rights involve positive or affirmative government action
Together, they are the legal protections that safeguard
individual freedom and ensure equal treatment under the law!
Privacy Overview
What Is a Privacy Policy?
What Is the Purpose of a Privacy Policy?
Privacy Overview
What Is the Difference Between a
Privacy Policy and a Security Policy?
Privacy Overview
Why do you need a privacy policy?
• “the public’s acceptance of an integrated justice information system is related to its
confidence that the government is taking measures to protect individual’s privacy
interests”
• There is “a need to educate the public as to what information about citizens is available
in the justice system and what is available to the public”
• “Privacy issues are raised when the government collects information about individuals
for investigatory purposes absent any suspicion of criminal wrongdoing . . . mere
collection of personally identifiable victim and witness information raises genuine
privacy concerns . . . factors should be identified to balance the amount of data
collected to address privacy concerns while still meeting legitimate law enforcement
needs”
• “A sound privacy policy should clearly identify appropriate uses of the information
contained in the information system”
‒ IIJIS’ Privacy Issues Confronting the Sharing of Justice Information in an Integrated Justice Environment
Privacy Overview
Reasons for Having a Privacy Policy
It’s the Right Thing to Do!
What Can Happen Without a Privacy Policy?
• Effects of Improper Practices
– Tarnish an individual’s reputation
– Personal or financial injury to individuals
– Loss of ability to share information
– Lawsuits and paying settlements or judgments
– Loss of public support and confidence
– Loss of funding and resources
– Getting shut down
– Decline in morale
From Privacy to Information Quality
• The collection and sharing of poor quality information raises
serious privacy concerns because the two concepts are
inherently linked
• Quality information plays an extremely important role in the
protection of the privacy rights of individuals
• Through cross-collaboration among local, state, tribal, and
federal justice entities, information is shared to form the
records that underlie justice decision-making
• As cross-collaboration increases, it is imperative that justice
entities address the quality of the information shared
From Privacy to Information Quality
How Can You Develop and Implement
Privacy and Information Quality
Policies and Procedures?
Global Privacy Resources
Global Justice Information Sharing Initiative—or “Global”
• Federal advisory body to nation’s chief law enforcement officer, the
U.S. Attorney General (AG)
• Supported by the Bureau of Justice Assistance (BJA) and the Office of
Justice Programs (OJP), U.S. Department of Justice (DOJ)
• Representatives from across the justice landscape, affecting the work of
more than 1.2 million justice professionals
• Global’s Advisory Committee (GAC) working groups, councils, and task
teams are formed around timely justice issues:
– Intelligence
– Infrastructure, standards, security
– Business solutions
– Privacy and information quality
Global Privacy Resources Booklet
• A road map to help justice entities
navigate the diverse privacy resources
available today
• Structured to help determine which
products to use when and for what
purpose
• Products are grouped according to their
use at each step of a Privacy Program
Cycle
• All Global Privacy Resources are
available online at
www.it.ojp.gov/privacy
Global Privacy Resources
• Step 1. Educate and Raise Awareness
– Executive Summary for Justice
Decision Makers: Privacy, Civil Rights,
and Civil Liberties Program
Development
– 7 Steps to a Privacy, Civil Rights, and
Civil Liberties Policy
Global Privacy Resources
• Step 2. Assess Agency Privacy Risks
– Guide to Conducting Privacy Impact
Assessments for State, Local, and
Tribal Justice Entities (or “PIA
Guide”)
Global Privacy Resources
• Step 3. Develop the Privacy Policy
– Privacy, Civil Rights, and Civil
Liberties Policy Development Guide
for State, Local, and Tribal Justice
Entities (Global Privacy Guide)
– Privacy, Civil Rights, and Civil
Liberties Policy Development
Template for State, Local, and Tribal
Justice Entities (SLT Policy
Development Template)
Global Privacy Resources
• Step 4. Perform a Policy Evaluation
– Privacy, Civil Rights, and Civil Liberties
Policy Development Template for
State, Local, and Tribal Justice
Entities: Policy Review Checklist
Global Privacy Resources
• Step 5. Implement and Train
– Coming Soon! Establishing a Privacy
Officer Function Within a Justice or
Public Safety Entity: Recommended
Responsibilities and Training
– The Importance of Privacy, Civil
Rights, and Civil Liberties Protections
in American Law Enforcement and
Public Safety DVD—or “Line Officer
Video”
Global Privacy Resources
• Step 5. Implement and Train
– Implementing Privacy Policy in Justice
Information Sharing: A Technical Framework
– Privacy, Civil Rights, and Civil Liberties
Compliance Verification for the Intelligence
Enterprise
– Recommendations for First Amendment-
Protected Events for State and Local Law
Enforcement Agencies (and reference card)
– Criminal Intelligence Systems Operating
Policies (28 CFR Part 23) Online Training
Global Privacy Resources
• Step 6. Conduct an Annual Review
– Privacy, Civil Rights, and Civil Liberties Policy Development
Template for State, Local, and Tribal Justice Entities:
Policy Review Checklist
Global’s Information Quality (IQ) Series
– Information Quality: The Foundation
for Justice Decision Making
– 9 Elements of an Information Quality
Program
– Information Quality Self-Assessment
Tool
– Information Quality Program Guide
– Available online at
www.it.ojp.gov/IQ_Resources
Illinois Privacy Resources
• Where do I look for existing privacy policies?
– Employee handbooks
– Concept of operations manuals
– Standard operating procedures
– Security manuals
– Memoranda of understanding
– User agreements
– State and federal statutes
Illinois Privacy Resources
• Local examples of privacy
standards and
recommendations:
• IIJIS’ Privacy Policy Guidance,
www.icjia.state.il.us/iijis/
• Illinois State Police Academy
curriculum
Illinois Privacy Resources
IIJIS Privacy Policy Subcommittee’s charge:
“Developing policies to ensure that the enhanced
sharing of justice information made possible through
advancing information technologies is carried out
in accordance with Illinois law and its citizens’
reasonable expectation of privacy”
Illinois Privacy Resources
Excerpt from IIJIS’ Mission:
“Through integrated justice information sharing we will
enhance the safety, security, and quality of life in Illinois;
improve the quality of justice, the effectiveness of programs,
and the efficiency of operations; and ensure informed
decision-making, while protecting privacy and
confidentiality of information”
Strategic Issue 3:
Serve justice, public safety, and homeland security needs
while protecting privacy, preventing unauthorized
disclosures of information, and allowing appropriate public
access
Illinois Privacy Resources
• July 27, 2010—Illinois Statewide Terrorism Intelligence
Center, Illinois State Police, successfully finalized its
comprehensive privacy policy, fully meeting all ISE Privacy
Guidelines and DHS standards
Illinois Privacy Resources
• March 11, 2011—Chicago Crime Prevention and
Information Center, Chicago Police Department, finalized
a comprehensive privacy policy that fully met the
Information Sharing Environment (ISE) Privacy Guidelines
and federal standards set by the U.S. Department of
Homeland Security (DHS)
Global Success Stories
Global Success Stories
Connect South Dakota—NGA Privacy TA Effort
“Using Global Resources, such as the SLT Policy Development Template, we
were able to ‘Connect South Dakota’ (Connect SD) law enforcement in a
statewide data exchange project, while ensuring the privacy rights and civil
liberties of the citizens we serve. Upon completion of the Connect SD privacy
policy, it was important to ensure our officers were trained on privacy
protections. To accomplish this goal, we utilized Global’s line officer training
video and First Amendment-protected event resources”
—Bryan Gortmaker, Director
South Dakota Division of Criminal Investigation
Global Success Stories
CONNECT Consortium—NGA Privacy TA Effort
“For several years, the Alabama Criminal Justice Information Center (ACJIC) has been involved in
a multi-state initiative—called CONNECT—which has served as a proof-of-concept for sharing rich
criminal justice information across state lines. Since its inception, the CONNECT leadership has
recognized the importance of adopting a strong privacy and civil liberties policy to govern usage of
CONNECT. Thanks to the Global SLT Policy Development Template and the Global Privacy Impact
Assessment Guide, CONNECT was able to craft a model policy to meet the needs of the member
states (Alabama, Kansas, Nebraska and Wyoming). Despite the fact that each state has its own
set of governing laws and policies concerning the sharing of criminal justice information, the
Global templates were robust enough to allow for the creation of a single policy to govern
CONNECT usage”
—Maury Mitchell, Director, Alabama Criminal Justice Information Center
Global Success Stories
• Hawaii Integrated Justice Information Sharing (HIJIS)
Program—NGA Privacy TA Effort
• Indiana Data Exchange (IDEx)
• 77 DHS Designated Fusion Centers and 15 Regional Nodes
Global Success Stories
Alabama Fusion Center
“DOJ’s OJP Web site pertaining to Global Privacy Resources, www.it.ojp.gov/privacy, is
an amazing resource and I highly recommend it to anyone that wants to learn more
about privacy, civil rights, and civil liberties. The site is designed to help with all
aspects of the Privacy Program Cycle, including providing all the materials necessary
to develop a comprehensive privacy policy or to evaluate an existing policy. As a
relatively new Fusion Center Director, privacy was one of the first areas that I focused
on and this site provided all the materials necessary to help create our
program. Thanks to the DOJ subject matter experts who developed this site!”
—Joe B. Davis, Ph.D., Director, Alabama Fusion Center
Keys to Success
• Executive sponsorship
• Input from stakeholders
• Designation of privacy officer
• Ongoing training and review
Technical Privacy: Resources and Success
Stories
• Business drivers for technical privacy enforcement:
– From user’s perspective, too many user IDs and rules to manage
– From technologist’s perspective, too many users and rule
changes to manage
– From enterprise’s perspective, policy experts cannot manage
policy’s implementation in applications and cannot reasonably
audit for compliance
• Solution: Global’s Privacy Policy Technical Framework
Benefits of External Authentication
• From a user’s perspective, single sign-on
• From a technologist’s perspective, application no longer
contains user sign-on logic, and user tables are managed
elsewhere
• From the enterprise’s perspective, trusted, shared
standards for identity proofing and provisioning and
deprovisioning users
Benefits of External Authentication
• From a user’s perspective, not much impact
• From a technologist’s perspective, application no longer
contains authorization logic
• From the enterprise’s perspective, policy experts now
manage access-control policies, revised policies are
implemented immediately across the suite of
applications, and compliance tools can be implemented
on audit data
Learn More: TechnicalPrivacyTraining.org
• Executive briefing video
• Interactive primer (seven 15-minute modules)
• Readiness assessment (with case studies, surveys, and
tailored recommendations for next steps)
• Implementation Guide (for your developers, with XACML
lessons and a virtual machine)
• Resources
• Request for technical assistance
A privacy and civil liberties policy is a written, published statement that articulates an agency’s policy position on how it handles the personally identifiable information it gathers and uses. The purpose of a privacy and civil liberties policy is to articulate publicly that the agency will adhere to legal requirements and agency policy decisions that enable gathering and sharing of information to occur in a manner that protects personal privacy and civil liberties interests.
A privacy policy addresses the handling of PII which, depending on the agency, may include criminal history records, public records, wants and warrants, sentencing, adjudication and disposition information, intelligence information, tips and leads, suspicious activity reports (or “SARs”), terrorism-related information, and others.
A comprehensive privacy policy will address:
• Governance
• Information Collection
• Information Quality
• Collation and Analysis
• Merging Records
• Access and Disclosure
• Redress
• Security
• Retention and Destruction
• Accountability and Enforcement
• Training
Privacy and security both relate to the handling of data and information, but they have different implications. Security relates to how an organization protects information during and after collection, whereas privacy addresses why and how information is collected, handled, and disclosed and is also concerned with providing reasonable quality control. Security policies alone do not adequately address the privacy, civil rights, civil liberties, and IQ issues. A security policy implements privacy policies by ensuring compliance. A security policy, therefore, may be incorporated within a privacy policy but, by itself, does not adequately address the protection of personally identifiable information or the requirements of a privacy policy in its entirety.
Why do you need a privacy policy? Here are a few reasons, as stated in Privacy Issues Confronting the Sharing of Justice Information in an Integrated Justice Environment, by the Illinois Integrated Justice Information System.
A privacy policy allows agencies to be proactive and to train their personnel on the issues that might arise in the gathering and sharing of information.
A privacy policy helps build public trust. A privacy policy that is available to the public helps ensure public confidence in the handling of personal information.
Having a good privacy and civil liberties policy and ensuring adherence to its protections is important because of the law enforcement oath to support and uphold the Constitution.
It is the right thing to do.
Justice example: errors in the recording of a defendant’s record may adversely affect court decisions and restitution and treatment options and, if the defendant is a juvenile, can also transfer into adult records, if applicable.
Good privacy policies address the quality of the information the entity handles through information quality processes and policies, such as:
• Data quality reviews
• Procedures for error correction
• Process for error reporting to agencies that originate and receive information
The Global Justice Information Sharing Initiative, or Global, serves as a Federal Advisory Committee (FAC) and advises the U.S. Attorney General on justice information sharing and integration initiatives. Global is a “group of groups,” representing more than 32 independent organizations of law enforcement, judicial, correctional, and related bodies. Its mission is the efficient sharing of data among justice entities, which is at the very heart of modern public safety and law enforcement. GAC’s efforts have a direct impact on the work of more than 1.2 million justice professionals.
Global was created to:
• Support the broad-scale exchange of pertinent justice and public safety information
• Promote standards-based electronic information exchange
• Provide the justice community with timely, accurate, complete, and accessible information in a secure and trusted environment
The GAC facilitates working groups/councils/task teams consisting of GAC members and SMEs to develop solutions to timely justice issues: intelligence, infrastructure, standards, security, business solutions, privacy, and information technology.
Writing a privacy policy is important, but it isn’t the only step an entity needs to take to protect privacy. It’s just one in a series of steps comprising an entity’s privacy protection efforts—or Privacy Program Cycle, as illustrated here, whose steps are:
• Educate and raise awareness
• Assess agency privacy risks
• Develop the privacy policy
• Perform a policy evaluation
• Implement and train
• Conduct an annual review
Global developed a Global Privacy Resources booklet (available on the resource table here today) as a useful road map to help justice entities navigate the privacy awareness, risk assessment, policy drafting, and implementation and training products available today. The booklet is structured to help the reader determine which products to use when and for what purpose. All of these resources, and more, are featured online at www.it.ojp.gov/privacy.
The Executive Summary for Justice Decision Makers can be used as an awareness overview or as a training tool for understanding the importance of privacy protections within justice agencies, learning basic privacy concepts and privacy risks, and clarifying steps needed to establish privacy protections.
The 7 Steps to a Privacy, Civil Rights, and Civil Liberties Policy resource is designed for both justice executives and agency personnel and educates readers on the seven basic steps associated with preparing for, drafting, and implementing a privacy policy. Also featured is an overview of the core concepts (or chapters) that an agency should include in the written provisions of a privacy policy.
The Guide to Conducting Privacy Impact Assessments for State, Local, and Tribal Information Sharing Initiatives—or PIA Guide—was developed to assist practitioners in examining the privacy implications of their information systems and information sharing collaborations. Completing a PIA will help practitioners identify vulnerabilities that need to be addressed in privacy protection policies and procedures. Privacy policies emerge as a result of the analysis performed during the PIA process.
Privacy, Civil Rights, and Civil Liberties Policy Development Guide for State, Local, and Tribal Justice Entities—or the Privacy Guide:
• Is a practical resource for SLT justice practitioners.
• Provides well-rounded instruction for the planning, education, development, and implementation of agency privacy protections to protect the justice agency, the individual, and the public.
• Educates readers on foundational privacy concepts.
• Helps clarify an agency’s information exchanges.
• Provides guidance on how to perform a legal analysis.
• Includes policy drafting tools, such as a policy template (described next), a glossary, legal citations, and sample policies.
Privacy, Civil Rights, and Civil Liberties Policy Development Template for State, Local, and Tribal Justice Entities—or the SLT Policy Development Template:
• Is contained in the Privacy Guide described above.
• Is a tool designed specifically to walk policy authors through each step of the policy language drafting process.
• Groups the suggested policy language (or “provisions”) according to policy concepts, each representing a fundamental component of a comprehensive policy.
• Provides sample language for each recommended provision.
The Policy Review Checklist is a companion resource to the SLT Policy Development Template. This checklist:
• Provides privacy policy authors, project teams, and agency administrators with a tool to evaluate whether the provisions contained within an agency privacy policy have met the core recommendations in the privacy template.
• May be used during the drafting process to check work on the draft policy or during the final review of the policy.
• May also be used to perform the policy’s annual review (discussed in Stage 6) to determine if revisions are needed.
An implementation “focused” deliverable which includes:
• “Do I Need a Privacy Officer Function” discussion with real-world examples,
• Alternatives for smaller agencies that cannot establish a full-time privacy officer,
• Suggested qualifications for privacy officers,
• Recommended responsibilities, and
• A listing of available education/awareness products and training resources.
The Importance of Privacy, Civil Rights, and Civil Liberties Protections in American Law Enforcement and Public Safety DVD—or Line Officer Video—is an 8-minute roll call video to educate line officers on the privacy issues they may confront.
The following are only “some” of the implementation and training resources featured in the Global Privacy Resources series:
• Implementing Privacy Policy in Justice Information Sharing: A Technical Framework helps technical practitioners convert privacy policies into computer and software language.
• Privacy, Civil Rights, and Civil Liberties Compliance Verification for the Intelligence Enterprise assists intelligence enterprises in complying with privacy policies by evaluating compliance with those policies, uncovering any gaps that exist.
• Recommendations for First Amendment-Protected Events for State and Local Law Enforcement Agencies provides guidance to law enforcement on their roles and responsibilities in First Amendment-protected events. (Both the guide and pocket reference card are available on the resource table here today.)
• The Criminal Intelligence Systems Operating Policies (28 CFR Part 23) Online Training was developed to facilitate greater understanding of 28 CFR Part 23 and includes topics such as compliance, privacy, inquiry, and dissemination requirements; storage requirements; and review-and-purge requirements.
Applying the guidance described in the Privacy Guide, justice entities are encouraged to review and update the provisions protecting privacy, civil rights, and civil liberties contained in the privacy policy at least annually using the annual review portion of the Policy Review Checklist, referenced earlier in Stage 4. This update will ensure that appropriate changes are made in response to changes in applicable laws, technology, the purpose and use of the information systems, and public expectations. Once the policy is updated, entities should revisit the resources listed in each stage of the privacy program cycle. This will ensure that systems and individuals comply with the most current protections established in the entity privacy policy.
Good information quality is the cornerstone for sound agency decision making and inspires trust in both the justice system and the law enforcement entities that use information.
In addition to Global’s Privacy Resources, Global also developed an information quality series which follows a similar sequential approach: raise awareness, perform an assessment, and develop policy and program. These resources are:
• Information Quality: The Foundation for Justice Decision Making
• 9 Elements of an Information Quality Program
• Information Quality Self-Assessment Tool
• Information Quality Program Guide
An overview flyer is available on the resource table here today.
In preparation for writing a privacy policy, it is important to determine what policies, rules, and regulations already exist.
For example, policies on the handling of personally identifiable information that may be accessed in an agency database, as well as sanctions for violations, may be described in an employee handbook.
Rules for building security, the security of computer systems, the assignment and use of user IDs, and other system access protocols may be described in ConOps, SOPs, and security manuals.
Conditions for sharing or exchanging information from an agency database with external entities may be listed in MOUs or user agreements.
As always, state and federal statutes should be consulted for regulations on public records (such as sunshine and open records law), criminal histories, intelligence information, and rules regarding redress and correction of information.
In a report for Illinois justice agencies, the Illinois Integrated Justice Information System—or “IIJIS”—developed Privacy Policy Guidance to help Illinois justice agencies develop privacy policies for their integrated justice information systems. This report describes the public's privacy concerns and provides recommendations to justice practitioners and system designers about how to address those concerns.
Another area where privacy, civil rights, and civil liberties instruction is provided is in the curriculum for the Illinois State Police Academy’s Cadet Class, whose topics include:
• Civil Rights and Civil Liberties
• Criminal Law
• Ethical Conduct in a Diverse Workplace
• Facing Moral Decisions, and
• Rights of the Accused
IIJIS’ Planning and Policy Committee established the Privacy Policy Subcommittee to develop guidance and policies that would govern the sharing of justice information both among justice agencies and with the public. The subcommittee is charged with:“Developing policies to ensure that the enhanced sharing of justice information made possible through advancing information technologies is carried out in accordance with Illinois law and its citizens’ reasonable expectation of privacy.”
It’s important to note that when developing a privacy policy, peer assistance can be of utmost value. Here in Illinois, two entities successfully developed comprehensive privacy policies that fully met the U.S. Department of Homeland Security’s (DHS) requirements and were determined by DHS to be “at least as comprehensive as the Information Sharing Environment (ISE) Privacy Guidelines.” These entities used Global’s Privacy Policy Development Template to draft their policies and would be excellent sources for peer assistance.
The first is the Illinois Statewide Terrorism Intelligence Center, which is part of the Illinois State Police. On July 27, 2010, this center successfully finalized its privacy policy and received full approval through the U.S. Department of Justice (DOJ)/DHS Fusion Center Privacy TA Program, complying with all ISE Privacy Guidelines and DHS standards.
The Global Privacy Policy Development Template encompasses all DHS and ISE requirements.
The second is the Chicago Crime Prevention and Information Center (CPIC), part of the Chicago Police Department. On March 11, 2011, CPIC’s policy also received full approval as being in compliance with federal requirements.
HIJIS:
• Is a statewide justice information sharing system which integrated their state court system
• Received privacy TA from NGA’s Center for Best Practices through a Policy Academy
• Used the PIA Guide and the SLT Privacy Policy Development Template
IDEx:
• Is managed by the Indiana Department of Homeland Security (IDHS)
• Received privacy TA sponsored by the Bureau of Justice Assistance
• Used the PIA Guide and the SLT Policy Development Template, as well as many of the Global technical solutions and the National Information Exchange Model (NIEM)
Fusion Centers:
• Received privacy TA and policy review assistance through the DOJ/DHS collaborated Fusion Process Technical Assistance Program
• 92 fusion center policies were completed (77 being DHS-designated fusion centers and 15 being regional nodes). These were determined by DHS to be “at least as comprehensive as the Information Sharing Environment (ISE) Privacy Guidelines”
• Utilized the Fusion Center Privacy Policy Development Template, which addresses intelligence information, tips and leads, as well as suspicious activity reporting information
You need leadership to make this happen, and you need buy-in from users of the system. You also need to have a person tasked with getting the policy done! Finally, you need to engage in ongoing training and awareness efforts, and you need to constantly review policies to make sure they account for new systems, laws, and technologies.
Traditional legacy application: all user authentication and authorization logic is hard-wired inside the application and must be maintained there. Audit logs are siloed, one per application.
First milestone is external user authentication. Treat identity credentialing and authenticating as a service that all of the applications in the information-sharing enterprise can share. This can take several forms. For example, the 4-state Connect project created a federation, meaning that each information-sharing partner maintains its own user tables and then passes those credentials to the other partners. In Orange County, California, user tables are maintained centrally, and then each application in the County pings that Identity Manager. Identity management tools are widely available. Are you familiar with the use of Active Directory in Illinois?
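The federation arrangement described above, in which each partner keeps its own user table and the application holds only a list of trusted partners, sketched as an added example (not code from the presentation or from the CONNECT project). The partner names, keys, users, and the HMAC-signed token format are constructed assumptions; production federations typically rely on standards such as SAML with asymmetric signatures.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (assumption): each partner keeps its OWN user table and key.
PARTNER_USERS = {
    "state-a": {"jdoe": {"role": "investigator"}},
    "state-b": {"asmith": {"role": "analyst"}},
    "state-c": {"mlee": {"role": "analyst"}},
}
PARTNER_KEYS = {
    "state-a": b"constructed-key-a",
    "state-b": b"constructed-key-b",
    "state-c": b"constructed-key-c",
}

# The application has no user table and no sign-on logic, only the keys of the
# partners it has agreed to trust. "state-c" has not joined the federation.
TRUSTED_ISSUERS = {p: PARTNER_KEYS[p] for p in ("state-a", "state-b")}


class AssertionRejected(Exception):
    """Raised when an identity assertion cannot be issued or accepted."""


def sign_body(key, body):
    """Hex HMAC-SHA256 over the encoded claims (stand-in for a real signature)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_assertion(partner, username, now, ttl=300):
    """Partner side: look the user up locally, then vouch for them for ttl seconds."""
    user = PARTNER_USERS[partner].get(username)
    if user is None:  # deprovisioned or never provisioned at the home agency
        raise AssertionRejected("unknown user at issuing partner")
    claims = {"iss": partner, "sub": username, "role": user["role"],
              "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + sign_body(PARTNER_KEYS[partner], body)


def verify_assertion(token, now, audit_log):
    """Application side: accept only an unexpired assertion signed by a trusted partner."""
    def reject(reason):
        audit_log.append({"time": now, "decision": "deny", "reason": reason})
        raise AssertionRejected(reason)

    try:
        body_text, signature = token.split(".")
        body = body_text.encode()
        claims = json.loads(base64.urlsafe_b64decode(body))
        issuer, subject, expires = claims["iss"], claims["sub"], claims["exp"]
    except (ValueError, KeyError, TypeError):
        reject("malformed assertion")
    # Claims stay untrusted until the signature checks out against the trust list.
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        reject("issuer not in trust list")
    if not hmac.compare_digest(sign_body(key, body).encode(), signature.encode()):
        reject("bad signature")
    if now >= expires:
        reject("assertion expired")
    audit_log.append({"time": now, "decision": "permit", "iss": issuer, "sub": subject})
    return claims


if __name__ == "__main__":
    log = []
    token = issue_assertion("state-a", "jdoe", now=1000)
    print(verify_assertion(token, now=1100, audit_log=log))
    print(log)
```

Every permit and deny lands in one shared audit list rather than a per-application silo, and removing a user from the home partner's table stops new assertions for every application at once.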