
Privacy Investigations & Compliance Reviews


Privacy Investigations

In accordance with the Homeland Security Act of 2002, Section 222a (1) (as modified), the Department of Homeland Security (DHS) Chief Privacy Officer is authorized to…make such investigations and reports relating to the administration of the programs and operations of the Department as are, in the senior official's judgment, necessary or desirable.

OIG Privacy Incident Report and Assessment, February 2011, (PDF, 45 pages - 1.01 MB) Chief Privacy Officer (CPO) Mary Ellen Callahan issued a public report on a privacy incident involving the Office of Inspector General (OIG) and contractor KPMG. The report makes findings and recommendations addressing compliance with privacy policies and recommends steps for prevention and mitigation of similar privacy incidents.

Compliance Reviews

The DHS Privacy Office exercises its authority under Section 222 of the Homeland Security Act to assure that technologies sustain and do not erode privacy protections through the conduct of Privacy Compliance Reviews (PCRs). Consistent with the Privacy Office's unique position as both an advisor and oversight body for the Department's privacy-sensitive programs and systems, the PCR is designed as a constructive mechanism to improve a program’s ability to comply with assurances made in existing privacy compliance documentation, including Privacy Impact Assessments (PIAs), System of Records Notices (SORNs) and/or formal agreements such as Memoranda of Understanding or Memoranda of Agreements.

The most recent PCR is listed first.

DHS Use of Social Media for Communications and Outreach

DHS Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue, and DHS Use of Unidirectional Social Media Applications Communications and Outreach March 28, 2012 (PDF, 10 pages - 96 KB) DHS utilizes social media for communications, public affairs, and outreach purposes and has an official presence on many of the major social media platforms such as Facebook, Twitter, and YouTube. To ensure DHS' use of social media for communications/outreach/dialogue with the public adheres to privacy requirements, DHS developed two Department-wide privacy impact assessments (PIAs): a PIA for Department use of social networking interactions and applications; and a PIA for Department use of unidirectional social media. If an initiative meets the PIA requirements, it is added to the Appendix of the appropriate PIA through the Social Media Privacy Threshold Analysis process. As noted in the PIAs, these initiatives are subject to Privacy Compliance Reviews (PCRs).

The DHS Privacy Office conducted this PCR to: 1) determine whether selected DHS social media uses listed in the DHS-wide social media PIA appendices continue to meet the requirements as described in the PIAs; and 2) determine if the appendices of the DHS-wide social media PIAs reflect an accurate accounting of DHS users.

EINSTEIN Program

EINSTEIN Program January 3, 2012 (PDF, 9 pages - 112 KB) The DHS National Protection and Programs Directorate (NPPD) National Cyber Security Division (NCSD) launched the EINSTEIN program in 2004 as a computer network intrusion detection system to help protect federal executive agency information technology enterprises. NCSD conducted PIAs for each phase of the EINSTEIN program, which the DHS Privacy Office reviewed and approved. As NCSD looks ahead toward the next phase of the program, EINSTEIN 3, the DHS Privacy Office determined that conducting a PCR would be timely to ensure the accuracy of compliance documentation and transparency of the EINSTEIN program moving forward.

The DHS Privacy Office found NPPD/NCSD generally compliant with the requirements outlined in the EINSTEIN 2 PIA and Initiative 3 Exercise PIA. Specifically, NPPD/NCSD is fully compliant on collection of information, use of information, internal sharing and external sharing with federal agencies, and accountability requirements. PRIV identified actions taken to address retention and training requirements as outlined in the relevant EINSTEIN PIAs, but additional actions by the program are needed to bring them into full compliance with these requirements. The DHS Privacy Office is making five recommendations to strengthen program oversight and external sharing, and to bring NPPD/NCSD into full compliance with retention and training requirements. NPPD agreed with our findings and is taking steps to address our recommendations.

Immigration and Customs Enforcement Pattern Analysis and Information Collection Law Enforcement Intelligence Sharing Service

ICE Pattern Analysis and Information Collection Law Enforcement Information Sharing Service December 15, 2011, (PDF, 6 pages – 98.25 KB). The U.S. Government Accountability Office (GAO) recently conducted a review of selected DHS systems that support counterterrorism, including the U.S. Immigration and Customs Enforcement Pattern Analysis and Information Collection System (ICEPIC) Law Enforcement Information Sharing (LEIS) Service. GAO’s review found that the LEIS Service was not described in the Privacy Impact Assessment (PIA) that was approved for the ICEPIC system in January 2008. Given E-Government Act and DHS policy requirements for conducting PIAs, GAO recommended that the Chief Privacy Officer investigate whether the LEIS component of ICEPIC should be deactivated until a PIA that includes this component was approved. DHS concurred with the recommendation and, as a result of the report findings and recommendations, the DHS Privacy Office initiated this Privacy Compliance Review (PCR).

ICEPIC is a toolset that assists the U.S. Immigration and Customs Enforcement (ICE) law enforcement agents and analysts in identifying suspect identities and discovering possible non-obvious relationships among individuals and organizations that are indicative of violations of the customs and immigration laws as well as possible terrorist threats and plots. The LEIS Service allows external law enforcement officers (federal, state, local, tribal and international partners) direct access to certain DHS law enforcement data sources compiled by ICEPIC. The objectives of our review were to 1) identify the cause of the privacy compliance gap regarding the LEIS Service and 2) evaluate whether the compliance gap warranted a deactivation of the LEIS Service until the PIA could be approved.

Media Monitoring Initiative

  • Media Monitoring Initiative May 3, 2012 (PDF, 33 pages – 898 KB) Privacy Compliance Reviews (PCRs) are a key aspect of the layered privacy protections built into this initiative to ensure protections described in the PIAs are followed.  Accordingly, the DHS Privacy Office conducted this bi-annual PCR to: 1) assess compliance with the January 2011 PIA Update and February 2011 SORN; and 2) review and update, as appropriate, the 2011 Analyst’s Desktop Binder and Standard Operating Procedures (SOPs) to ensure they accurately reflect the scope of the initiative. The DHS Privacy Office found OPS/NOC to be in compliance with the privacy requirements identified in the January 2011 PIA Update and the February 2011 SORN. Our specific findings are discussed herein.
  • Media Monitoring Initiative November 15, 2011 (PDF, 6 pages – 150 KB) The Department of Homeland Security (DHS) Office of Operations Coordination and Planning (OPS), including the National Operations Center (NOC), launched the Social Networking/Media Capability (SNMC) to assist DHS and its components involved in the response, recovery, and rebuilding effort resulting from the earthquake and after-effects in Haiti as well as the security, safety, and border control associated with the 2010 Winter Olympics. These limited purposes were expanded in June 2010 to meet the operational needs of the Department. Since then, and to meet its statutory requirements, OPS, through SNMC analysts, monitored publicly available online forums, blogs, public websites, and message boards to collect information used in providing situational awareness and establishing a common operating picture.

    The DHS Privacy Office (PRIV) and OPS/NOC decided to further broaden the program's capability to collect additional information, including limited instances of personally identifiable information (PII). As such, a Publicly Available Social Media Monitoring and Situational Awareness Initiative Privacy Impact Assessment (PIA) Update and new DHS/OPS-004 - Publicly Available Social Media Monitoring and Situational Awareness Initiative System of Records Notice (SORN) were issued on January 6, 2011 and February 1, 2011 respectively and are the basis for this Privacy Compliance Review (PCR).

    PRIV found OPS/NOC to be in compliance with the privacy parameters set forth in the January 6, 2011 PIA update and February 1, 2011 SORN.
  • Media Monitoring Initiative February 7, 2011 (PDF, 6 pages – 133 KB) The Department of Homeland Security (DHS) Office of Operations Coordination and Planning (OPS), including the National Operations Center (NOC), launched the Social Networking/Media Capability (SNMC) to assist DHS and its components involved in the security, safety, and border control associated with the 2010 Winter Olympics as well as the response, recovery, and rebuilding effort resulting from the earthquake and after-effects in Haiti. This limited purpose was expanded in June to meet the operational needs of the Department. Since then, and to meet its statutory requirements, OPS, through SNMC analysts, monitors publicly available online forums, blogs, public websites, and message boards to collect information used in providing situational awareness and establishing a common operating picture.

    As outlined in the Publicly Available Social Media Monitoring and Situational Awareness Initiative PIA (June 22, 2010), the DHS Privacy Office (PRIV) conducted a Privacy Compliance Review (PCR) on November 30, 2010 based on this PIA and OPS/NOC operational needs. PRIV found OPS/NOC generally in compliance and provided one recommendation for improving accountability. Based on OPS/NOC’s demonstrated compliance with the June 22, 2010 PIA, PRIV and OPS/NOC decided to further broaden the program’s capability to collect additional information, including limited instances of personally identifiable information (PII). As such, a new PIA and SORN were issued on January 7, 2011 and February 1, 2011 respectively and will be the basis for the next PCR.

  • 2010 Winter Olympics Social Media Event Monitoring Initiative and Haiti Social Media Disaster Monitoring Initiative August 23, 2010 (PDF, 6 pages – 125.18 KB) The Department of Homeland Security (DHS) Office of Operations Coordination and Planning (OPS), including the National Operations Center (NOC), launched the Social Networking/Media Capability (SNMC) to assist DHS and its components involved in the response, recovery, and rebuilding effort resulting from the earthquake and after-effects in Haiti as well as the security, safety, and border control associated with the 2010 Winter Olympics in Vancouver, British Columbia (BC). In compliance with its statutory obligation, OPS, through SNMC Analysts in the NOC, monitored publicly available online forums, blogs, public websites, and message boards to collect information used in providing situational awareness and establishing a common operating picture. The DHS Privacy Office (PRIV) conducted a Privacy Compliance Review (PCR) of SNMC Analyst activities, as outlined in both the Haiti Social Media Disaster Monitoring Initiative PIA (January 21, 2010) and 2010 Winter Olympics Social Media Event Monitoring Initiative PIA (February 10, 2010).

Passenger Name Records

The 2007 Passenger Name Record (PNR) Agreement between the United States and the European Union (EU) made possible the transfer of certain passenger data to Customs and Border Protection (CBP) in order to facilitate safe and efficient travel. The documents below demonstrate the progression of the Agreement since its inception and include subsequent reviews conducted by both the United States and the EU to ensure compliance with the Agreement.

This page was last reviewed / modified on May 9, 2012.
