Privacy & FOIA Reports
Privacy Office Annual Reports
- Annual Privacy Report to Congress, July 2010 to June 2011 (PDF, 94 pages – 1.58 MB)
- Annual Privacy Report to Congress, July 2009 to June 2010 (PDF, 108 pages – 1.66 MB)
- Annual Privacy Report to Congress, July 2008 to July 2009 (PDF, 98 pages – 1.44 MB)
- Annual Privacy Report to Congress, July 2007 to July 2008 (PDF, 100 pages – 908 KB)
- Annual Privacy Report to Congress, July 2006 to July 2007 (PDF, 58 pages – 417 KB)
- Annual Privacy Report to Congress, July 2004 to July 2006 (PDF, 38 pages – 338 KB)
- Annual Privacy Report to Congress, April 2003 to June 2004 (PDF, 112 pages – 2.2 MB)
Section 803 Reports
In support of Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007, the Privacy Officer will submit a report covering all privacy protection activities of the Department.
- Quarterly Report, June 2011 to August 2011 (PDF, 17 pages - 310 KB) - contains 4th quarter findings for 2011.
- Quarterly Report, March 2011 to May 2011 (PDF, 16 pages - 351 KB) - contains 3rd quarter findings for 2011.
- Quarterly Report, December 2010 to February 2011 (PDF, 14 pages - 299 KB) - contains 2nd quarter findings for 2011.
- Quarterly Report, September 2010 to November 2010 (PDF, 17 pages - 285 KB) - contains 1st quarter findings for 2011.
- Quarterly Report, June 2010 to August 2010 (PDF, 16 pages - 223 KB) - contains 4th quarter findings for 2010.
- Quarterly Report, March 2010 to May 2010 (PDF, 15 pages - 193 KB) - contains 3rd quarter findings for 2010.
- Quarterly Report, December 2009 to February 2010 (PDF, 13 pages - 192 KB) - contains 2nd quarter findings for 2010.
- Quarterly Report, September 1 to November 30, 2009 (PDF, 11 pages - 164 KB) - contains 1st quarter findings for 2010.
- Quarterly Report, June 1, 2009 to August 31, 2009 (PDF, 10 pages - 186 KB) - contains 4th quarter findings for 2009.
- Quarterly Report, March 1, 2009 to May 31, 2009 (PDF, 10 pages - 154 KB) - contains 3rd quarter findings for 2009.
- Quarterly Report, December 2008 to February 2009 (PDF, 9 pages - 176 KB) - contains 2nd quarter findings for 2009.
- Quarterly Report, September 2008 to November 2008 (PDF, 6 pages - 61 KB) - contains 1st quarter findings for 2009.
- Quarterly Report, June 2008 to August 2008 (PDF, 5 pages - 52 KB) - contains 4th quarter findings for 2008.
- Quarterly Report, March 2008 - May 2008 (PDF, 5 pages - 69 KB) - contains 3rd quarter findings for 2008.
- Quarterly Report, December 2007 - February 2008 (PDF, 5 pages - 40 KB) - contains 2nd quarter findings for 2008.
- Quarterly Report, October - December 2007 (PDF, 3 pages - 20 KB) - provides an overview of the reporting requirement.
DHS Data Mining Reports
- 2010 Data Mining Report (PDF, 35 pages - 517 KB). This report describes DHS programs, both operational and in development, that involve data mining as defined by the Federal Agency Data Mining Reporting Act of 2007. The report provides the detailed information required by the Act and includes updates on program modifications and other developments since the Department issued its 2009 Data Mining Report in December 2009.
- 2009 Data Mining Report (PDF, 34 pages - 378 KB). This report was provided to the Congress as required by the Federal Agency Data Mining Reporting Act of 2007.
- 2008 Data Mining Report (PDF, 47 pages – 467 KB). This report was provided to the Congress as required by the Federal Agency Data Mining Reporting Act of 2007.
- 2008 Data Mining Letter Report (PDF, 46 pages - 441 KB). This report was provided to the Congress as required by the Federal Agency Data Mining Reporting Act of 2007.
- 2007 Data Mining Report (PDF, 42 pages - 446 KB). This report was provided to Congress as required by House Report No. 109-699 - Making Appropriations for the Department of Homeland Security for the Fiscal Year Ending September 30, 2007, and for Other Purposes.
- 2006 Data Mining Report July 6, 2006 (PDF, 36 pages - 340 KB). This report was provided to Congress as required by House Report 108-774 - Making Appropriations for the Department of Homeland Security for the Fiscal Year ending September 30, 2005, and for Other Purposes.
Cybersecurity
The Privacy Office works closely with the Office of Cybersecurity & Communications (CS&C), and, within CS&C, the National Cybersecurity Division and the United States Computer Emergency Readiness Team (US-CERT), to integrate privacy protections into the Department's cybersecurity activities. The following resources provide background on these efforts:
EINSTEIN Program-Related Privacy Impact Assessments
- Privacy Compliance Review of the EINSTEIN Program, January 3, 2012 (PDF, 9 pages - 112 KB). The DHS National Protection and Programs Directorate (NPPD) National Cyber Security Division (NCSD) launched the EINSTEIN program in 2004 as a computer network intrusion detection system to help protect federal executive agency information technology enterprises. NCSD conducted PIAs for each phase of the EINSTEIN program, which the DHS Privacy Office reviewed and approved. As NCSD looks ahead toward the next phase of the program to EINSTEIN 3, the DHS Privacy Office determined that conducting a PCR would be timely to ensure the accuracy of compliance documentation and transparency of the EINSTEIN program moving forward. The DHS Privacy Office found NPPD/NCSD generally compliant with the requirements outlined in the EINSTEIN 2 PIA and Initiative 3 Exercise PIA. Specifically, NPPD/NCSD is fully compliant on collection of information, use of information, internal sharing and external sharing with federal agencies, and accountability requirements. PRIV identified actions taken to address retention and training requirements as outlined in the relevant EINSTEIN PIAs, but additional actions by the program are needed to bring them into full compliance with these requirements. The DHS Privacy Office is making five recommendations to strengthen program oversight, external sharing, and bring NPPD/NCSD into full compliance with retention and training requirements. NPPD agreed with our findings and is taking steps to address our recommendations.
- National Cyber Security Division Joint Cybersecurity Services Pilot (JCSP), January 13, 2012 (PDF, 16 pages – 248 KB). The Department of Homeland Security (DHS) and the Department of Defense (DoD) are jointly undertaking a proof of concept known as the Joint Cybersecurity Services Pilot (JCSP). The JCSP extends the existing operations of the Defense Industrial Base (DIB) Exploratory Cybersecurity Initiative (DIB Opt-In Pilot) and shifts the operational relationship with the CSPs in the pilot to DHS. The JCSP is part of overall efforts by DHS and DoD to enable the provision of cybersecurity capabilities enhanced by U.S. government information to protect critical infrastructure information systems and networks. The purpose of the JCSP is to enhance the cybersecurity of participating DIB critical infrastructure entities and to protect sensitive DoD information and DIB intellectual property that directly supports DoD missions or the development of DoD capabilities from unauthorized access, exfiltration, and exploitation. The National Protection and Programs Directorate (NPPD) is conducting this Privacy Impact Assessment (PIA) on behalf of DHS because some known or suspected cyber threat information shared under the JCSP may contain information that could be considered personally identifiable information (PII). Associated SORN(s): DHS/ALL-002 - Department of Homeland Security (DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.
- US-CERT: Initiative Three Exercise. March 18, 2010 (PDF, 19 pages – 457 KB) Pursuant to Initiative Three of the Comprehensive National Cybersecurity Initiative, DHS is engaging in an exercise to demonstrate a suite of technologies that could be included in the next generation of the Department's EINSTEIN network security program. This demonstration (commonly referred to as the "Initiative Three Exercise" or, more simply, as "the Exercise") will use a modified complement of system components currently providing the EINSTEIN 1 and EINSTEIN 2 capabilities, as well as a DHS test deployment of technology developed by the National Security Agency (NSA) that includes an intrusion prevention capability (collectively referred to as "the Exercise technology"). The purpose of the Exercise is to demonstrate the ability of an existing Internet Service Provider that is designated as a Trusted Internet Connection Access Provider (TICAP) to select and redirect Internet traffic from a single participating government agency through the Exercise technology, for US-CERT to apply intrusion detection and prevention measures to that traffic and for US-CERT to generate automated alerts about selected cyber threats. This PIA is being conducted because the Exercise will analyze Internet traffic which may contain personally identifiable information (PII).
- EINSTEIN 1 PIA Update. February 19, 2010 (PDF, 12 pages – 194 KB) DHS and the State of Michigan (“Michigan”) plan to engage in a 12-month proof of concept to determine the benefits and issues presented by deploying the EINSTEIN 1 capability to Michigan government networks managed by the Michigan Department of Information Technology (MDIT). This PIA updates the previous EINSTEIN PIAs listed below in one narrow aspect: the use of EINSTEIN 1 technology in a proof of concept with Michigan.
- EINSTEIN 2 Privacy Impact Assessment. May 19, 2008 (PDF, 23 pages - 423 KB). This is the Privacy Impact Assessment (PIA) for an updated version of the EINSTEIN System. EINSTEIN is a computer network intrusion detection system (IDS) used to help protect federal executive agency information technology (IT) enterprises. EINSTEIN 2 will incorporate network intrusion detection technology capable of alerting the US-CERT to the presence of malicious or potentially harmful computer network activity in federal executive agencies' network traffic.
- EINSTEIN 1 Privacy Impact Assessment. September 2004 (PDF, 12 pages - 153 KB) This PIA examines the privacy implications of US-CERT's EINSTEIN Program. The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government. By collecting information from participating federal government agencies, US-CERT builds and enhances our nation's cyber-related situational awareness.
Other Cybersecurity Privacy Impact Assessments
- Malware Lab Network May 4, 2010 (PDF, 13 pages – 172 KB) The goal of the Department of Homeland Security (DHS or Department) National Protection and Programs Directorate (NPPD) is to advance the risk-reduction segment of the Department's overall mission. To meet this goal, the NPPD/U.S. Computer Emergency Readiness Team (US-CERT) provides key capabilities in four cyber mission areas: 1) Alert, Warning, and Analysis; 2) Coordination and Collaboration; 3) Response and Assistance; and 4) Protection and Detection. The Malware Lab Network (MLN) contributes critical support to existing tools used by US-CERT to better meet these cyber mission areas. The MLN collects, uses, and maintains analytically relevant information in order to support the Department's cyber security mission, including the prevention and mitigation of cyber attacks, protection of information infrastructure, the assessment of cyber vulnerabilities, and response to cyber incidents. DHS is conducting this PIA to publicly analyze and evaluate the personally identifiable information (PII) within the MLN.
- 24x7 Incident Handling and Response Center, April 2, 2007 (PDF, 17 pages - 265 KB) The 24x7 Incident Handling and Response Center ("24x7") focuses on ways to gather cyber information prior to attacks and to use that information to prevent attacks, protect computing infrastructure, and respond/restore where attacks are successful. 24x7 serves as a communication hub for the United States Computer Readiness Team (US-CERT) program, issuing regular security and warning bulletins, serving as a gateway for public contribution and outreach, and also serving as a ticketing center through which tasks may be delegated out to the various US-CERT programs.
Other Cybersecurity Resources
- White Paper on Computer Network Security & Privacy Protection. February 19, 2010 (PDF, 11 pages - 114 KB). Provides an overview of the Department's cybersecurity responsibilities, the role of the EINSTEIN system in implementing those responsibilities, and the integrated privacy protections.
- White House Cybersecurity Site. The White House recently launched a site dedicated to the federal government's cybersecurity efforts, www.whitehouse.gov/cybersecurity, including the declassified description of the Comprehensive National Cybersecurity Initiative.
Passenger Name Records
The 2007 Passenger Name Record (PNR) Agreement between the United States and the European Union (EU) made possible the transfer of certain passenger data to Customs and Border Protection (CBP) in order to facilitate safe and efficient travel. The documents below demonstrate the progression of the Agreement since its inception and include subsequent reviews conducted by both the United States and the EU to ensure compliance with the Agreement.
- European Commission Report on the Joint Review of the U.S.-E.U. Passenger Name Record Agreement April 7, 2010 (PDF, 34 pages - 409 KB)
- Department Response to the European Commission's Report on the Joint Review of the U.S.-E.U. Passenger Name Record Agreement, March 31, 2010 (PDF, 6 pages - 199 KB)
- U.S.-EU Joint Statement, February 10, 2010
- Update to the 2008 Report Concerning Passenger Name Record Information Derived from Flights Between the U.S. and the European Union, February 2010 (PDF, 7 pages – 158 KB)
- Privacy Office Report Concerning Passenger Name Record Information Derived from Flights Between the U.S. and the European Union, December 2008 (PDF, 60 pages - 2.93 MB)
- CBP Passenger Name Record Privacy Statement for PNR Data Received in Connection with Flights Between the U.S. and the European Union (PDF, 3 pages - 142 KB).
- Answers to Frequently Asked Questions (PDF, 5 pages - 27 KB)
- 2007 PNR Agreement between the U.S. and the European Union (PDF, 7 pages - 1.7 MB)
- Letter from the Council of the European Union to the U.S. (PDF, 3 pages - 1.5 MB)
- Letter from the U.S. to the Council of the European Union (PDF, 5 pages - 4.5 MB)
- Privacy Office Report Concerning Passenger Name Record Information Derived from Flights Between the U.S. and the European Union, September 19, 2005 (PDF, 30 pages – 306 KB)
PNR and the Automated Targeting System
PNR data is stored in the Automated Targeting System (ATS). CBP uses ATS to improve the collection, use, analysis, and dissemination of information that is gathered for the primary purpose of targeting, identifying, and preventing potential terrorists and terrorist weapons from entering the United States. For more background information, please consult our ATS Privacy Impact Assessments.
Other Homeland Security Privacy Reports
The following are public reports issued by the Privacy Office:
- Assessment of CBP Training Materials on Border Searches of Electronic Devices (PDF, 6 pages – 138 KB) In August 2009, Secretary Napolitano issued new directives regarding searches of electronic media at the border. In coordination with the release of the directives, the Privacy Office, Customs and Border Protection, and the Office for Civil Rights and Civil Liberties were instructed to assess the CBP training materials and course matter on the border search of electronic devices. This report presents a summary of this joint review.
- Interim Report on the EU Approach to the Commercial Collection of Personal Data for Security Purposes: The Special Case of Hotel Guest Registration Data, conducted pursuant to Section 222(b)(1)(B) of the Homeland Security Act, in order to enforce the provisions of Article 5 of the 2007 Passenger Name Records (PNR) Agreement. January 16, 2009 (PDF, 43 pages – 1.19 MB)
- CCTV: Developing Best Practices, Report on the DHS Privacy Office Public Workshop, December 17 and 18, 2007 (PDF, 66 pages – 528 KB) Report summarizing the CCTV workshop panels and resources to help identify and address privacy concerns, including Best Practices for Government Use of CCTV (Appendix B); Template for Privacy Impact Assessment for the Use of CCTV by DHS Program (Appendix C); Template for Privacy Impact Assessment for the Use of CCTV by State and Local Entities (Appendix D); and Template for Civil Liberties Impact Assessments (CLIA) (Appendix E).
- ADVISE Report, (PDF, 25 pages - 411 KB) Review of the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) Program including recommendations.
- Secure Flight Report, December 2006 (PDF, 18 pages - 694.60 KB) DHS Privacy Office Report to the Public on the Transportation Security Administration’s Secure Flight Program and Privacy Recommendations.
- MATRIX Report, December 2006 (PDF, 9 pages – 386.97KB) DHS Privacy Office Report to the Public Concerning the Multistate Anti-Terrorism Information Exchange (MATRIX) Pilot Project.
- Report Assessing the Impact of the Automatic Selectee and No Fly Lists, April 27, 2006 (PDF, 29 pages - 242 KB).
- Report to the Public on Events Surrounding jetBlue Data Transfer February 20, 2004 (PDF, 10 pages - 65 KB)
Contact
The Privacy Office
U.S. Department of Homeland Security
Washington, D.C. 20528
E-mail: privacy@dhs.gov
Phone: 703-235-0780
Fax: 703-235-0442
This page was last reviewed / modified on February 6, 2012.
