Principles for Implementing Privacy Protections in Research Projects

The Department is often in the headlines for our high-profile efforts to protect the nation, but there are mission-critical activities going on behind the scenes to advance homeland security—including a recent achievement of our Science and Technology Directorate (S&T) and the Privacy Office. Although many of S&T’s activities, such as our work to develop vaccines for dangerous animal diseases, do not impact personal privacy, some of our efforts—like the development of new physical screening technologies—have potential privacy implications.

As we carry out the S&T mission to encourage innovation in the development and use of new technologies in support of homeland security, we have made it a priority to protect the privacy of individuals. To ensure that goal, the Privacy Office and S&T have just developed "Principles for Implementing Privacy Protections in S&T Research." Working together on this new guidance has been a natural fit, enabling us both to contribute our particular expertise. These Principles enable us to provide advanced tools, technologies, and systems to those working to protect our nation while incorporating privacy protections into privacy-sensitive S&T research.

Key Principles

• Privacy Assessment. An assessment of privacy impacts, conducted jointly by S&T and the Privacy Office, will be an integral part of the design, development and implementation of any S&T research project that is privacy-sensitive or involves or impacts personally identifiable information (PII).
• Purpose Specification. The scope and purpose of any specific S&T project will be clearly articulated and documented through a process that includes reviews of its effectiveness by internal experts (S&T staff other than the project’s proponents) and external experts (with appropriate security clearances).
• Transparency. S&T will conduct Privacy Impact Assessments (PIAs) in conjunction with the Privacy Office, as required by the E-Government Act of 2002, for all research projects that involve or impact PII, and will publish PIAs for all non-classified research.
• Data Quality and Integrity. Projects will endeavor to use only data that is reasonably considered both accurate and appropriate for the project’s documented purpose(s).
• Data Minimization. Projects will use the least amount of PII consistent with their documented purpose(s). Where practicable, S&T will use data minimization techniques to accomplish this goal.
• Use Limitation. Projects will only use data in a manner that is consistent with disclosures in all applicable PIAs and Privacy Act System of Records Notices, and consistent with privacy notices and policies that apply to data originally collected by the private sector.
• Data Security. Researchers will take all reasonable steps necessary to maintain the security of the data they use.
• Training. Personnel involved in a project will receive training on DHS privacy policy and on the privacy protections built into individual research projects.
• Audit. Projects will use automated or non-automated audit procedures to ensure compliance with project access and data usage rules.
• Redress. The Privacy Office, together with S&T’s Privacy Officer, will develop and administer a redress program to handle inquiries and complaints regarding any S&T research project and to provide relief where warranted.

The Principles appear in an appendix to Data Mining: Technology and Policy, the Privacy Office’s 2008 report to Congress on Department data mining activities. The report is available on the Privacy Office website.

We are proud of the collaborative work that led to the creation of these principles, and look forward to continuing to work together in our common mission to protect the American people and our homeland.

Hugo Teufel III
Chief Privacy Officer

Jay M. Cohen
Under Secretary, Science and Technology Directorate