You pull up a criminal history record on a potential hire. It’s right there in the system. Easy. But using it? That’s where people get into trouble.
It happens all the time. Someone runs a check, finds an old arrest, and makes a hiring decision based on it. Or an agency shares a snippet of information with the wrong party because they thought "criminal justice information" meant it was open game. That’s not how it works. Access to and use of CJI and CHRI isn't a free-for-all. It’s governed by strict rules, privacy laws, and legitimate purpose requirements.
If you’re handling these records—whether you're in law enforcement, HR, or compliance—you need to understand the boundaries. Not just the technical ones, but the legal and ethical ones. Because a mistake here isn't just a policy violation. It can be a lawsuit waiting to happen.
What Is CJI and CHRI
Let’s get the acronyms straight, because people mix them up constantly.
CJI stands for Criminal Justice Information. It includes everything from NCIC (National Crime Information Center) hits to wiretap data, fugitive files, and court documents. Think of it as the broad category. It’s the stuff that moves between agencies—local cops talking to the feds, state police sharing data with the FBI.
CHRI is Criminal History Records. This is usually the state-level stuff. The rap sheet. The repository of arrests, convictions, and sentencing data held by your state’s department of justice or public safety.
Here’s the short version: CJI is the ecosystem. CHRI is the specific document inside that ecosystem.
The Difference in Practice
In practice, the distinction matters more than you'd think. CJI often comes with tighter controls because it’s tied to federal systems (NCIC/NLETS). If you query NCIC without a legitimate law enforcement purpose, you’re violating federal guidelines.
CHRI is often more accessible on the state level, but "accessible" doesn't mean "usable for anything." State repositories have their own statutes about who can query them and what the results can be used for.
Why the Distinction Matters
Why does this matter? Because the rules for CJI are usually stricter than the rules for general background checks. If you’re an employer running a check through a consumer reporting agency, you’re dealing with FCRA (Fair Credit Reporting Act) rules, not necessarily CJI/CHRI privacy laws. But if you're accessing the raw state repository directly? That’s CHRI. And that’s where things get tricky.
Why It Matters / Why People Care
Most people assume that if data exists, it can be used. That’s the default assumption in a world of Google searches and public records requests. But criminal justice data is different.
It’s sensitive. It touches on someone’s liberty, reputation, and privacy.
When you access CJI and CHRI, you are accessing data that, in many cases, is protected by specific privacy statutes. In the US, the Privacy Act of 1974 covers federal systems, but state laws often go further. They restrict how you can disseminate information.
What Happens When You Get It Wrong
Real talk: the consequences are real. Agencies have lost accreditation. Officers have faced internal discipline. HR departments have faced lawsuits. It usually comes down to one thing: using the information for a purpose they weren't authorized for.
For example, let's say you're a sheriff's office. You run a name through NCIC. You get a hit—a warrant in another state. You take action based on that hit. Great. Legitimate use.
Now, imagine you run that same name through the system because you heard a rumor a coworker was “sketchy.” You pull the record, discover an old misdemeanor from 1998, and then decide not to promote the employee. That’s a misuse of CJI, and it can trigger federal penalties, civil lawsuits, and even criminal contempt charges.
The Legal Landscape: A Quick Reference
| Jurisdiction | Data Type | Primary Statute / Regulation | Typical Authorized Users | Typical Permitted Uses |
|---|---|---|---|---|
| Federal (NCIC) | CJI | 28 C.F.R. §§ 23.2‑23.8 (FBI) | Law enforcement, courts, authorized contractors | Arrest, prosecution, flight‑risk assessment, victim protection |
| Federal (NLETS) | CJI | 28 C.F.R. §§ 23.2‑23.8 (FBI) | Same as NCIC + certain state agencies | Same as NCIC |
| State (CHRI) | CHRI | State‑specific criminal‑history statutes (e.g., Cal. Penal Code §§ 11170‑11178) | State police, DOJ, certain licensing boards | Background checks for licensing, employment (when permitted), sentencing, parole decisions |
| Private Sector | Consumer‑report data | Fair Credit Reporting Act (15 U.S.C. §§ 1681‑1681x) | Consumer reporting agencies (CRAs), employers, landlords (with consent) | Employment, housing, credit, volunteer work (with proper disclosure) |
| Public‑record request | Non‑CJI public data | Freedom of Information Act (5 U.S.C.) | | |
Bottom line: If the data you’re pulling is part of the NCIC/NLETS or a state CHRI, you’re dealing with criminal justice information and must treat it according to the stricter statutes that govern that ecosystem.
Real‑World Scenarios: How the Rules Play Out
1. The Employer Who Went Too Far
Scenario: A regional retailer runs a background check through a third‑party CRA. The report flags a “pending felony” that turns out to be a federal NCIC warrant that the CRA is not authorized to disclose.
Outcome: The employee sues under the FCRA and the federal Privacy Act. The retailer settles for $150,000 and implements a new policy that only CRA‑certified reports are used, never raw NCIC data.
Lesson: Federal CJI cannot be obtained via consumer‑report channels. If a CRA presents something that looks like a warrant, they are likely violating both the CRA’s certification and the employer’s compliance obligations.
2. The Sheriff Who Misused a CHRI
Scenario: A county sheriff’s office runs a CHRI query on a local business owner to “see if they have a criminal past” before awarding a contract.
Outcome: The state DOJ issues a cease‑and‑desist, citing the state’s criminal‑history statutes that limit CHRI use to law‑enforcement, licensing, and court‑ordered purposes. The sheriff’s office faces a $25,000 fine and mandatory training.
Lesson: Even at the state level, CHRI is not a free‑for‑all background check. The purpose limitation is a hard line.
3. The Journalist’s FOIA Win
Scenario: An investigative reporter files a state FOIA request for “all arrest records” related to a high‑profile protest.
Outcome: The state releases the public‑record portion (arrest logs, booking photos) but withholds the CJI elements (e.g., pending warrants, confidential informant status) citing the “law‑enforcement investigative material” exemption.
Lesson: FOIA can be a powerful tool, but it does not override the privacy protections built into CJI/CHRI. Expect redactions.
Best Practices for Anyone Touching Criminal Justice Data
- Know Your Role – Are you a law‑enforcement officer, a licensing official, an employer, or a private citizen? Your authorized uses flow directly from that designation.
- Identify the Source – Is the data coming from NCIC, NLETS, a state CHRI system, or a consumer‑report agency? Each source has its own compliance checklist.
- Document the Purpose – Before you query, write down why you need the information. If the purpose isn’t listed in the governing statute, you likely need higher‑level authorization.
- Limit Dissemination – Share the data only with individuals who have a need‑to‑know and are themselves authorized. Use secure transmission methods (encrypted email, sealed hard copies).
- Retention Policies – Most statutes require you to destroy the data after a specific period (often 30‑90 days) unless it’s needed for an ongoing investigation or legal proceeding.
- Training & Auditing – Conduct annual refresher courses on CJI/CHRI handling, and schedule random audits to catch inadvertent misuse before it becomes a liability.
- Seek Legal Counsel – When in doubt, involve your agency’s legal office or an external attorney familiar with criminal‑justice privacy law. A quick consult can prevent a costly breach.
The Future: Technology, Reform, and the Blurring Lines
The digital age is accelerating the convergence of federal and state criminal‑justice databases. Projects like the National Integrated Ballistics Information Network (NIBIN) and the National Sex Offender Registry are already pulling data from both CJI and CHRI sources into single dashboards accessible to dozens of agencies.
At the same time, bipartisan reform efforts—spurred by concerns over “ban the box,” mass incarceration, and data‑driven policing—are pushing for:
- Greater Transparency: Some states are mandating that individuals receive a copy of their CHRI upon request, with clear explanations of how it can be used.
- Stricter Purpose Limitations: Bills like the Federal Law Enforcement Access Reform Act (proposed) would tighten who can query NCIC and for what reasons, adding an “audit‑trail” requirement for every search.
- Data Minimization: Emerging guidelines from the National Institute of Justice (NIJ) encourage agencies to store only the data necessary for a given case, reducing the risk of over‑collection.
These reforms aim to balance two competing public interests: public safety (the legitimate need for law‑enforcement agencies to share timely, accurate information) and individual privacy (the right to not be perpetually haunted by old or irrelevant offenses).
For practitioners, the takeaway is clear: stay ahead of the policy curve. Subscribe to updates from the FBI’s Criminal Justice Information Services (CJIS) Security Policy portal, monitor state legislative sessions, and participate in inter‑agency working groups that discuss data governance.
Conclusion
Understanding the distinction between Criminal Justice Information (CJI) and Criminal History Records Information (CHRI) isn’t an academic exercise—it’s a daily operational reality for anyone who touches law‑enforcement data. CJI lives in the tightly regulated federal ecosystem (NCIC, NLETS) and carries the heaviest compliance burden. CHRI resides at the state level, still protected but governed by a patchwork of statutes that vary from one jurisdiction to the next.
Misusing either can result in federal penalties, civil lawsuits, loss of accreditation, and—most importantly—real harm to the individuals whose records are being examined. By recognizing the source of the data, aligning your purpose with statutory allowances, and instituting rigorous handling protocols, you can work through this complex terrain responsibly.
As technology continues to knit together federal and state databases, the line between CJI and CHRI will blur, but the underlying principle remains: data is power, and with power comes the duty to protect privacy, ensure accuracy, and respect the legal limits of its use. Keep those principles front and center, and you’ll stay on the right side of the law—while still doing the vital work of keeping our communities safe.