Compliance

The DHS has a very specific privacy compliance process. The DHS Privacy Office is responsible for the assessment of all new or proposed Department activities in order to ensure responsible handling of personally identifiable information (PII) and to mitigate privacy risks.

The following explores the methods by which the Privacy Office ensures compliance in all departmental activities:

• Privacy Threshold Analysis (PTA) – The PTA is a required document that serves as the official determination by the Privacy Office in order to determine if a DHS program or system has privacy implications. Also, PTAs are used to determine of additional privacy compliance documentation is required. PTAs are designed into all DHS processes for technology investments and security. They expire every three years.

PTAs serve the following objectives:

• Identify privacy-sensitive programs and systems
• Demonstrate inclusion of privacy considerations during the review of a program or system
• Provide the Privacy Office with a record of the program or system, as well as its privacy requirements
• Demonstrate compliance with privacy laws and regulations
• Privacy Impact Assessment(PIA) – The PIA is a decision-making tool that is used to identify and mitigate privacy risks at the start, as well as throughout the development lifecycle of a program or system. PIAs aid the public in understanding what PII the DHS is collecting, why the information is being collected, and how it will be used, shared, accessed and stored.

PIAs are required for the following reasons:

• When developing or procuring any new DHS program or system that will handle or collect PII
• For budget submissions to the Office of Management and Budget (OMB) that affect PII
• With pilot tests that affect PII
• When developing program or system revisions that affect PII
• When issuing a new or updated rulemaking that involves collection, use and maintenance of PII
• System of Records Notice(SORN) – A `system of records’ is a group of records under the control of any federal agency from which information is retrieved by a unique personal identifier assigned to an individual. A SORN is a formal notice to the public that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (i.e. routine uses) and how to access or correct any PII maintained by the DHS.

DHS Privacy Office

The DHS Privacy Office is the first statutorily created privacy office in the Federal government. The Office operates under the direction of the Chief Privacy Officer, a position that is discussed in further detail in the following section. The mission of the Privacy Office is: “… to preserve and enhance privacy protections for all individuals, to promote transparency of DHS operations, and to serve as a leader in the privacy community.”

The Privacy Office carries out the following activities:

• Requires compliance with the letter and spirit of Federal laws that protect privacy
• Centralizes FOI and Privacy Act operations to provide policy and programmatic oversight and to support operational implementation within the DHS components
• Provides education and outreach to build a culture of privacy and adherence to the Fair Information Practice Principles (FIPPs) across the DHS
• Provides transparency to the public through published materials, formal notices, public workshops and meetings

The Privacy Office is made up of the following operational teams:

• International Privacy Policy
• Departmental Disclosure and FOIA
• Privacy Compliances
• Privacy Policy (includes communications and training)
• Privacy Incidents and Inquiries
• Privacy Technology and Intelligence
• Legislative and Regulatory Analysis

Chief Privacy Officer, DHS

The Chief Privacy Officer (CPO) is a position within the DHS, appointed by the US Secretary of Homeland Security. The CPO also serves as the Chief Freedom of Information Act (FOIA) Officer at the DHS Privacy Office.

According to Section 222 of the Homeland Security Act of 2002, the CPO is primarily responsible for the privacy policy at the DHS. Duties include:

• Assuring that technologies used by the DHS to protect the US sustain, rather than erode, privacy protections related to the use, collection and disclosure of personal information
• Assuring that the DHS complies with fair information practices set out in the Privacy Act of 1974
• Conducting privacy impact assessments (PIA) of proposed rules at the DHS
• Evaluating legislative and regulatory proposals involving the collection, use and disclosure of personal information by the Federal government
• Preparing an annual report to Congress on DHS activities that affect privacy

Summary

This article takes a look at the privacy policies and practices at the US Department of Homeland Security (DHS). In addition to compliance with federal privacy legislation, the DHS also has its own privacy guidance, which include security methodologies, as well as a Privacy Office that is responsible for the oversight of systems and programs that deal with personally identifiable information. The article takes a closer look at the DHS Privacy Office, the first statutorily created privacy office in the US federal government, as well as the unique role of the Chief Privacy Officer/Chief Freedom of Information Act (FOIA) Officer.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy Policy Approaches – Department of Homeland Security (II.A.e.ii.3.)

US Census Bureau: Data Stewardship

The Census Bureau’s objective is to produce accurate, relevant statistics on US economy and population. It is legally and ethically obligated to protect the privacy and confidentiality of the individuals who offer their data. According to the Bureau’s mission statement, “We honor privacy, protect confidentiality, share our expertise globally, and conduct our work openly.” One of the Bureau’s strategic goals is to “Foster an environment that supports innovation, reduces respondent burden, and ensures individual privacy.” The approach that the Census Bureau takes to maintain the trust of US citizens is referred to as “Data Stewardship.”

Data stewardship is the formal process by which the Bureau remains responsible and accountable for data protection throughout the data lifecycle. This is the time which someone responds to a survey, all the way to the release of statistical data products. Each survey and program under the Census Bureau’s responsibility is required to comply with data stewardship policies at every step in the process.

There are three ways that the Bureau protects personal information:

1. Federal Law – Federal law protects personal information. Title 13 of the US Code protects the confidentiality of all information provided to the Bureau. Violation of Title 13 results in severe penalties.
2. Privacy Principles – In addition to federal legislation, the Bureau has developed its own set of privacy principles, which are guidelines for all its activities. Privacy principles include the Bureau’s responsibilities to protect personal information, as well as individuals’ rights as survey respondents.
3. Statistics Safeguards – These include methods to ensure that statistics released by the Bureau do not identify individuals or businesses. All data products are extensively reviewed and analyzed. Disclosure avoidance methodologies (e.g. data suppression, data modification) are also applied.

IRS: Privacy Office

Like other federal agencies, the IRS is committed to protecting Americans’ privacy rights. It notes that individuals’ privacy rights are protected by the following:

• Internal Revenue Code
• Privacy Act of 1974
• Freedom of Information Act
• IRS policies and practices

In addition to adhering to the above, the IRS also has a Privacy Office, which ensures that personal information entrusted with the IRS is protected appropriately. The Office addresses questions regarding IRS privacy policies and concerns regarding how the IRS uses and collects personal information.

Department of Defense: Privacy Policy

The Department of Defense (DoD) provides a website as a public service by the Office of the Assistant Secretary of Defense – Public Affairs. Like other websites, there are options for individuals to offer the DoD personal information and the DoD is responsible for treating this information appropriately. The Dod maintains a wide variety of physical, electronic and procedural safeguards to protect personal information from unauthorized disclosure or data breach.

According to the DoD’s website Privacy Act Statement:

“If you choose to provide us with personal information… we will only use that information to respond to your message or request. We will only share the information you give us with another government agency if your inquiry relates to that agency, or as otherwise required by law. We never create individual profiles or give it to any private organizations. Defense.gov never collects information for commercial marketing.”

Summary

This article takes a look at approaches to privacy protection at various agencies of the US federal government: the US Census Bureau, the Internal Revenue Service (IRS) and the US Department of Defense (DoD). Each department or agency is guided by federal privacy legislation, as well as internal policies and practices.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy Policy Enforcement – Sample Approaches (II.A.e.ii.)

1. “Security and Privacy Training is inadequate and poorly aligned with the different roles and responsibilities of personnel.”

Proper security and privacy education is part of the administrative safeguards needed to properly protect data. Information handlers must understand the risks facing sensitive information and their responsibilities towards maintaining the Fair Information Practices Principles. The report instructed agencies to include privacy and security training upon employment, maintain awareness through weekly tips, annual “security days” and other creative reminders. Agencies should also target individuals with more security and privacy responsibilities and provide more extensive training.

2. “Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.”

The Privacy Act of 1974 allows the sharing of information between government agencies provided the information receives the same level of protection after disclosure and the two agencies sign and follow a data sharing agreement. Failing to comply with a  data sharing agreement may allow serious breaches of a individual’s privacy. Agencies are encouraged to offer incentives for successful compliance with a data sharing agreement or contract. Agencies are also required to create detailed agreements (using Federal Acquisition Regulation Language) describing the procedures for protecting the information and assigning an individual to oversee the data sharing process.

3. “Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.”

Under the Freedom of Information Act and the Privacy Act of 1974, government agencies are required to maintain adequate records on the type or information systems they maintain and the types and uses of the information. With a few exceptions, such information must be available to the public. Improper record keeping poses a threat to the transparency of government activities and an individual’s right to access the information and agency maintains about them. Agencies should use enterprise architecture and inventories to review the type, location, and uses of information it has on record. Security controls should be developed in consideration of the inventory and all systems containing personally identifiable information should be regularly assessed to ensure the integrity and security of the data.

4. “Information is not appropriately scheduled, archived or destroyed.”

Information must be protected at all stages of its lifecycle including those when it is not in active use. The proper destruction of information is particularly important to safeguarding privacy. Information must be assessed to determine how long it needs to be maintained and whether it is permanent and needs to be archived by the NARA or temporary and needs to be destroyed. Agencies must obtain the National Archives and Records Administration approval to dispose of their records according to established record schedules.

5. “Suspicious activities and incidents are not identified and reported in a timely manner.”

Information security is an ongoing process which requires identifying and detecting potential threats. Instituting a system without following up with security checks and incident response is ignoring a fundamental part of the information security process. Agencies should develop and follow a set of procedures to identify and respond to security or privacy incidents. Response should be timely in order to be effective. Agencies should configure their computer systems to detect intrusions, monitor use, and log any incidents. Furthermore incidents should be reported to authorized personnel and agencies to reduce risk as quickly as possible.

6. “Audit Trails documenting how information is processed are not appropriately created or reviewed.”

It is not just the type of information that is collected but how it is used that is restricted to protect privacy and civil liberties. Accurate audit trails are necessary to record how information is being collected, used, maintained and disclosed by an agency. Agencies should use managed data repositories to develop and review the necessary audit trails. Those audit trails can then be used to identify anomalies, determine the status of data and destroy data when it is no longer necessary.

7. “Inadequate security controls where information is collected, created, processed or maintained.”

Security controls include technical, physical and administrative safeguards. They are the primary defense against unauthorized access and use of information. Agencies should maintain inventories of their physical property including real estate and mobile devices. Stronger controls should be applied to areas of high impact or high risk. Security procedures should be reviewed regularly (at least annually) to ensure physical access is granted only to authorized individuals.

8. “Information security controls are not adequate.”

The sole purpose of information security controls is to prevent unauthorized use and access. When such controls fail, the system must be improved or replaced to be provide adequate protection to information which is guaranteed under U.S. law. Security controls should be tested annually with higher risk systems tested more frequently. Personnel that test controls should be separate from the personnel that administer the controls regularly, to allow outside enforcement. Problems and improvements should be shared among agencies to promote awareness. All common security configurations should follow NIST guidelines. Agencies must also consider how the public availability of information affects how government information is protected.

9. “Inadequate protection of information accessed or processed remotely.”

Mobile devices and the increasing use of cloud computing technologies all government employees to access government information when working away from the office. Data must be protected equally when accessed from a computer at the agency and when accessed from a mobile device. Agencies should maintain an audit log of any information accessed or processed remotely. NIST encryption methods, two factor authentication, and automatic log outs after a certain period of inactivity should be employed. Agencies should ensure personnel understand the security risks involved with remotely accessing such information and have them sign a document denoting their privacy and security responsibilities.

10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.

The E-Government Act of 2002 requires that all new information security systems conduct Privacy Impact Assessments prior to use, and periodically thereafter in order to evaluate the effectiveness of the system in protecting the information it maintains. Failing to assess new technologies for their privacy protections leaves large holes in the security of the system. Agencies should include information system planning, development and maintenance in their procedures and budgets. Systems should be purchased and implemented only when found to be cost effective in adequately protecting information. Software and hardware encryption products should be used according to the NIST certified cryptographic modules.

Summary

While there are a number of regulations such as the Privacy Act of 1974, the E-Government Act of 2002, as well as the Fair Information Practice Principles which guide the use of information by the Federal Government, such regulations are not always implemented properly. Reports such as the Common Risks Impeding the Adequate Protection of Government Information are necessary to maintain an ongoing discussion regarding information privacy and security and continue to increase security protections as technologies and threats evolve.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Common Risks Impeding the Adequate Protection of Government Information
• Information Privacy Laws for U.S. Government Practice (I.C.)

The Privacy Act of 1974 is a public sector law that regulates the use of personal information by the United States Government.  Specifically it establishes rules, similar to the Fair Information Practice Principles that determine what information may be collected and how it may be used in order to protect the personal privacy of U.S. citizens.

Data Collection and Management

The Privacy Act of 1974 applies to Federal Government Agencies and governs their use of a system of records. By definition, a system of records is “any group of records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”

The following rules govern the use of a system of records:

• No Federal Government record keeping system may be kept secret
• No agency may disclose personal information to third parties without the consent of the individual (with some exceptions)
• No agency may maintain files on how a citizen exercises their First Amendment rights
• Federal personal information files are limited only to data that is relevant and necessary
• Personal information may able be used for the purposes it was originally collected unless consent is received from the individual.
• Citizens must receive notice of any third party disclosures including with whom the information is shared, the type of information disclosed and the reasons for its disclosure.
• Citizens must have access to the files maintained about them by the Federal Government
• Citizens must have the opportunity to correct or amend any inaccuracies or incompleteness in their files

Data Sharing

The Privacy Act of 1974 places restrictions on the ability of Federal agencies to share a system of records with third parties, including other agencies. However, the Privacy Act does recognize the need of the government to share records in order to improve security, maintain accuracy and consolidate resources. This is often accomplished through matching programs which allow certain data elements in one system of records to be searched against records in another system in order to find any data matches. Such matches would link together the information from both systems.

In order for any agency to run a matching program with a system of records from an another agency, their must first be a written agreement between both parties. The Committee on Governmental Affairs of the Senate, and the Committee on Government Operations of the House must receive a copy of the agreement. It must also be made available to the public.

A Data Sharing Agreement:

• Must state the purposes and legal justifications for the matching program
• Must provide rational for the program by estimating the results and savings that will be achieved
• Must describe the records to be matched including the specific data elements, estimate the number of records to be matched and provide estimated start and completion dates for the program
• Must describe how the privacy principles of the Privacy Act will be implemented in the program (ie: notice to the individual, ensure accuracy and completeness, limited used of results)
• Must provide an accuracy assessment of the unmatched records
• Must include a statement allowing the Comptroller General to monitor compliance with the Privacy Act if necessary.

Federal Register

To ensure that no system of records is kept secret, the Privacy Act requires all government agencies to provide a System of Records Notice (SORN) to biennially to be published in the Federal Register. Each SORN must also be published on the agencies website under the Electronic Privacy Act Amendment.

Each SORN must contain:

• The name location of the records system
• The title and business address of the individual overseeing the system of records at the agency
• The types of individuals about whom records are kept
• The categories of records kept in the system
• The general sources from which data is collected
• The privacy and usage policies of the agency, including those for access controls, storage, retrievability and destruction.
• How an individual may determine if an agency maintains a record about them in their system of records
• How an individual may gain access to the records an agency maintains about them

Exceptions to the Privacy Act

While the Privacy Act did take significant steps towards protecting privacy, there are a few important distinctions within the act that create holes in its protection.

The Privacy Act only applies to a system of records maintained by an agency. Records systems kept by government institutions not considered an agency are exempt. Further more a system of records is defined as a group of records which uses personally identifiably information or signifiers to retrieve a file. There may be records systems which contain personal information but does not use that information to search for and gain access to a record. Such system of records would also be exempt under the Act.

The Privacy Act also contains a “routine use” exception which allows the disclosure of information without the notice or consent of the individual. Routine use is defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.” The vague definition of routine use allows agencies to expand their definition of compatible purpose at will, eventually allowing more and more information to be disclosed under the routine use exception. As long as the SORN contains a listing of the routine uses of the information, an agency is considered compliant with the Privacy Act.

Summary

Like the Freedom of Information Act, the Privacy Act of 1974 seeks to protect the privacy of U.S. citizens by giving them the ability to monitor the use of their personal information by the U.S. government. Though the Privacy Act does make significant steps in the protecting the right of privacy, it is also limited enough in its scope and implementation to only provide adequate protection. Privacy professionals and U.S. citizens should be familiar with the Privacy Act of 1974 in order to effectively understand their rights and work to create more comprehensive privacy legislation in the future.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• The Privacy Act of 1974 (I.C.b.i.-iv.)

What Information is Viewable Under the Freedom of Information Act?

All records maintained by the Executive branch are viewable except those that meet one or more of the following exceptions:

• The information is classified for national defense or foreign relations
• The information relates only to internal personnel rules and procedures
• The information is prohibited from disclosure by other legislation
• The information contains trade secrets, commercial or financial information that must remain confidential
• The information relates only to communications within the agency or between agencies
• Contain personally identifiable information or personal health information that would violate personal privacy
• Used for law enforcement purposes that may:
  • interfere with law enforcement proceedings
  • interfere with a person’s right to a fair trial
  • constitute an invasion of privacy
  • disclose the identity of a confidential source
  • disclose techniques or procedures used by law enforcement
  • present danger to the life or safety of any individual
• Relate to the supervision of financial institutions
• Relate to geological information on oil wells

It should be note that the Freedom of Information act specifically applies only to the Federal Government and only pertains to the Executive branch. The judicial and legislative branches have different procedures for the release of information to the public. Many states have enacted similar laws to the Freedom of Information Act to provide the same protection on a state level.

How to Obtain Information Under the Freedom of Information Act?

1)  A FOIA request must be submitted in writing to the appropriate agency. In order to protect individual privacy, a request may require authentication of identity through the completion of Form DOJ-361; or submitting an authorized signature.

2)  After the request has been received, the individual will usually receive a confirmation response within a few weeks. Under the FOIA an agency must be respond within 20 working days after receipt at the correct agency.

3)  If the request has been granted, an agency may contact the requester to narrow the scope of the request or discuss fee status. Once all issues are resolved an agency will: release all documents; release parts of the documents; withhold documents; not find any responsive documents.

4)  If the request is denied, the requester may submit an appeal (see below).

Response Times

Though the FOIA requires agencies to grant or deny requests within 20 working days, there are a number of “unusual circumstances” which permit an extension of 10 days for  the granting or denying of a request as long as the requester receives notice of the extension and the reasons behind it such as:

• Need to search and collect requested records
• Need to search, collect and examine a large amount of records demanded in a single request
• Need for consultation with another agency for determination of the request.

Though the FOIA requires timely response, due to the enormous backlog of requests this is not always enforced. The receipt of requested documents may take anywhere from one week to several years.

Some individuals have attempted speed up processing times by submitting multiple requests or submitting several, separate, narrow requests. This may not always effect processing time as the FOIA allows related requests made by the same individual or for similar purposes to be aggregated together.

Expedited processing may occur if:

• Timely receipt of the material is needed to prevent imminent threat to the life or physical safety of an individual
• the information is being used to disseminate information to the public about government activities

Fees

To cover the costs of materials and resources used in completing an FOIA request, a fee may be issued to be paid by the requester. An FOIA request should include a maximum amount the requester is willing to pay in order to be processed. Currently reproduction fees are $0.10 per page plus the hourly search and review fee which depends on the administrative level of the employee required to complete the search (usually between $16 and $80 an hour). If the fee is likely to exceed $250, the agency may request advance payment, otherwise payments should be paid in a timely manner upon receipt of the bill.

Fees may be waived on a case by case basis if the records are considered “likely to contribute significantly to the public understanding of the operations or activities of the government and not primarily in the commercial interest of the requester.” Reduced fees are also available for educational and media related purposes.

Redaction/Segregations

If a requested document contains information that falls under one of the 9 exemptions but also contains information permitted disclosure under FOIA, all information that may disclosed must be released to the requester.The document must use a “black out” or other visible marking of the document to conceal the redacted information so that the requester may see how much information was not released and where if falls in the document. The exemption causing the segregation must also be noted on the document.

Appeals

A requester may appeal if:

• They were denied access to the requested records
• They were partially denied access to the requested records
• They believe the fee to be too high
• They did not receive a response within 20 days.

If a requester seeks to appeal a denial, they must submit the appeal within a timely manner (usually 30-90 days after receipt of the denial.) Agencies should respond within 20 working days, however appeals are known to take much longer. If an appeal ends in a second denial, an individual may file a lawsuit with a U.S. District Court to access their information. Unfortunately the Federal Government may sometimes use denials as a stall tactic or because they know many people will not follow through with an appeal or litigation. Due to the backlog of requests and appeals, some requests are denied when they rightfully should be granted. Pursuing an appeal or filing a complaint often quickly resolves the issue.

Reports

The Freedom of Information Act requires government agencies to file an annual report on the FOIA requests they receive. The Report must contain:

• The number of request received
• Whether the requests were granted or denied
• The processing time for each request
• The number of appeals received
• Whether the appeals were granted or denied

The reports are used to evaluate the effectiveness of the system and to provide citizens with the assurance that their requests are processed fairly.

The Electronic Freedom of Information Act Amendment

The Electronic FOIA Amendment was passed in 1996 to incorporate the use of new technologies such as computers and the Internet into the effective implementation of the Freedom of Information Act. The amendment required that all government agencies make matters of public record available online. Furthermore it allowed the submitting of FOIA requests electronically to help ensure compliance with response times.

Summary

One of the most important tools in making intelligent decisions regarding personal privacy is having access to the information an entity has on record. The Freedom of Information Act protects U.S. citizen’s right access information maintained about themselves by the Federal Government and allows citizens to monitor government activity to discover misconduct and prevent abuse.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• The Freedom of Information Act (I.C.a.i-vii.)