In accordance with the Homeland Security Act of 2002, Section 222a (1) (as modified), the Department of Homeland Security (DHS) Chief Privacy Officer is authorized to…make such investigations and reports relating to the administration of the programs and operations of the Department as are, in the senior official's judgment, necessary or desirable.
OIG Privacy Incident Report and Assessment, February 2011 (PDF, 45 pages - 1.01 MB). Chief Privacy Officer (CPO) Mary Ellen Callahan issued a public report on a privacy incident involving the Office of Inspector General (OIG) and contractor KPMG. The report makes findings and recommendations addressing compliance with privacy policies and recommends steps for prevention and mitigation of similar privacy incidents.
The DHS Privacy Office exercises its authority under Section 222 of the Homeland Security Act to assure that technologies sustain and do not erode privacy protections through the conduct of Privacy Compliance Reviews (PCRs). Consistent with the Privacy Office's unique position as both an advisor and an oversight body for the Department's privacy-sensitive programs and systems, the PCR is designed as a constructive mechanism to improve a program's ability to comply with assurances made in existing privacy compliance documentation, including Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), and formal agreements such as Memoranda of Understanding or Memoranda of Agreement.
The most recent PCR is listed first.
DHS Use of Social Media for Communications and Outreach
DHS Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue, and DHS Use of Unidirectional Social Media Applications Communications and Outreach, March 28, 2012 (PDF, 10 pages - 96 KB). DHS utilizes social media for communications, public affairs, and outreach purposes and has an official presence on many of the major social media platforms such as Facebook, Twitter, and YouTube. To ensure that DHS's use of social media for communications, outreach, and dialogue with the public adheres to privacy requirements, DHS developed two Department-wide privacy impact assessments (PIAs): a PIA for Department use of social networking interactions and applications, and a PIA for Department use of unidirectional social media. If an initiative meets the PIA requirements, it is added to the Appendix of the appropriate PIA through the Social Media Privacy Threshold Analysis process. As noted in the PIAs, these initiatives are subject to Privacy Compliance Reviews (PCRs).
The DHS Privacy Office conducted this PCR to: 1) determine whether selected DHS social media uses listed in the DHS-wide social media PIA appendices continue to meet the requirements as described in the PIAs; and 2) determine whether the appendices of the DHS-wide social media PIAs reflect an accurate accounting of DHS users.
EINSTEIN Program, January 3, 2012 (PDF, 9 pages - 112 KB). The DHS National Protection and Programs Directorate (NPPD) National Cyber Security Division (NCSD) launched the EINSTEIN program in 2004 as a computer network intrusion detection system to help protect federal executive agency information technology enterprises. NCSD conducted PIAs for each phase of the EINSTEIN program, which the DHS Privacy Office reviewed and approved. As NCSD looks ahead toward the next phase of the program, EINSTEIN 3, the DHS Privacy Office determined that conducting a PCR would be timely to ensure the accuracy of compliance documentation and the transparency of the EINSTEIN program moving forward.
The DHS Privacy Office found NPPD/NCSD generally compliant with the requirements outlined in the EINSTEIN 2 PIA and the Initiative 3 Exercise PIA. Specifically, NPPD/NCSD is fully compliant with the collection of information, use of information, internal sharing, external sharing with federal agencies, and accountability requirements. The Privacy Office identified actions taken to address the retention and training requirements outlined in the relevant EINSTEIN PIAs, but additional actions by the program are needed to bring it into full compliance with these requirements. The DHS Privacy Office is making five recommendations to strengthen program oversight and external sharing and to bring NPPD/NCSD into full compliance with retention and training requirements. NPPD agreed with our findings and is taking steps to address our recommendations.
- Privacy Compliance Review Follow-Up Letter for the EINSTEIN Program, August 26, 2014 (PDF, 7 pages).
Immigration and Customs Enforcement Pattern Analysis and Information Collection Law Enforcement Intelligence Sharing Service
ICE Pattern Analysis and Information Collection Law Enforcement Information Sharing Service, December 15, 2011 (PDF, 6 pages - 98.25 KB). The U.S. Government Accountability Office (GAO) recently conducted a review of selected DHS systems that support counterterrorism, including the U.S. Immigration and Customs Enforcement Pattern Analysis and Information Collection System (ICEPIC) Law Enforcement Information Sharing (LEIS) Service. GAO's review found that the LEIS Service was not described in the Privacy Impact Assessment (PIA) that was approved for the ICEPIC system in January 2008. Given the E-Government Act and DHS policy requirements for conducting PIAs, GAO recommended that the Chief Privacy Officer investigate whether the LEIS component of ICEPIC should be deactivated until a PIA that includes this component was approved. DHS concurred with the recommendation, and as a result of the report's findings and recommendations, the DHS Privacy Office initiated this Privacy Compliance Review (PCR).
ICEPIC is a toolset that assists U.S. Immigration and Customs Enforcement (ICE) law enforcement agents and analysts in identifying suspect identities and discovering possible non-obvious relationships among individuals and organizations that are indicative of violations of the customs and immigration laws, as well as possible terrorist threats and plots. The LEIS Service allows external law enforcement officers (federal, state, local, tribal, and international partners) direct access to certain DHS law enforcement data sources compiled by ICEPIC. The objectives of our review were to 1) identify the cause of the privacy compliance gap regarding the LEIS Service and 2) evaluate whether the compliance gap warranted deactivation of the LEIS Service until the PIA could be approved.
Media Monitoring Initiative
Media Monitoring Initiative, April 16, 2014 (PDF, 24 pages). Privacy Compliance Reviews (PCRs) are a key aspect of the layered privacy protections built into this initiative to ensure that the protections described in the PIAs are followed. Since the June 2010 PIA was published, PCRs have been conducted bi-annually. The DHS Privacy Office conducted this sixth PCR to assess compliance with both the April 2013 PIA Update and the February 2011 SORN. We found that the Office of Operations Coordination and Planning, National Operations Center, continues to be in compliance with the privacy requirements identified in both of these documents; our specific findings are discussed herein.
- Media Monitoring Initiative, November 8, 2012 (PDF, 25 pages - 2.59 MB).
- Media Monitoring Initiative, May 3, 2012 (PDF, 33 pages - 898 KB).
- Media Monitoring Initiative, November 15, 2011 (PDF, 6 pages - 150 KB).
- Media Monitoring Initiative, February 7, 2011 (PDF, 6 pages - 133 KB).
- 2010 Winter Olympics Social Media Event Monitoring Initiative and Haiti Social Media Disaster Monitoring Initiative, August 23, 2010 (PDF, 6 pages - 125.18 KB).
Passenger Name Records
The Passenger Name Record (PNR) Agreement between the United States and the European Union (EU) enables the transfer of certain passenger data to Customs and Border Protection (CBP) to help facilitate safe and efficient travel. Reviews of DHS compliance with the agreements and other supporting documents can be found here.