State police departments serve as the primary gateway for many background checks and fingerprinting services that underpin public safety, employment screening, and licensing decisions. The authority to collect, store, and share biographical and biometric data is not a blank check—it is circumscribed by a dense network of state and federal statutes, administrative rules, and constitutional protections. Understanding the legal procedures that govern these activities is essential for law enforcement officials, human resources professionals, legal counsel, and individuals who undergo background checks. This article provides a comprehensive analysis of the legal framework, step-by-step procedures, privacy safeguards, and best practices that define how state police conduct background checks and fingerprinting.

State Statutory Authority

Every state legislature enacts specific laws that grant state police the authority to perform background checks and fingerprinting. These statutes typically identify the types of checks permitted (e.g., criminal history, driving records, employment background), the individuals or entities that can request them (employers, licensing boards, volunteer organizations), and the permissible uses of the collected data. For example, many states have enacted laws requiring fingerprint-based background checks for individuals working with vulnerable populations such as children, the elderly, or disabled persons. The National Association of State Directors of Law Enforcement Training (NASDLET) provides model standards that many states adopt, but actual procedures vary by jurisdiction.

Federal Law Interplay

State police background checks do not operate in a vacuum. The Federal Bureau of Investigation’s Criminal Justice Information Services (CJIS) Division maintains the national criminal history database. To access FBI records, state agencies must enter into a formal agreement and comply with the National Crime Prevention and Privacy Compact (NCPPC) of 1998. Under the Compact, state police may request criminal history records for noncriminal justice purposes such as employment and licensing, but only if the applicant provides written consent and the request is authorized by state statute. Additionally, the Fair Credit Reporting Act (FCRA) applies to any background check conducted by a third-party consumer reporting agency—though many state police agencies operate directly, they still must heed FCRA’s notice and dispute provisions when their reports are used for employment decisions.

Constitutional Constraints

The Fourth Amendment protects individuals against unreasonable searches and seizures. While fingerprinting has historically been considered a minimal intrusion (see Davis v. Mississippi, 394 U.S. 721 (1969)), the collection of biometric data in non-criminal-justice settings must still be reasonable. Courts have generally upheld fingerprinting as a legitimate governmental interest when accompanied by statutory authority and individual consent. However, the legal landscape is evolving, particularly with the rise of digital databases and concerns over biometric privacy—state laws such as Illinois’ Biometric Information Privacy Act (BIPA) have set new standards for notice and consent.

Procedures for Conducting Background Checks

Before initiating a background check, state police must confirm the identity of the requesting party and the subject of the check. For employment and licensing checks, the subject must provide valid government-issued identification—typically a driver’s license or passport—and sign a written consent form. The consent form must clearly state the purpose of the check, the types of records to be searched (criminal, employment, education), and the agencies that will receive the information. Many states require that the form be notarized or witnessed. The Federal Trade Commission provides guidance on the scope of consent under the FCRA, and state police agencies routinely incorporate those standards to avoid liability.

Selecting the Appropriate Database

Not all background checks are created equal. State police often have access to multiple tiers of data:

  • State criminal history repository – maintained by the state police themselves, containing arrest records, convictions, and sometimes non-conviction data.
  • FBI Criminal Justice Information Services (CJIS) – a national database of criminal history records contributed by federal, state, and local agencies.
  • National Sex Offender Public Registry (NSOPR) – searchable for sex offender status.
  • State-specific databases – e.g., child abuse registries, foster care exclusion lists.

State law determines which database(s) must be queried for a given purpose. For instance, a background check for a school bus driver may require both a state and FBI fingerprint-based check, while a volunteer coach may only need a state name-based check. The U.S. Department of Justice has issued detailed regulations governing access to FBI records (28 C.F.R. Part 20). State police must follow these regulations to ensure legal compliance and data integrity.

Once consent is obtained and the appropriate databases identified, state police technicians execute the search. For name-based checks, the system matches biographical data—name, date of birth, social security number—against criminal records. For fingerprint-based checks, the prints are electronically captured and transmitted to the automated fingerprint identification system (AFIS), both at the state level and to the FBI’s Integrated Automated Fingerprint Identification System (IAFIS). The search algorithms produce a list of potential matches, which are then reviewed by trained examiners to confirm the identity match. Under the National Child Protection Act, states that receive federal funding for background checks in child-care settings must use fingerprint checks for those positions.

Reporting the Results

State police are obligated to report results accurately and promptly. Typical turnaround times range from 24 hours to several weeks, depending on the complexity and volume. Reports are typically transmitted to the requesting entity (e.g., a school district, licensing board, employer) with a notation of any criminal records found. Many states provide an individual’s right to receive a copy of the report, often at no cost, and to challenge inaccuracies through an administrative review or expungement process. The Privacy Act of 1974 also applies to federal records maintained in the CJIS system, granting individuals access to their own records and the ability to request amendments.

Fingerprinting is a biometric collection that requires explicit, informed consent. Consent must be given voluntarily, without coercion, and the individual must understand how the prints will be used, stored, and shared. In many states, the consent form must state: “I authorize the state police to collect my fingerprints and transmit them to the FBI for the purpose of conducting a criminal history background check.” The Illinois Biometric Information Privacy Act (BIPA), one of the strictest biometric privacy laws, mandates that private entities (and in some interpretations, government agencies) must obtain written consent, disclose retention schedules, and prohibit profiting from biometric data. Other states, such as Texas and Washington, have similar laws that state police agencies must navigate carefully.

Fingerprinting Techniques and Equipment

State police employ certified fingerprint technicians who use either ink-and-roll or livescan digital systems. Livescan devices capture fingerprints electronically, eliminating the smudging and distortion common with traditional ink cards. The Federal Bureau of Investigation mandates that all fingerprints submitted to CJIS for criminal background checks must meet the Electronic Fingerprint Transmission Specification (EFTS) standards. State police agencies often maintain their own livescan equipment at regional offices and may also contract with private vendors (e.g., IdentoGO, MorphoTrust) to provide fingerprinting services. Legal procedures require that all equipment be validated regularly to ensure accuracy and that technicians receive ongoing training in legal and ethical standards.

Transmission to the FBI

When a fingerprint check requires a federal search, the state police must transmit the prints electronically to the FBI via CJIS. The transmission must be encrypted and authenticated. The FBI then performs a search against its national database and returns a criminal history record (rap sheet) to the authorized state agency. The state police are responsible for handling the returned data securely and only sharing it with the entity that requested the check. The CJIS Security Policy provides detailed requirements for how fingerprint data must be stored, transmitted, and disposed of, including requirements for two-factor authentication, audit logs, and background checks for all personnel who have access to CJIS systems.

Storage and Retention of Fingerprint Data

Once fingerprint data is collected, state police must follow strict retention policies. Some states permanently retain the fingerprint records of individuals who have been fingerprinted—whether for employment, licensing, or criminal justice purposes. Others require deletion after the background check is completed and a determination made. The National Institute of Standards and Technology (NIST) has published timeframes for retention in various contexts, but state law ultimately governs. For example, California’s Penal Code § 11105 requires the state Department of Justice to retain fingerprint images indefinitely for all individuals fingerprinted for criminal justice purposes, while non-criminal justice prints may be purged after a set number of years. State police must maintain clear audit trails to demonstrate compliance with retention rules and to expunge records when required by law or court order.

Authorized Access and Need-to-Know

Access to background check and fingerprint data is strictly limited to personnel who have a legitimate “need-to-know” for law enforcement or administrative purposes. State police must implement access controls, including role-based permissions, audit logging, and periodic security awareness training. Under 28 C.F.R. Part 20.33(b), dissemination of FBI records is prohibited except as authorized by the NCPPC and state law. Unauthorized access or dissemination can result in civil penalties, criminal sanctions, and loss of access to CJIS systems.

Data Retention Schedules

Legal procedures require that background check reports and fingerprint data be retained only so long as necessary. Many states have specific retention periods:

  • 3–7 years for employment-related background checks after the employment relationship ends.
  • Indefinitely for criminal justice investigations and prosecutions.
  • Purge upon court order for cases where records have been expunged or sealed.

The Federal Records Act imposes additional retention requirements on agencies that receive federal funds. State police should adopt a written retention policy that is publicly available and reviewed annually. Failure to adhere to retention schedules can expose the agency to lawsuits under state privacy acts or the Government in the Sunshine laws that require transparency.

Notification Requirements

When a background check reveals adverse information—such as a criminal conviction—the requesting entity must provide the individual with a copy of the report and a description of their rights under the FCRA before taking adverse action. This is known as pre-adverse action notification. State police agencies that directly supply the report to the individual may also be required to provide notice if the report contains non-conviction data, as some state laws prohibit the consideration of arrests that did not lead to convictions. For example, the Ban the Box movement, which delays inquiries into criminal history until later in the hiring process, is now law in over 30 states. State police procedures must align with these requirements by providing clear documentation that separates conviction data from arrest-only data.

Compliance with Federal and State Privacy Laws

  • Fair Credit Reporting Act (FCRA) – governs the use of third-party background reports; state police are often exempt if they conduct checks directly, but if they contract with a consumer reporting agency, FCRA applies.
  • Family Educational Rights and Privacy Act (FERPA) – limits the sharing of student educational records without consent.
  • Health Insurance Portability and Accountability Act (HIPAA) – protects medical records; relevant if a background check includes drug testing or medical history.
  • State biometric privacy laws – e.g., BIPA, Texas Capture or Use of Biometric Identifier Act, Washington Biometric Privacy Law.
  • State criminal history record laws – many states restrict the disclosure of non-conviction data or records that have been sealed.

Appeals and Disputes

Individuals who believe their background check report is inaccurate have the right to dispute the information. State police must provide a formal mechanism for challenging criminal history records. Under the FBI’s National Crime Information Center (NCIC) appeal process, an individual can request a copy of their FBI record and, if they find errors, file a dispute directly with the FBI or with the state agency that submitted the record. The state police must then reinvestigate the record and correct it if the dispute is valid. Additionally, many states have an independent board or ombudsman (e.g., the New York State Division of Criminal Justice Services) that handles appeals. The entire dispute process must be transparent, timely, and free of charge to the individual.

To ensure that state police procedures remain lawful and effective, agencies should adopt the following best practices:

  • Regular training – all personnel involved in background checks and fingerprinting must receive annual training on federal and state legal updates, privacy obligations, and data security protocols.
  • Audit trails – implement automated logging of each search, transmission, and access event to detect unauthorized use and to satisfy oversight requirements.
  • Transparency – publish clear, plain-language guides for applicants explaining their rights, the consent process, and how to challenge erroneous information.
  • Data minimization – collect only the information necessary for the specific purpose of the background check and avoid extraneous data collection that could violate privacy laws.
  • Coordination with state legislators – proactively engage with lawmakers to ensure that statutory authority keeps pace with technological changes and evolving privacy expectations.
  • Third-party vendor oversight – when contracting with private fingerprinting services, ensure contracts include data protection clauses, third-party audits, and indemnification for data breaches.

Conclusion

Legal procedures for conducting background checks and fingerprinting by state police are not static—they evolve in response to legislative changes, court rulings, and technological advancements. The balance between public safety and individual privacy rights is delicate, and state police must navigate it with precision. By adhering to statutory and regulatory requirements, respecting consent and transparency, and implementing robust data security measures, state police can perform these critical functions lawfully and ethically. For the public and for employers, understanding these legal safeguards ensures that background checks are trusted tools for safety and informed decision-making. For more detailed information on specific state laws and procedures, consult the relevant state police agency or review the FBI’s CJIS Division resources at www.fbi.gov/services/cjis and the National Conference of State Legislatures background check policy guide at www.ncsl.org.