Home Information Sharing & Analysis Prevention & Protection Preparedness & Response Research Commerce & Trade Travel Security Immigration
About the Department Open for Business Press Room
Current National Threat Level is elevated

The threat level in the airline sector is High or Orange. Read more.

Homeland Security 5 Year Anniversary 2003 - 2008, One Team, One Mission Securing the Homeland

Statement of Maureen Cooney Acting Chief Privacy Officer before the Joint Hearing of the Subcommittee on Commercial and Administrative Law and the Subcommittee on the Constitution, Committee on the Judiciary of the U.S. House of Representatives

Release Date: 04/04/06 00:00:00

Rayburn House Office Building
April 4, 2006
Remarks as Prepared

Chairmen Cannon and Chabot, Ranking Members Watt and Nadler, and Members of the Subcommittees on Commercial and Administrative Law and the Constitution,  it is an honor to testify before you today on the activities of the United States Department of Homeland Security, for which I am privileged to served as the Acting Chief Privacy Officer.

Thank you for inviting me to speak with you on the subject of personal information acquired by the government from information resellers.

As you know, the DHS Chief Privacy Officer is the first statutorily required privacy officer in the Federal government. The responsibilities of the DHS Chief Privacy Officer are set forth in Section 222 of the Homeland Security Act of 2002. They include:

  • Assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection and disclosure of personal information;
  • Assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974;
  • Evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;
  • Conducting a privacy impact assessment of proposed rules of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected; and
  • Preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls and other matters.

It is upon this statutory authority that the Chief Privacy Officer and the DHS Privacy Office review and approach the use of personal information by the Department, including the use of data from information resellers.

The use of data from information resellers for homeland security involves complex issues that touch on privacy, program effectiveness and operational efficiency. There are many benefits to the government by the responsible use of commercial data. It can save time, it is often more precise, and is updated more quickly and, therefore, in certain circumstances, it could be more accurate and therefore have greater data integrity than other sources. At the same time, the government’s use of commercial data must be transparent and appropriate. The DHS Privacy Office has been part of a broad based dialogue both within and outside of the Department on the use of commercial data.

As noted by the Government Accountability Office (GAO), unless an information reseller is operating a System of Records specifically on behalf of a Federal agency, it is not subject to the provisions of the Privacy Act of 1974. However, the Privacy Act applies to Federal agencies that bring data from information resellers into a Federal System of Records. The Privacy Office exercises oversight over the way Departmental components access, use and maintain data obtained from information resellers as part of our responsibility to assure that Departmental systems operate in accordance with Section 222(b) of our authorizing statute -- that information in DHS Systems of Records is handled in a manner consistent with the fair information practices principles set out in the Privacy Act.

The main oversight mechanism used by the Privacy Office for information systems is the Privacy Impact Assessment (PIA). PIAs are fundamental in making privacy an operational element within the Department. Conducting PIAs demonstrates the Department’s efforts to assess the privacy impact of utilizing new or changing information systems, including attention to mitigating privacy risks. Touching on the breadth of privacy issues, PIAs allow the examination of the privacy questions that may surround a program or system’s collection of information, including commercial reseller data, as well as the system’s overall development and deployment. When worked on early in the development process, PIAs provide an opportunity for program managers and system owners to build privacy protections into a program or system in the beginning. This avoids forcing the protections in at the end of the developmental cycle when remedies can be more difficult and costly to implement.

With respect to the data types that are collected and their handling, the PIA process augments the Systems of Record Notice provisions in the Privacy Act that provide notice to the public about the types of information collected and its treatment. The PIA can be one of the most important instruments in establishing trust between the Department’s operations and the public.

In accordance with Section 208 of the E-Government Act of 2002, the Department of Homeland Security is required to perform PIAs whenever it procures new information technology systems or substantially modifies existing systems that contain personal information. Although the E-Government Act allows exceptions from the PIA requirement for national security systems, DHS is implementing Section 222 of the Homeland Security Act to require that all DHS systems, including national security systems, must undergo a PIA if they contain personal information. The Privacy Office has staff with security clearances that allow them to work with programs to assess the privacy impact of classified systems or systems that contain classified information. In cases where the publication of the PIA would be detrimental to national security, the PIA document may not be published or may be published in redacted form.

Every PIA must address at least two issues:

  1. It must address the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and
  2. It must evaluate the protections and alternative processes for handling information to mitigate potential privacy risks.

The Privacy Office has issued official guidance on the conduct of Privacy Impact Assessments. The most up-to-date version of the guidance is available at the DHS Privacy Office Web site at www.dhs.gov/privacy. However, earlier versions of the guidance have been available internally to DHS for about two years, with initial guidance issued in February 2004.

Various sections of the PIA guidance are particularly relevant to the subject matter of this hearing. First, the guidance states that the PIA requirement applies broadly to personally identifiable information rather than to a much narrower category of “private” information. If information can be connected with an individual, it is personally identifiable information, whether or not the information is private or secret. This is important because much of the information purchased from information resellers is either publicly available, e.g., addresses and telephone numbers, or is derived from public records.

In addition, Section 1.2.2 of the guidance directs programs that use data from commercial data aggregators to state this fact and then to explain in Section 1.3 why data from this source is being used. Section 2.3.4 requires a statement about whether data obtained from commercial data aggregators is assessed for quality, and if so, what quality measures are used.

In the course of performing and reviewing PIAs over the past two years the DHS Privacy Office has been examining appropriate ways to implement OMB guidance that “merely querying [a commercial or public source of data] on an ad hoc basis using existing technology does not trigger the PIA requirement.”  Some products offered by information resellers permit users to “ping” resellers’ databases either to obtain new information or to verify information in government databases. This ability to access information without bringing it into Federal systems raises the question about when information is actually “collected” by a government agency. It is DHS policy that any time information from an information reseller is used in a decision-making process, whether the decision involves correcting existing government information or obtaining new information, a PIA is required.

In order to clarify specific issues related to the use of data from information resellers, the DHS Privacy Office is in the process of drafting specific guidance on the use of commercial data to complement the general PIA guidance. The guidance on the use of commercial data will apply specifically to the use of data from information resellers and will address three broad categories of use: comparing data in commercial and government databases, obtaining data from commercial sources for use in government systems; and use of government analytic tools on commercial databases. The guidance will specify when PIAs must be performed and what additional requirements might apply to programs that use data from commercial sources. We expect this guidance to be released as soon as it completes Departmental clearance, and would be happy to discuss it with you at that time.

The DHS Privacy Office has been part of a broad-based national dialog on these issues. In September of 2005, the Privacy Office held a public workshop on the use of commercial data for homeland security. The objective of the workshop was to look at the policy, legal, and technology issues associated with the government's use of commercial personally identifiable data in homeland security. A broad range of experts, including representatives from government, academia, and business participated in the panel discussions. The panels addressed how government agencies are using commercial data to aid in homeland security; the legal issues raised by the government's use of commercial data, particularly the applicability of the Privacy Act; current and developing technologies that can aid the government in data analysis; ways in which technology can help protect individual privacy while enabling government agencies to analyze data; and ways to build privacy protections into the government's use of commercial data. At the end of each panel, the audience was given an opportunity to address questions to the panelists. The full transcript of the Workshop is available at www.dhs.gov/privacy.

The Privacy Office has also been working with the DHS Data Privacy and Integrity Advisory Committee (DPIAC) on issues related to the use of commercial data. In October 2005, the DPIAC published a report on the use of commercial data to reduce false positives in screening programs. The report is available on the DHS Privacy Office Web site at www.dhs.gov/privacy. The Committee recommends that commercial data be used for screening programs only when:

  • It is necessary to satisfy a defined purpose
  • The minimization principle is used
  • Data quality issues are analyzed and satisfactorily resolved
  • Access to the data is tightly controlled
  • The potential harm to the individual from a false positive misidentification is substantial
  • Use for secondary purposes is tightly controlled
  • Transfer to third parties is carefully managed
  • Robust security measures are employed
  • The data are retained only for the minimum necessary period of time
  • Transparency and oversight are provided
  • The restrictions of the Privacy Act are applied, regardless of whether an exemption may apply
  • Simple and effective redress is provided
  • Less invasive alternatives are exhausted

The Committee is now working on a broader report that addresses the use of commercial data in applications beyond screening. We are using the work of the DPIAC to help inform our work on guidance for the Department.

We are living through a time of tremendous change as more and more personal information becomes electronic. In electronic form such information is more easily collected, analyzed and used for various purposes and serves as a basis for decision-making in personal, social, political and economic spheres. It is the goal of the DHS Privacy Office to ensure that commercial information used by the Department in the performance of its mission is used responsibly and with respect for individuals’ legitimate expectations of privacy. We look forward to working with the Committee and everyone involved on these important issues.

Thank you.

This page was last reviewed/modified on 04/04/06 00:00:00.