US Department of Homeland Security: Privacy Policies & Practices

The US Department of Homeland Security (DHS) is often criticized for its privacy policies and practices, as it handles a vast amount of sensitive personal information. However, it is important to note how the DHS does attempt to protect personal privacy, in policy as well as practice. In addition to compliance with federal privacy legislation, such as the FOIA (Freedom of Information Act) and the Privacy Act, the Department consults with privacy professionals to evaluate new or potential programs, systems, technologies and certain rule-making procedures so that personal information is handled appropriately. This article takes a look at exactly how the Department of Homeland Security approaches privacy protection.

Compliance

The DHS has a very specific privacy compliance process. The DHS Privacy Office is responsible for the assessment of all new or proposed Department activities in order to ensure responsible handling of personally identifiable information (PII) and to mitigate privacy risks.

The following explores the methods by which the Privacy Office ensures compliance in all departmental activities:

  • Privacy Threshold Analysis (PTA) – The PTA is a required document that serves as the Privacy Office's official determination of whether a DHS program or system has privacy implications. PTAs are also used to determine if additional privacy compliance documentation is required. PTAs are designed into all DHS processes for technology investments and security. They expire every three years.

PTAs serve the following objectives:

  • Identify privacy-sensitive programs and systems
  • Demonstrate inclusion of privacy considerations during the review of a program or system
  • Provide the Privacy Office with a record of the program or system, as well as its privacy requirements
  • Demonstrate compliance with privacy laws and regulations

  • Privacy Impact Assessment (PIA) – The PIA is a decision-making tool that is used to identify and mitigate privacy risks at the start, as well as throughout the development lifecycle of a program or system. PIAs aid the public in understanding what PII the DHS is collecting, why the information is being collected, and how it will be used, shared, accessed and stored.

PIAs are required for the following reasons:

  • When developing or procuring any new DHS program or system that will handle or collect PII
  • For budget submissions to the Office of Management and Budget (OMB) that affect PII
  • With pilot tests that affect PII
  • When developing program or system revisions that affect PII
  • When issuing a new or updated rulemaking that involves collection, use and maintenance of PII

  • System of Records Notice (SORN) – A 'system of records' is a group of records under the control of any federal agency from which information is retrieved by a unique personal identifier assigned to an individual. A SORN is a formal notice to the public that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (i.e. routine uses) and how to access or correct any PII maintained by the DHS.

DHS Privacy Office

The DHS Privacy Office is the first statutorily created privacy office in the Federal government. The Office operates under the direction of the Chief Privacy Officer, a position that is discussed in further detail in the following section. The mission of the Privacy Office is: “… to preserve and enhance privacy protections for all individuals, to promote transparency of DHS operations, and to serve as a leader in the privacy community.”

The Privacy Office carries out the following activities:

  • Requires compliance with the letter and spirit of Federal laws that protect privacy
  • Centralizes FOIA and Privacy Act operations to provide policy and programmatic oversight and to support operational implementation within the DHS components
  • Provides education and outreach to build a culture of privacy and adherence to the Fair Information Practice Principles (FIPPs) across the DHS
  • Provides transparency to the public through published materials, formal notices, public workshops and meetings

The Privacy Office is made up of the following operational teams:

  • International Privacy Policy
  • Departmental Disclosure and FOIA
  • Privacy Compliance
  • Privacy Policy (includes communications and training)
  • Privacy Incidents and Inquiries
  • Privacy Technology and Intelligence
  • Legislative and Regulatory Analysis

Chief Privacy Officer, DHS

The Chief Privacy Officer (CPO) is a position within the DHS, appointed by the US Secretary of Homeland Security. The CPO also serves as the Chief Freedom of Information Act (FOIA) Officer at the DHS Privacy Office.

According to Section 222 of the Homeland Security Act of 2002, the CPO is primarily responsible for the privacy policy at the DHS. Duties include:

  • Assuring that technologies used by the DHS to protect the US sustain, rather than erode, privacy protections related to the use, collection and disclosure of personal information
  • Assuring that the DHS complies with fair information practices set out in the Privacy Act of 1974
  • Conducting privacy impact assessments (PIA) of proposed rules at the DHS
  • Evaluating legislative and regulatory proposals involving the collection, use and disclosure of personal information by the Federal government
  • Preparing an annual report to Congress on DHS activities that affect privacy

Summary

This article takes a look at the privacy policies and practices at the US Department of Homeland Security (DHS). In addition to compliance with federal privacy legislation, the DHS also has its own privacy guidance, which includes security methodologies, as well as a Privacy Office that is responsible for the oversight of systems and programs that deal with personally identifiable information. The article takes a closer look at the DHS Privacy Office, the first statutorily created privacy office in the US federal government, as well as the unique role of the Chief Privacy Officer/Chief Freedom of Information Act (FOIA) Officer.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Privacy Policy Approaches – Department of Homeland Security (II.A.e.ii.3.)