<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; SORN</title> <atom:link href="http://www.cippguide.org/tag/sorn/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Thu, 09 Feb 2012 12:00:48 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>US Department of Homeland Security: Privacy Policies &amp; Practices</title><link>https://www.cippguide.org/2012/01/24/us-department-of-homeland-security-privacy-policies-practices/</link> <comments>https://www.cippguide.org/2012/01/24/us-department-of-homeland-security-privacy-policies-practices/#comments</comments> <pubDate>Tue, 24 Jan 2012 12:00:07 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Chief Privacy Officer]]></category> <category><![CDATA[DHS]]></category> <category><![CDATA[FOIA]]></category> <category><![CDATA[PIA]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[Privacy Act]]></category> <category><![CDATA[privacy policy]]></category> <category><![CDATA[PTA]]></category> <category><![CDATA[SORN]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2696</guid> <description><![CDATA[The US Department of Homeland Security (DHS) is often criticized for its privacy policies and practices, as it handles a vast amount of sensitive personal information. However, it is important to note how the DHS does attempt to protect personal privacy, in policy as well as practice. In addition to compliance with federal privacy legislation, such as the FOIA (Freedom of Information Act) and the Privacy Act, the Department consults with privacy professionals to evaluate new or potential programs, systems, technologies and certain rule-making procedures so that personal information is handled appropriately. This article takes a look at exactly how the Department of Homeland Security approaches privacy [...]]]></description> <content:encoded><![CDATA[<p>The US <a
href="http://www.dhs.gov/">Department of Homeland Security</a> (DHS) is often criticized for its privacy policies and practices, as it handles a vast amount of sensitive personal information. However, it is important to note how the DHS does attempt to protect personal privacy, in policy as well as practice. In addition to compliance with federal privacy legislation, such as the <a
href="http://www.cippguide.org/tag/foia/">FOIA</a> (Freedom of Information Act) and the <a
href="http://www.cippguide.org/tag/privacy-act/">Privacy Act</a>, the Department consults with privacy professionals to evaluate new or potential programs, systems, technologies and certain rule-making procedures so that personal information is handled appropriately. This article takes a look at exactly how the Department of Homeland Security approaches privacy protection.</p><p><strong>Compliance</strong></p><p>The DHS has a very specific privacy compliance process. The DHS Privacy Office is responsible for assessing all new or proposed Department activities to ensure responsible handling of <a
href="https://www.cippguide.org/tag/pii/">personally identifiable information</a> (PII) and to mitigate privacy risks.</p><p>The following explores the methods by which the Privacy Office ensures compliance in all departmental activities:</p><ul><li><a
href="http://www.dhs.gov/xlibrary/assets/privacy/privacy_pta_template.pdf"><strong>Privacy Threshold Analysis</strong></a><strong> (PTA)</strong> – The PTA is a required document that serves as the Privacy Office's official determination of whether a DHS program or system has privacy implications. PTAs are also used to determine whether additional privacy compliance documentation is required. PTAs are built into all DHS processes for technology investments and security, and they expire every three years.</li></ul><p>PTAs serve the following objectives:</p><ul><li>Identify privacy-sensitive programs and systems</li><li>Demonstrate inclusion of privacy considerations during the review of a program or system</li><li>Provide the Privacy Office with a record of the program or system, as well as its privacy requirements</li><li>Demonstrate compliance with privacy laws and regulations</li></ul><ul><li><strong><a
href="https://www.cippguide.org/tag/pia/">Privacy Impact Assessment</a></strong> <strong>(PIA)</strong> – The PIA is a decision-making tool used to identify and mitigate privacy risks at the start of, and throughout, the development lifecycle of a program or system. PIAs aid the public in understanding what PII the DHS is collecting, why the information is being collected, and how it will be used, shared, accessed and stored.</li></ul><p>PIAs are required in the following situations:</p><ul><li>When developing or procuring any new DHS program or system that will handle or collect PII</li><li>For budget submissions to the <a
href="http://www.cippguide.org/tag/omb/">Office of Management and Budget</a> (OMB) that affect PII</li><li>With pilot tests that affect PII</li><li>When developing program or system revisions that affect PII</li><li>When issuing a new or updated rulemaking that involves collection, use and maintenance of PII</li></ul><ul><li><strong><a
href="https://www.cippguide.org/tag/sorn/">System of Records Notice</a></strong> <strong>(SORN)</strong> – A "system of records" is a group of records under the control of a federal agency from which information is retrieved by a unique personal identifier assigned to an individual. A SORN is a formal notice to the public that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (i.e. routine uses) and how to access or correct any PII maintained by the DHS.</li></ul><p><strong>DHS Privacy Office</strong></p><p>The <a
href="http://www.dhs.gov/xabout/structure/editorial_0510.shtm#contact">DHS Privacy Office</a> is the first statutorily created privacy office in the Federal government. The Office operates under the direction of the Chief Privacy Officer, a position that is discussed in further detail in the following section. The <a
href="http://www.dhs.gov/xabout/structure/editorial_0510.shtm#contact">mission</a> of the Privacy Office is: “… to preserve and enhance privacy protections for all individuals, to promote transparency of DHS operations, and to serve as a leader in the privacy community.”</p><p>The Privacy Office carries out the following activities:</p><ul><li>Requires compliance with the letter and spirit of Federal laws that protect privacy</li><li>Centralizes FOIA and Privacy Act operations to provide policy and programmatic oversight and to support operational implementation within the DHS components</li><li>Provides education and outreach to build a culture of privacy and adherence to the Fair Information Practice Principles (FIPPs) across the DHS</li><li>Provides transparency to the public through published materials, formal notices, public workshops and meetings</li></ul><p>The Privacy Office is made up of the following operational teams:</p><ul><li>International Privacy Policy</li><li>Departmental Disclosure and FOIA</li><li>Privacy Compliance</li><li>Privacy Policy (includes communications and training)</li><li>Privacy Incidents and Inquiries</li><li>Privacy Technology and Intelligence</li><li>Legislative and Regulatory Analysis</li></ul><p><strong>Chief Privacy Officer, DHS</strong></p><p>The <a
href="http://www.dhs.gov/xabout/structure/bio_1236273286409.shtm">Chief Privacy Officer</a> (CPO) is a position within the DHS, appointed by the US Secretary of Homeland Security. The CPO also serves as the Chief Freedom of Information Act (FOIA) Officer at the DHS Privacy Office.</p><p>According to Section 222 of the Homeland Security Act of 2002, the CPO is primarily responsible for privacy policy at the DHS. Duties include:</p><ul><li>Assuring that technologies used by the DHS to protect the US sustain, rather than erode, privacy protections related to the use, collection and disclosure of personal information</li><li>Assuring that the DHS complies with the fair information practices set out in the Privacy Act of 1974</li><li>Conducting privacy impact assessments (PIAs) of proposed rules at the DHS</li><li>Evaluating legislative and regulatory proposals involving the collection, use and disclosure of personal information by the Federal government</li><li>Preparing an annual report to Congress on DHS activities that affect privacy</li></ul><p><strong>Summary</strong></p><p>This article takes a look at the privacy policies and practices at the US Department of Homeland Security (DHS). In addition to compliance with federal privacy legislation, the DHS has its own privacy guidance, which includes security methodologies, as well as a Privacy Office that is responsible for the oversight of systems and programs that deal with personally identifiable information. 
The article takes a closer look at the DHS Privacy Office, the first statutorily created privacy office in the US federal government, as well as the unique role of the Chief Privacy Officer/Chief Freedom of Information Act (FOIA) Officer.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy Policy Approaches – Department of Homeland Security (II.A.e.ii.3.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2012/01/24/us-department-of-homeland-security-privacy-policies-practices/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>The E-Government Act of 2002</title><link>https://www.cippguide.org/2010/02/22/the-e-government-act-of-2002/</link> <comments>https://www.cippguide.org/2010/02/22/the-e-government-act-of-2002/#comments</comments> <pubDate>Mon, 22 Feb 2010 12:00:12 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[CIPP/G]]></category> <category><![CDATA[cookies]]></category> <category><![CDATA[E-Government Act]]></category> <category><![CDATA[OMB M-00-13]]></category> <category><![CDATA[OMB M-99-05]]></category> <category><![CDATA[OMB M-99-18]]></category> <category><![CDATA[P3P]]></category> <category><![CDATA[PIA]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[Privacy Act of 1974]]></category> <category><![CDATA[Privacy Impact Assessments]]></category> <category><![CDATA[SORN]]></category> <category><![CDATA[Systems of Records Notice]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1257</guid> <description><![CDATA[The E-Government Act of 2002, containing 5 separate Titles and 40 different sections, created many new regulations for the implementation and use of electronic information in the Federal [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&amp;docid=f:publ347.107">E-Government Act of 2002</a>, containing 5 separate Titles and 40 different sections, created many new regulations for the implementation and use of electronic information in the Federal Government. Its stated purpose is as follows:</p><p>“To enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes.”</p><p><a
href="http://www.whitehouse.gov/omb/memoranda_m03-22/">Section 208</a> of the E-Government Act is devoted specifically to privacy concerns. It placed four specific requirements on Government agencies:</p><ul><li>Conduct Privacy Impact Assessments for electronic information systems and records and make them available to the public</li><li>Post privacy policies to all agency websites</li><li>Implement <a
href="http://www.cippguide.org/2009/12/13/p3p-privacy-policies/">P3P (machine-readable) privacy policies</a> on agency websites</li><li>Submit annual reports to the Office of Management and Budget regarding compliance with the Act</li></ul><p><strong>Website Privacy</strong></p><p>All government agencies are required to post privacy policies on their general websites as of December 15, 2003. The privacy policy rule does not apply to: information not considered “government information”; intranet websites only used by authorized government users; national security systems.</p><p>All Privacy Policies:</p><ul><li>Require <a
href="http://www.cippguide.org/2009/12/13/p3p-privacy-policies/">consent</a> from the individual for information collection and sharing. Website visitors must be told whether the information requested is voluntary or mandatory as well as how to grant consent for the collection of both voluntarily and mandatorily provided information.</li><li>Must <a
href="../../../../../2010/01/18/fair-information-practices-principles/">notify</a> individuals of their rights under the Privacy Act and other privacy laws such as HIPAA, the IRS Restructuring and Reform Act or the Family Educational Rights and Privacy Act. Notification must be placed in the body of the website’s privacy policy, linking to the official text of the legislation or the official summary of statutory rights.</li><li>Must implement <a
href="http://www.cippguide.org/2009/12/13/p3p-privacy-policies/">machine readable (P3P) privacy policies</a> into their websites.</li><li>Must comply with the relevant Office of Management and Budget memoranda concerning the content and use of privacy policies:<ul><li><a
href="http://www.whitehouse.gov/omb/memoranda_m99-18/">Memorandum-99-18</a> Requires the inclusion of two content areas: consent to collection and sharing, and rights under the Privacy Act or other privacy laws (as outlined above). OMB M-99-18 also requires the posting of privacy policies on the main web site, at any major entry points to the site and on every page that collects personally identifiable information. Further, it requires privacy policies to be clear, conspicuous, accessible and easy to understand.</li><li><a
href="http://www.whitehouse.gov/omb/memoranda_m99-05/">Memorandum-99-05</a><em> </em>Deals with the administrative side of privacy protection. M-99-05 requires all employees and contractors to be educated in their responsibility towards privacy protection. All individuals who may have day-to-day responsibility for implementing section 208 must be identified. A senior official or officials must be appointed to oversee privacy matters in the agency, serve as the principal information technology contact and review the agency’s Privacy Impact Assessments.</li><li><a
href="http://www.whitehouse.gov/omb/memoranda_m00-13/">Memorandum-00-13</a> Prohibits the use of persistent <a
href="../../../../../2009/11/16/cookies-tracking-your-internet-experience/">cookies</a> or web beacons to track visitor traffic on agency websites unless authorized by a senior official due to a compelling need. If tracking cookies are used, the privacy policy on the agency’s website must include the type of information collected, how and why it is collected and used, whether the information is disclosed to third parties and how the information will be protected by privacy safeguards. All agencies must submit reports on the use of persistent tracking cookies. OMB M-00-13 does allow the use of session cookies to track activity during a single session.</li></ul></li><li>Must continue to implement the privacy protections enforced by other regulations. Privacy policies should assure visitors that the information technologies used protect data during all phases of its life cycle. They should assure compliance with the <a
title="CIPP Guide: Privacy Act of 1974" href="http://www.cippguide.org/2010/02/10/privacy-act-of-1974/" target="_blank">Privacy Act of 1974</a> regarding how information is handled and complete regular evaluations to ensure compliance. Furthermore, the agency must fully adhere to its stated privacy policies.</li></ul><p><strong>Privacy Impact Assessments</strong></p><p>The E-Government Act requires agencies to conduct Privacy Impact Assessments to achieve three main goals:</p><ul><li>Ensure that information handling complies with all applicable laws, regulations and policies regarding privacy.</li><li>Assess the risks and effects to the individual of collecting, maintaining, using and disclosing personally identifiable information</li><li>Evaluate current protections and their effectiveness, and consider possible alternatives to better protect data from privacy violations.</li></ul><p><strong>When must a PIA be conducted?</strong></p><p>A PIA should be conducted prior to the collection, use or disclosure of information in identifiable form. 
A PIA is required:</p><ul><li>Prior to developing or obtaining an IT system or process which collects, stores or discloses personally identifiable information</li><li>Prior to instituting a new electronic means of collecting identifiable information from 10 or more individuals</li><li>When converting paper records to electronic records</li><li>When anonymized data in an information system is changed into identifiable form</li><li>Prior to significant changes to an existing IT system when such changes affect how identifiable information is managed in the system</li><li>Prior to the merging of information (most often completed through matching programs with other agencies)</li><li>When a new user authentication technology is used to allow public access to government information</li><li>Before information purchased from commercial or public sources is merged into existing information systems maintaining personally identifiable information</li><li>When two or more agencies work together to share functions or uses of personally identifiable information; the lead agency should prepare the PIA</li><li>When internal business processes result in significant changes to the use, disclosure or collection of identifiable information</li><li>When additional data elements containing information in identifiable form are added to an information system and increase the risk to personal privacy</li></ul><p>There are a few exceptions to the Privacy Impact Assessment rule. A PIA is not required:</p><ul><li>When the information relates to internal government operations</li><li>When a previous evaluation similar to a PIA has already been conducted</li><li>When privacy issues remain unchanged. 
Examples of such situations include:<ul><li>Government information systems that do not maintain information in identifiable form or about members of the general public</li><li>When a government-run public website is only used to collect limited information from individuals for the purpose of responding to their inquiries or requests for additional information</li><li>National security systems</li><li>When privacy protection is addressed in a matching agreement pursuant to the Privacy Act</li><li>When privacy protection is addressed in an interagency agreement allowing the merging of data only for statistical purposes and PII remains private pursuant to Title V of the E-Government Act</li><li>If the IT system collects information in non-identifiable form for purposes other than the matching or merging of that data with other databases</li></ul></li></ul><p><strong>What does a Privacy Impact Assessment contain?</strong></p><p>Each PIA must contain the following information:</p><ul><li>The nature and source of the collected information</li><li>The reasons behind the collection of information</li><li>The intended uses and disclosures of collected information and how the individual can provide their consent</li><li>The technical and administrative safeguards used to protect the information</li><li>Whether the information system falls under the definition of a system of records under the Privacy Act</li><li>An analysis of the PIA and the steps taken by the agency to remedy any problems or weaknesses</li></ul><p><strong>What is the Significance of Privacy Impact Assessments?</strong></p><p>Privacy Impact Assessments are public documents that allow ongoing monitoring and assessment of privacy protection implementation and effectiveness. All PIAs must be reviewed by the agency's Chief Information Officer (or an equivalent official designated by the head of the agency). 
The CIO’s job is to evaluate all PIAs for compliance and ensure implementation of the necessary procedures.</p><p>Furthermore, PIAs provide the public with insight into how the Federal Government collects, uses, maintains and protects personally identifiable information. Under Section 208(b), Privacy Impact Assessments must be made available to the public through publication on the agency’s website or in the Federal Register, though this requirement may be waived for security purposes.</p><p>PIAs are similar to the System of Records Notices (SORNs) required under the Privacy Act of 1974, which requires an agency to publish in the Federal Register a notice for every system of records from which it retrieves information by personal identifier. Privacy Impact Assessments allow for stronger privacy protections by requiring greater detail and by applying to some information systems that are not subject to the SORN requirement.</p><p><strong>Summary:</strong></p><p>With the integration of new technology into record keeping systems, the U.S. Government recognized the need for new legislation regulating the use of such technologies by the Federal Government. Section 208 is particularly important in privacy legislation because it increases the protections granted under other privacy legislation such as the Freedom of Information Act and the Privacy Act of 1974. 
Furthermore, it regulates the collection, use and disclosure of personally identifiable information over the Internet, requires regular enforcement through the use of Privacy Impact Assessments and provides public access to government activities through regular reporting and publication of those assessments.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>The E-Government Act of 2002 including website privacy policy and Privacy Impact Assessments (I.C.c.i.-ii.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/02/22/the-e-government-act-of-2002/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Privacy Act of 1974</title><link>https://www.cippguide.org/2010/02/10/privacy-act-of-1974/</link> <comments>https://www.cippguide.org/2010/02/10/privacy-act-of-1974/#comments</comments> <pubDate>Wed, 10 Feb 2010 12:00:05 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[CIPP/G]]></category> <category><![CDATA[Data Sharing Agreement]]></category> <category><![CDATA[data subject access]]></category> <category><![CDATA[Fair Information Practices Principles]]></category> <category><![CDATA[FOIA]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[Privacy Act of 1974]]></category> <category><![CDATA[SORN]]></category> <category><![CDATA[Surveillance]]></category> <category><![CDATA[Systems of Records Notice]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1239</guid> <description><![CDATA[The Privacy Act of 1974 is a public sector law that regulates the use of personal information by the United States Government.  Specifically it establishes rules, similar to the Fair Information Practice Principles that determine what information may be collected and how it may be used in order to protect the personal privacy of U.S. [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://www.justice.gov/opcl/privstat.htm">Privacy Act of 1974</a> is a public sector law that regulates the use of personal information by the United States Government. Specifically, it establishes rules, similar to the <a
title="CIPP Guide: Fair Information Practice Principles" href="http://www.cippguide.org/2010/01/18/fair-information-practice-principles/" target="_self">Fair Information Practice Principles</a>, that determine what information may be collected and how it may be used in order to protect the personal privacy of U.S. citizens.</p><p><strong><a
href="http://en.wikipedia.org/wiki/Privacy_Act_of_1974">Data Collection and Management</a></strong></p><p>The Privacy Act of 1974 applies to <em>Federal Government Agencies</em> and governs their use of a system of records. By definition, a <a
href="http://nces.ed.gov/StatProg/rudman/a.asp%23s">system of records</a> is “any group of records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”</p><p>The following rules govern the use of a system of records:</p><ul><li>No Federal Government record keeping system may be kept secret</li><li>No agency may disclose personal information to third parties without the consent of the individual (with some exceptions)</li><li>No agency may maintain files on how a citizen exercises their First Amendment rights</li><li>Federal personal information files are limited to data that is relevant and necessary</li><li>Personal information may only be used for the purposes for which it was originally collected, unless consent is received from the individual</li><li>Citizens must receive notice of any third-party disclosures, including with whom the information is shared, the type of information disclosed and the reasons for its disclosure</li><li>Citizens must have access to the files maintained about them by the Federal Government</li><li>Citizens must have the opportunity to correct or amend any inaccuracies or incompleteness in their files</li></ul><p><strong><a
href="http://epic.org/privacy/1974act/">Data Sharing</a></strong></p><p>The Privacy Act of 1974 places restrictions on the ability of Federal agencies to share a system of records with third parties, including other agencies. However, the Privacy Act does recognize the need of the government to share records in order to improve security, maintain accuracy and consolidate resources. This is often accomplished through matching programs, which allow certain data elements in one system of records to be searched against records in another system in order to find any data matches. Such matches link together the information from both systems.</p><p>In order for any agency to run a matching program with a system of records from another agency, there must first be a written agreement between both parties. The Committee on Governmental Affairs of the Senate and the Committee on Government Operations of the House must receive a copy of the agreement. It must also be made available to the public.</p><p>A Data Sharing Agreement:</p><ul><li>Must state the purposes and legal justifications for the matching program</li><li>Must provide a rationale for the program by estimating the results and savings that will be achieved</li><li>Must describe the records to be matched, including the specific data elements, estimate the number of records to be matched and provide estimated start and completion dates for the program</li><li>Must describe how the privacy principles of the Privacy Act will be implemented in the program (i.e. notice to the individual, ensuring accuracy and completeness, limited use of results)</li><li>Must provide an accuracy assessment of the unmatched records</li><li>Must include a statement allowing the Comptroller General to monitor compliance with the Privacy Act if necessary.</li></ul><p><strong><a
href="http://www.gpoaccess.gov/fr/index.html">Federal Register</a></strong></p><p>To ensure that no system of records is kept secret, the Privacy Act requires every government agency to publish a System of Records Notice (SORN) in the Federal Register for each system of records it maintains; these notices are compiled and republished biennially. Each SORN must also be published on the agency's website under the Electronic Privacy Act Amendment.</p><p>Each SORN must contain:</p><ul><li>The name and location of the records system</li><li>The title and business address of the individual overseeing the system of records at the agency</li><li>The types of individuals about whom records are kept</li><li>The categories of records kept in the system</li><li>The general sources from which data is collected</li><li>The privacy and usage policies of the agency, including those for access controls, storage, retrievability and destruction</li><li>How an individual may determine if an agency maintains a record about them in its system of records</li><li>How an individual may gain access to the records an agency maintains about them</li></ul><p><strong><a
href="http://epic.org/privacy/1974act/">Exceptions to the Privacy Act</a></strong></p><p>While the Privacy Act did take significant steps towards protecting privacy, there are a few important distinctions within the act that create holes in its protection.</p><p>The Privacy Act only applies to a system of records maintained by an agency. Records systems kept by government institutions not considered an agency are exempt. Furthermore, a system of records is defined as a group of records which uses <em>personally identifiable information</em> or identifiers to retrieve a file. There may be records systems which contain personal information but do not use that information to search for and gain access to a record. Such systems would also fall outside the Act.</p><p>The Privacy Act also contains a “routine use” exception which allows the disclosure of information without the notice or consent of the individual. Routine use is defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.” The vague definition of routine use allows agencies to expand their definition of compatible purpose at will, eventually allowing more and more information to be disclosed under the routine use exception. As long as the SORN contains a listing of the routine uses of the information, an agency is considered compliant with the Privacy Act.</p><p><strong>Summary</strong></p><p>Like the <a
title="CIPP Guide: Freedom of Information Act" href="http://www.cippguide.org/2010/02/08/foia-the-freedom-of-information-act/" target="_self">Freedom of Information Act</a>, the Privacy Act of 1974 seeks to protect the privacy of U.S. citizens by giving them the ability to monitor the use of their personal information by the U.S. government. Though the Privacy Act does take significant steps in protecting the right to privacy, its scope and implementation are limited enough that the protection it provides is only partial. Privacy professionals and U.S. citizens should be familiar with the Privacy Act of 1974 in order to understand their rights and work to create more comprehensive privacy legislation in the future.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>The Privacy Act of 1974 (I.C.b.i.-iv.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/02/10/privacy-act-of-1974/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
