The Protected Critical Infrastructure Information (PCII) Program, part of the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), Infrastructure Security Division (ISD), Infrastructure Assessments and Analysis (IAA) Sub-Division, facilitates the sharing of PCII between the Government and the private sector. CISA has conducted this privacy impact assessment (PIA) to analyze and evaluate the privacy impact of the PCII Program’s overall operations, including the PCII submission and validation process, and user access management. Most of this work occurs on the Protected Critical Infrastructure Information Management System (PCIIMS). PCIIMS is an Information Technology (IT) system and the means by which PCII submissions from non-federal critical infrastructure owners and operators are received and cataloged, and PCII Authorized Users are registered, trained, and managed. This system receives, provides validation processes, and securely stores critical infrastructure information (physical and cyber systems and assets) meeting the PCII program definition for validation. This PIA replaces DHS/NPPD/PIA-006 Protected Critical Infrastructure Information Management System, published July 13, 2011.

The Department of Homeland Security (DHS) Geospatial Information Infrastructure (GII) is a major application infrastructure, maintained by the Geospatial Management Office (GMO), representing the physical and logical implementation of the Department’s Geospatial Services Segment Architecture (GSSA). The purpose of the GII is to deliver a geospatial technology platform composed of geospatial enterprise applications, tools, and information to facilitate secure information-sharing between federal, state, local, tribal, territorial, private sector, international, and other non-governmental partners who support the homeland security mission. DHS is conducting this Privacy Impact Assessment (PIA) because the information viewed and shared in the GII may contain personally identifiable information (PII) on DHS personnel and members of the public.

The Department of Homeland Security’s (DHS) Federal Protective Service (FPS) is developing the Post Tracking System (PTS). PTS will be used to verify the identity, suitability, training completion, and time and attendance of Protective Security Officers (PSO) who serve as contracted guards at federal facilities. FPS is conducting this Privacy Impact Assessment (PIA) because PTS collects personally identifiable information (PII) of DHS employees and contract personnel.

The Department of Homeland Security (DHS) Office of Intelligence and Analysis (I&A) manages data on behalf of DHS Components when there is a need to share that data with the Intelligence Community (IC) and other national security partners or to support DHS mission use cases and applications using a secure data environment. The Data Management Hub (or “Data Hub”) is a set of technical components that facilitates the storage, enrichment, tagging, and movement of DHS and partner data by I&A on the classified network fabric. The goal of the Data Hub is to provide a single authoritative data store of datasets in order to reduce data duplication and improve the authorized usage of data for data-sharing and analysis. It also centralizes and streamlines the data formatting, tagging, and transfer of data for approved internal and external mission applications, including bulk sharing with national security partners and other government agencies.

The Data Hub is a series of technical components and, while it does not itself use specific information about individuals, it supports the storage and use of data and datasets that contain personally identifiable information (PII). The Data Hub simply transports and stores data and datasets; there is no data or dataset inherent to it. As such, data or datasets that use the Data Hub process will be listed in the appendices to this PIA.

U.S. Customs and Border Protection (CBP) requires air-cargo and shipping companies to submit their electronic manifest information in advance to CBP under the Air Cargo Advance Screening (ACAS) program. This advance information improves CBP’s ability to conduct risk assessments of incoming shipments in order to improve security and compliance with customs and other laws CBP enforces at the border. CBP is publishing this new Privacy Impact Assessment (PIA) to provide notice of the new mandatory requirements for ACAS participants, and to assess the privacy risks of its collection and use of personally identifiable information under this program.

The Department of Homeland Security (DHS), U.S. Customs and Border Protection (CBP) is responsible for securing the United States and its borders while facilitating lawful travel and trade. The CBP Office of Trade (OT) facilitates lawful international trade activities, enforces violations of various trade laws and regulations, and investigates allegations of trade violations made by the members of the public. CBP created a public-facing website called “e-Allegations” for members of the public and the trade community to report potential violation of criminal and trade laws and regulations.

The DHS Privacy Office conducted a Privacy Compliance Review (PCR) of FEMA that focused on information sharing practices and oversight in response to two major privacy incidents that occurred during Fiscal Year 2019.  This PCR details six recommendations to improve FEMA’s implementation of information sharing and safeguarding activities that adequately protect individuals’ privacy.

Memo signed by Secretary John Kelly on May 24, 2017, directing the Department to enhance biometric collection practices to improve identity resolution and encounter management.

U.S. Customs and Border Protection (CBP) is conducting a voluntary test to collect certain advance data related to shipments potentially eligible for release under Section 321 of the Tariff Act of 1930, as amended, 19 U.S.C. § 1321 (“Section 321”). Section 321 provides for an administrative exemption from duty and taxes for shipments of merchandise (other than bona-fide gifts and certain personal and household goods) imported by one person on one day having an aggregate fair retail value in the country of shipment of not more than $800. Pursuant to this test, participants will electronically transmit certain data elements pertaining to these shipments to CBP in advance of arrival. CBP is conducting this test to determine the feasibility of requiring advance data from different types of parties and requiring additional data that is generally not required under current regulations in order to effectively identify and target high-risk shipments in the e-commerce1 environment. CBP published a Notice in the Federal Register on July 23, 2019, announcing the pilot.2 CBP is publishing this new Privacy Impact Assessment (PIA) to provide notice of information collection requirements for the Section 321 Data Pilot, and to assess the privacy risks of its collection and use of personally identifiable information under this pilot.

Workforce Analytics and Employee Records is a Federal Human Capital Business Function whereby federal agencies implement a systematic process to review workforce and performance data, metrics, and results. Federal agencies conduct these reviews in an effort to anticipate and plan for future strategic and operational requirements and to make holistically informed Human Capital Management decisions. Specifically, federal human capital organizations generate evidence-based metrics to support decision-making concerning recruitment, staffing, training, and workforce development. The Workforce Analytics and Employee Records Business Function also facilitates compensation and benefits modeling, as well as the application of statistical models on such human resources (HR) issues as retention rates, time to on-board, retirement trends, and employee engagement. The Department of Homeland Security (DHS) is conducting this Privacy Impact Assessment (PIA) because the systems and data sources that support Workforce Analytics and Employee Records at DHS collect, use, store, and transmit personally identifiable information (PII) and sensitive personally identifiable information (SPII).