DHS/ALL/PIA-004 REAL-ID

The Department of Homeland Security (DHS) is issuing a final rule establishing minimum standards for State-issued driver’s licenses and identification cards that Federal agencies will accept for official purposes after May 11, 2008, in accordance with the REAL ID Act of 2005, Pub. L. 109-13, 119 Stat. 231, 302 (2005) (codified at 49 U.S.C. 30301 note) (the Act). The final rule establishes standards to meet the minimum requirements of the Act including: information and security features that must be incorporated into each card; application information to establish the identity and lawful status of an applicant before a card can be issued; and physical security standards for locations issuing driver’s licenses and identification cards.

This Privacy Impact Assessment (PIA) updates the PIA issued on March 1, 2007, in conjunction with the Notice of Proposed Rulemaking (NPRM). DHS received over 21,000 comments on the NPRM, including comments on the PIA or privacy issues related to the NPRM. The DHS Data Privacy and Integrity Advisory Committee separately submitted to the DHS Chief Privacy Officer a recommendation on the privacy implications of the requirements proposed in the NPRM. The final rule summarizes the comments and provides brief responses outlining the Department’s decisions. This PIA does not duplicate the comment summaries or responses but rather highlights how the final rule addresses the privacy issues outlined in the NPRM PIA. In addition, the “Privacy Considerations” section of the final rule (IV.D.) provides a general response to each of the areas noted in the NPRM PIA.

The DHS Privacy Office is updating the March PIA under the authority of Subsection 4 of Section 222 of the Homeland Security Act of 2002, as amended, which calls for the DHS Chief Privacy Officer to conduct a “privacy impact assessment of proposed rules of the Department.” The PIA analysis reflects the framework of the Privacy Office’s Fair Information Practice Principles (FIPPs): Transparency, Individual Participation, Purpose Specification, Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing. In addition, the DHS Privacy Office is releasing its Best Practices for the Protection of Personally Identifiable Information Associated with State Implementation of the Real ID Act (Best Practices for Protection of PII) (Attachment A) to provide guidance to State DMVs on privacy and security protections consistent with the FIPPs standards and practices equivalent to those required under the Privacy Act of 1974 (5 U.S.C. § 552a), the Federal Information Security Management Act (FISMA) of 2002 (44 U.S.C. § 3542), and the information security standards issued by the National Institute of Standards and Technology (NIST). January 2008