[Federal Register: June 22, 2005 (Volume 70, Number 119)]
[Notices]
[Page 36319-36324]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr22jn05-202]
[[Page 36319]]
-----------------------------------------------------------------------
Part VI
Department of Homeland Security
-----------------------------------------------------------------------
Transportation Security Administration
-----------------------------------------------------------------------
Privacy Act of 1974; Systems of Records: Secure Flight Test Records;
Privacy Impact Assessment; Secure Flight Test Phase; Notice
[[Page 36320]]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
[Docket No. TSA-2004-19160]
Privacy Act of 1974; Systems of Records: Secure Flight Test
Records; Privacy Impact Assessment; Secure Flight Test Phase
AGENCY: Transportation Security Administration, DHS.
ACTION: Notice to supplement and amend existing system of records and
privacy impact assessment.
-----------------------------------------------------------------------
SUMMARY: The Transportation Security Administration is amending the
Privacy Act System of Records for the Secure Flight Test Records system
(DHS/TSA 017) and the Privacy Impact Assessment for the Secure Flight
Test Phase.
DATES: This action will be effective upon publication.
FOR FURTHER INFORMATION CONTACT: Lisa S. Dean, Privacy Officer, Office
of Transportation Security Policy, TSA Headquarters, TSA-9, 601 S. 12th
Street, Arlington, VA 22202-4220; telephone (571) 227-3947.
SUPPLEMENTARY INFORMATION:
Background
The Transportation Security Administration (TSA) established the
Secure Flight Test Records system (DHS/TSA 017) on September 24, 2004
(69 FR 57345), to cover records obtained or created in the course of
testing the Secure Flight program. TSA also published on the same day a
notice setting forth the Privacy Impact Assessment (PIA) prepared for
the testing phase of the Secure Flight program (69 FR 57352). The
Secure Flight program will implement the mandate of section 4012(a)(1)
of the Intelligence Reform and Terrorism Prevention Act of 2004 (Pub.
L. 108-458) requiring the Transportation Security Administration to
assume from air carriers the function of conducting pre-flight
comparisons of airline passenger information to Federal Government
watch lists.
TSA has described the testing of Secure Flight in previously-
published documents (69 FR 57345, 57352, Sept. 24, 2004). TSA is
issuing these revised versions of the System of Records Notice and PIA
to provide additional detail regarding the Secure Flight testing
program.
In addition, TSA is amending the Secure Flight Test Records system
to reflect the fact that TSA will not assert any Privacy Act exemptions
for the system. In the system of records notice published on September
24, 2004, TSA stated that it was claiming exemptions for portions of
the system of records from the following provisions of the Privacy Act:
5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G) and (H), and (f) pursuant
to 5 U.S.C. 552a(k)(1) and (k)(2). TSA has not initiated a rulemaking
to implement these exemptions from the Privacy Act, however, because it
became clear from the nature of the records in the system that the
exemptions were not necessary. Rather than claiming Privacy Act
exemptions to withhold this information, TSA has released passenger
name records (PNR) to individuals who have requested them under the
Privacy Act and will continue to respond to such records requests, to
the extent permitted by law. Therefore, TSA is amending the system of
records and the PIA to reflect this practice.
Finally, TSA is making a change to the system of records to reflect
the change of the name of TSA's Office of National Risk Assessment to
the Office of Transportation Vetting and Credentialing.
Summary of Amendments to the Secure Flight Test Records System and the
PIA
TSA is amending the scope of the system of records notice and the
PIA to clarify and describe with greater particularity the categories
of records and categories of individuals covered by the Secure Flight
Test Records system. The categories of records include PNRs enhanced
with certain elements of commercial data that were provided to TSA for
purposes of testing the Secure Flight program and include commercial
data purchased and held by a TSA contractor, EagleForce Associates,
Inc. (EagleForce), for purposes of the commercial data test. In
addition, the categories of individuals covered by the system include
individuals identified in commercial data purchased and held by
EagleForce. Finally, TSA is clarifying that part of the Secure Flight
test involves testing whether watch list matching could be more
effective if the Government were to use certain limited additional data
elements derived from commercial data to enhance PNRs.
1. The complete revised Secure Flight Test records system follows:
DHS/TSA 017
System name:
Secure Flight Test Records.
Security Classification:
Classified, sensitive.
System Location:
Records are maintained at: the Office of Transportation Vetting and
Credentialing (OTVC), Transportation Security Administration (TSA),
Department of Homeland Security, P.O. Box 597, Annapolis Junction, MD
20701-0597; the OTVC assessment facility in Colorado Springs, Colorado;
and at EagleForce Associates, Inc., McLean, VA.
Categories of Individuals Covered by the System:
(a) Individuals traveling within the United States by passenger air
transportation on certain domestic flights completed in June 2004;
(b) Individuals identified in commercial data purchased and held by
a TSA contractor for purposes of comparing such data with the June 2004
Passenger Name Records and testing the Secure Flight program;
(c) Individuals known or reasonably suspected to be or have been
engaged in conduct constituting, in preparation for, in aid of, or
related to terrorism.
Categories of Records in the System:
(a) Passenger Name Records (PNRs) for certain passenger air
transportation flights completed in June 2004 provided by aircraft
operators in response to the Transportation Security Administration
Order issued November 15, 2004 (69 FR 65625), (the June 2004 PNRs), the
specific contents of which often vary by aircraft operator;
(b) Information obtained from the Terrorist Screening Center about
individuals known or reasonably suspected to be or to have been engaged
in conduct constituting, in preparation for, in aid of, or related to
terrorism;
(c) Authentication scores and codes obtained from commercial data
providers;
(d) PNRs that were enhanced with certain fields of information
obtained from commercial data--full name, address, date of birth,
gender--and that were provided to TSA for purposes of testing the
Secure Flight program;
(e) Commercial data purchased and held by a TSA contractor for
purposes of comparing such data with June 2004 PNRs and testing the
Secure Flight program;
(f) Results of comparisons of individuals identified in PNRs to
watch lists obtained from the Terrorist Screening Center.
Authority for Maintenance of the System:
49 U.S.C. 114, 44901, and 44903.
Purpose(s):
The system will be used to test the Secure Flight program. The
purpose of
[[Page 36321]]
the program is to enhance the security of domestic air travel by
identifying passengers who warrant further scrutiny prior to boarding
an aircraft. The purposes of testing the Secure Flight program are: (1)
To test the Government's ability to process and compare passenger
information against terrorist watch list information held by the
Terrorist Screening Center (TSC) in the Terrorist Screening Database
(TSDB); (2) to test the Government's ability to operate a streamlined
version of the rule set used under the existing computer-assisted
passenger prescreening system (CAPPS) currently used by aircraft
operators; and (3) to test the Government's ability to verify the
identities of passengers using commercial data and to improve the
efficacy of watch list comparisons by making passenger information more
complete and accurate using commercial data. For more detail on the
purposes and conduct of the Secure Flight testing, please see the
revised PIA for the Secure Flight Test Phase, which is published below.
Routine Uses of Records Maintained in the System, Including Categories
of Users and the Purposes of Such Uses:
(1) To the Federal Bureau of Investigation where TSA becomes aware
of information that may be related to an individual identified in the
Terrorist Screening Database as known or reasonably suspected to be or
having been engaged in conduct constituting, in preparation for, in aid
of, or related to terrorism.
(2) To contractors, grantees, experts, consultants, or other like
persons when necessary to perform a function or service related to the
Secure Flight program or the system of records for which they have been
engaged. Such recipients are required to comply with the Privacy Act, 5
U.S.C. 552a, as amended.
(3) To the Department of Justice (DOJ) or other Federal agency in
the review, settlement, defense, and prosecution of claims, complaints,
and lawsuits involving matters over which TSA exercises jurisdiction or
when conducting litigation or in proceedings before any court,
adjudicative or administrative body, when: (a) TSA; or (b) any employee
of TSA in his/her official capacity; or (c) any employee of TSA in his/
her individual capacity, where DOJ or TSA has agreed to represent the
employee; or (d) the United States or any agency thereof, is a party to
the litigation or has an interest in such litigation, and TSA
determines that the records are both relevant and necessary to the
litigation and the use of such records is compatible with the purpose
for which TSA collected the records.
(4) To the National Archives and Records Administration (NARA) or
other Federal agencies pursuant to records management inspections being
conducted under the authority of 44 U.S.C. 2904 and 2906.
(5) To a Congressional office from the record of an individual in
response to an inquiry from that Congressional office made at the
request of the individual.
(6) To an agency, organization, or individual for the purposes of
performing authorized audit or oversight operations.
Disclosure to Consumer Reporting Agencies:
None.
Policies and Practices for Storing, Retrieving, Accessing, Retaining
and Disposing of Records in the System:
Storage:
Records are stored electronically in a secure facility at the
Office of Transportation Vetting and Credentialing (OTVC),
Transportation Security Administration (TSA), Department of Homeland
Security, P.O. Box 597, Annapolis Junction, MD 20701-0597; the OTVC
assessment facility in Colorado Springs, Colorado; and at EagleForce,
Inc., McLean, VA. The records are stored on magnetic disc, tape,
digital media, and CD-ROM, and may also be retained in hard copy format
in secure file folders.
Retrievability:
Data are retrievable by the individual's name or other identifier,
as well as non-identifying information.
Safeguards:
Information in this system is safeguarded in accordance with
applicable rules and policies, including any applicable OTVC, TSA, and
DHS automated systems security and access policies. Access to computer
systems containing the records in this system of records is limited and
can be accessed only by those individuals who require it to perform
their official duties. Safeguards also include a real time auditing
function of individuals who access computer systems containing the
records in this system of records. Classified information, if any, will
be appropriately stored in a secured facility, in secured databases and
containers, and in accordance with other applicable requirements,
including those pertaining to classified information.
Retention and Disposal:
TSA has determined that the records contained in the Secure Flight
Test records system are covered by NARA General Records Schedule (GRS)
20, which applies to electronic records. It covers electronic files or
records created solely to test system performance, as well as hard-copy
printouts and related documentation for the electronic files/records.
Under GRS 20, an agency may delete or destroy such records when the
agency determines that they are no longer needed for administrative,
legal, audit, or other operational purposes. In accordance with GRS 20,
TSA has destroyed certain copies of the original PNRs provided by the
air carriers. In addition, in accordance with applicable law, TSA plans
to direct and document the destruction of the remaining PNRs and
commercial data in its possession or in the possession of EagleForce as
testing activities and analyses are completed.
System Manager(s) and Address:
Assistant Administrator, Secure Flight/Registered Traveler,
Transportation Security Administration, P.O. Box 597, Annapolis
Junction, MD 20701-0597.
Notification procedure:
See ``Record Access Procedure''.
Record Access Procedure:
DHS has determined that all persons may request access to
information about them contained in the system by sending a written
request to the TSA Privacy Officer, Transportation Security
Administration (TSA-9), 601 South 12th Street, Arlington, VA 22202.
To the extent permitted by law, such access will be granted.
Individuals requesting access must comply with the Department of
Homeland Security Privacy Act regulations on verification of identity
(6 CFR 5.21(d)). Individuals must submit their full name, current
address, and date and place of birth. Individuals must sign the request
and the signature must either be notarized or submitted under 28 U.S.C.
1746, a law that permits statements to be made under penalty of perjury
as a substitute for notarization.
Exemptions claimed for the system:
None.
2. The complete revised PIA follows:
Secure Flight Test Phase Privacy Impact Assessment
I. Introduction
Pursuant to the authority granted by the Aviation and
Transportation Security Act of 2001 (ATSA) and
[[Page 36322]]
section 4012(a)(1) of the Intelligence Reform and Terrorism Prevention
Act of 2004 (IRTPA) (Pub. L. 108-458, 118 Stat. 3638, Dec. 17, 2004),
TSA is developing a new program for screening domestic airline
passengers in order to enhance the security and safety of domestic
airline travel. Under this program, Secure Flight, the Transportation
Security Administration (TSA) will assume from air carriers the
function of conducting pre-flight comparisons of airline passenger
information to the expanded and consolidated watch lists held in the
Terrorist Screening Database (TSDB) maintained by the Terrorist
Screening Center (TSC).\1\ On November 15, 2004, TSA issued an order
directing U.S. aircraft operators to provide to TSA, by November 23,
2004, a limited set of historical passenger name records (PNRs) for
testing of the Secure Flight program.
---------------------------------------------------------------------------
\1\ The Terrorist Screening Center (TSC), established in
December 2003, maintains a consolidated, comprehensive watch list of
known or suspected terrorists. This database can be used by
Government agencies in screening processes to identify individuals
known to pose or are suspected of posing a risk to the security of
the United States.
---------------------------------------------------------------------------
Because the test involves existing watch lists that are being
consolidated and expanded in the TSC, the E-Government Act of 2002
requires that a Privacy Impact Assessment (PIA) be conducted. The
previously published PIA is being clarified and expanded to reflect
more closely actual experience as the testing program has been
conducted, refined and modified since September 2004. After the testing
has been concluded and the results analyzed, TSA will update the PIA as
necessary prior to actual implementation of the Secure Flight program.
System Overview
What information is to be collected and used for testing
Secure Flight?
In order to conduct testing, TSA obtained historic PNRs for
individuals who completed domestic flight segments during the month of
June 2004. PNR varies according to airline, but generally includes the
following information fields: Full name, contact phone number, mailing
address and travel itinerary. Also for purposes of the test, a TSA
contractor, EagleForce Associates, Inc. (EagleForce), obtained
commercial data from three commercial data aggregators. EagleForce
contracted with each commercial data aggregator to identify records in
its data bases associated with names in a sample set of PNRs and
provide such records to EagleForce, but to provide only certain data
elements associated with the names. Specifically, EagleForce requested
the following data elements: First name; last name; middle name; home
address; home phone number; date of birth; name suffix; second surname;
spouse first name; gender; second address; third address; plus-four
portion of Zip code; address type (residence, business, or mailing
address); latitude of address; and longitude of address. In some cases
the commercial data aggregators provided information that EagleForce
did not request, such as social security numbers, due to the way the
commercial data aggregators packaged their product. Although EagleForce
loaded the commercial data provided by the commercial data aggregators
onto a database, EagleForce has not queried or used any of the data
elements that the commercial data aggregators provided over and above
the specific data elements that EagleForce had specifically requested.
Why is the information being collected and who will be
affected by the collection of the data?
TSA collected the information described above to test the Secure
Flight program, the purpose of which is to enhance the security of
domestic air travel by identifying only those passengers who warrant
further scrutiny. TSA's test of the Secure Flight program has three
objectives. The first objective is to test the Government's ability to
process and compare passenger information against terrorist watch list
information held by the TSC in the TSDB. The second objective is to
test the Government's ability to operate a streamlined version of the
rule set used under the existing computer-assisted passenger
prescreening system (CAPPS) currently used by aircraft operators. The
third objective is to test the Government's ability to verify the
identities of passengers using commercial data and to improve the
efficacy of watch list comparisons by making passenger information more
complete and accurate using commercial data to enhance PNRs with
elements such as full name, address, date of birth, and gender. TSA,
through its contractor IBM, has compared the PNR with data maintained
in the TSDB regarding individuals known or reasonably suspected to be
or have been engaged in conduct constituting, in preparation for, in
aid of, or related to terrorism. TSA is continuing watch list match
testing through it contractor, Mitre, using the original PNRs provided
by the air carriers. TSA also continues to conduct internal system
testing of the watch list matching processes through Mitre and IBM.
To prepare for the commercial data test, two statistically
significant samples of the PNR data were extracted. One sample
consisted of approximately 17,000 PNRs representing a cross section of
air carriers and indicative of a typical PNR. A second sample was also
developed that consisted of approximately 24,000 PNRs that contained
dates of birth.
The sample data sets, which represent PNRs from eight U.S. air
carriers, were stored on CD-ROMs. These data sets are used to perform
watch list match testing in connection with the first objective of the
program described above.
In addition, TSA hand delivered duplicates of the CD-ROMs
containing the two sample PNR data sets to EagleForce. TSA also
provided to EagleForce unparsed copies of other electronically stored
June 2004 PNR data from the air carriers whose PNRs were included in
the representative samples.
In preparing for the commercial test, for each of the approximately
42,000 names in the two sample sets of PNRs, EagleForce created up to
twenty variations of a person's first and last names. Accordingly,
EagleForce generated approximately 240,000 name variations derived from
the approximately 42,000 names in the sample data sets. The original
PIA and system of records notice did not discuss this process, because
TSA had not developed its test plan with this level of detail at the
time the documents were published.
EagleForce submitted the original names and name variations to
three commercial data aggregators: Insight America, Acxiom, and Qsent.
Upon receipt of the information provided by the commercial data
aggregators, EagleForce loaded the records into a database. In order to
accomplish the third test objective identified above, Secure Flight
undertook two steps. First, EagleForce compared information in the
sample PNRs with certain data elements contained in the information in
the commercial data records to attempt to identify instances when the
data in the PNRs was incorrect or inaccurate. In the course of this
activity, EagleForce used only those data elements that it had asked
the commercial data aggregators to provide. EagleForce did not use any
of the data elements that the commercial data aggregators had provided
beyond the specific data elements that EagleForce had specifically
requested.
Second, to further test accuracy through verification testing,
EagleForce used certain records obtained from the three commercial data
aggregators to enhance the sample PNR data in cases
[[Page 36323]]
where PNRs were missing data. If a PNR in the sample data did not have
complete information on a subject's full name, date of birth, address,
gender, or one of the other categories of data that EagleForce
specifically requested from the commercial data aggregators, EagleForce
attempted to incorporate that data from the commercial data records,
thereby ``enhancing'' the PNRs with these specific elements. However,
EagleForce did not use the following data elements to enhance PNRs:
spouse first name; latitude of address; and longitude of address.
EagleForce then produced CD-ROMs containing the PNRs enhanced with the
additional data elements and provided those CD-ROMs to TSA for use in
watch list match testing. TSA currently retains the CD-ROMs containing
the enhanced PNRs and stores these CD-ROMS when they are not in use in
a controlled access safe. TSA provided for a limited period of time the
CD-ROMs containing the enhanced PNRs to employees of TSA's contractor
charged with conducting watch list testing (IBM), to determine whether
using commercial data to enhance passenger information could lower the
number of instances in which a person appears to be a match to the
TSDB, but is not (a false positive) or appears not to be a match, but
in fact is (a false negative).
The categories of individuals covered by the data collection are:
individuals who traveled within the United States during June 2004 by
passenger air transportation and whose PNRs were provided by aircraft
operators in response to the Transportation Security Administration
Order issued November 15, 2004 (69 FR 65625); individuals identified in
commercial data purchased and held by a TSA contractor for purposes of
testing the Secure Flight program; and individuals known or reasonably
suspected to be or have been engaged in conduct constituting, in
preparation for, in aid of, or related to terrorism.
TSA has not and will not use the results of its testing for any
purpose other than analysis of the efficacy of the program unless there
is an indication during the testing of terrorist or possible terrorist
activity. In such a case, appropriate action will be taken, which may
include providing information in the system of records to relevant law
enforcement agencies. To date no such action has been warranted.
What notice or opportunities for consent are provided to
individuals regarding the information that is collected and shared?
The original Privacy Act System of Records Notice and PIA, as well
as the revised versions of each document, provide notice of the scope,
purposes, and effect of the test phase of the Secure Flight program.
Because the test phase uses historical PNR from the month of June 2004
for flights that were completed by the end of that month, as well as
data residing in commercial databases that already had been collected
prior to the test, the notice given did not afford the opportunity for
these individuals to provide consent in advance of this collection.
Nevertheless, Secure Flight has been the subject of Congressional
testimony, public statements by TSA officials, and numerous media
reports that convey additional notice, including information that
appears on the TSA Web site at http://www.tsa.gov/public/.
The information collected has been shared with TSA employees and
contractors who have a ``need to know'' in order to conduct the
required test comparisons. All TSA contractors involved in the testing
of Secure Flight are contractually and legally obligated to comply with
the Privacy Act in their handling, use and dissemination of personal
information in the same manner as TSA employees.
If a comparison using the test data indicates that an individual is
suspected of terrorism, TSA will refer the information to appropriate
law enforcement personnel for further action. Referrals will only
occur, however, in this limited circumstance because the basic purpose
of this information collection is to test the Secure Flight program. To
date, no such referrals have been warranted.
What security protocols are in place to protect the
information?
TSA has employed data security controls, developed with the TSA
Privacy Officer, to protect the data used for Secure Flight testing
activities. Information in TSA's record systems is safeguarded in
accordance with the Federal Information Security Management Act of 2002
(Pub. L. 107-347), which established Government-wide computer security
and training standards for all persons associated with the management
and operation of Federal computer systems. The systems on which the
tests are or have been conducted were assessed for security risks, have
implemented security policies and plans consistent with statutory,
regulatory and internal DHS guidance.
Prior to accepting custody of the PNR data, TSA established chain-
of-custody procedures for the receipt, handling, safeguarding, and
tracking of access to the PNR data and TSA maintained the data at its
secure facility in Annapolis Junction, Maryland. Access to the data was
limited to individuals with a need for access in order to conduct
testing activities.
Records of transmission of PNR data to EagleForce were maintained
by TSA's security officers. EagleForce had measures in place to control
access and handling of PNR data. In addition, EagleForce employees
completed training for handling sensitive information and entered into
non-disclosure agreements covering all data provided by the Government
for use during the test. Copies of these agreements are maintained by
TSA's security office.
TSA and its contractors maintain the PNRs and the limited
commercial data collected for the test in a secure facility on
electronic media and in hard copy format. The information is protected
in accordance with rules and policies established by both TSA and DHS
for automated systems and for hard copy storage, including password
protection and secure file cabinets. Moreover, access is strictly
controlled; only TSA employees and contractors with proper security
credentials and passwords will have permission to use this information
to conduct the required tests, on a need-to-know basis. Additionally, a
real time audit function is part of this record system to track who
accesses the information resident on electronic systems during testing.
Any infractions of information security rules will be dealt with
severely. None has occurred to date. All TSA and assigned contractor
staff receive DHS-mandated privacy training on the use and disclosure
of personal data. The procedures and policies that are in place are
intended to ensure that no unauthorized access to records occurs and
that operational safeguards are firmly in place to prevent system
abuses.
Does this program create a new system of records under the
Privacy Act?
On September 24, 2004, TSA established a new Privacy Act system of
records, known as the Secure Flight Test Records system of records,
DHS/TSA 017, for purposes of Secure Flight testing activities (69 FR
57345). TSA has amended and supplemented that system of records to
clarify the original system of records notice with additional detail on
the Secure Flight testing activities.
What is the intended use of the information?
The information collected by TSA and TSA contractors has been and
will be used solely for the purpose of testing the Secure Flight
program, as described in this PIA, and will be maintained in a Privacy
Act system of records in
[[Page 36324]]
accordance with the published system of records notice for DHS/TSA 017.
Will the information be retained and, if so, for what
period of time?
TSA has determined that the records contained in the Secure Flight
Test Records system are covered by NARA General Records Schedule (GRS)
20, which applies to electronic records. It covers electronic files or
records created solely to test system performance, as well as hard-copy
printouts and related documentation for the electronic files/records.
Under GRS 20, an agency may delete or destroy such records when the
agency determines that they are no longer needed for administrative,
legal, audit, or other operational purposes. In accordance with GRS 20,
TSA has destroyed certain copies of the original PNRs provided by the
air carriers. In addition, TSA, in accordance with applicable law,
plans to direct the destruction of the remaining PNRs and commercial
data in its possession or in the possession of EagleForce as testing
activities and analyses are completed.
How will the passenger be able to seek redress?
During the test phase individuals may request access to information
about themselves contained in the PNR subject to Secure Flight test
phase by sending a written request to TSA. To the extent permitted by
law, access will be granted. If an individual wishes to contest or
amend the records received in this manner, he or she may do so by
sending that request to TSA. The request should conform to DHS
requirements for contesting or amending Privacy Act records, and should
be sent TSA Privacy Officer, Transportation Security Administration
(TSA-9), 601 South 12th Street, Arlington, VA 22202. Before
implementing a final program, however, TSA will create a robust redress
mechanism to resolve disputes concerning the Secure Flight program.
What databases will the names be compared to?
TSA has compared the names against the TSDB, which is a
consolidated, comprehensive watch list of known or suspected
terrorists. This database can be used by Government agencies in
screening processes to identify individuals known to pose or are
suspected of posing a risk to the security of the United States. This
consolidated database contains information contributed by the
Departments of Homeland Security, Justice, and State and by the
intelligence community. Because information related to terrorists is
consolidated in the TSDB, TSA believes that the TSDB provides the most
effective and secure system against which to run airline passenger
names for purposes of identifying whether or not they are known or
reasonably suspected to be engaged in terrorism or terrorist activity.
TSA's contractor has compared names with information provided by
commercial data aggregators to identify commercial data records from
which to enhance PNRs for purposes of the Secure Flight test.
Privacy Effects and Mitigation Measures.
The decision to initiate Secure Flight followed completion of a
thorough review of the TSA's next generation passenger prescreening
program and the mandate of section 4012(a)(1) of the IRTPA.
Testing has been and continues to be governed by strict privacy and
data security protections. TSA will defer any decision on how
commercial data might be used in its prescreening programs, as Secure
Flight, until the completion of the test period, assessment of the test
results and publication of a subsequent System of Records Notice under
the Privacy Act announcing the intended use of such commercial data.
TSA has taken action to mitigate privacy risk by designing its test
activities to address concerns expressed by privacy advocates, foreign
counterparts and others. Under the Secure Flight testing phase, TSA did
not require air carriers to collect any additional information from
their passengers than was already collected by such carriers and
maintained in passenger name records. TSA has adopted and carried out
stringent data security and privacy protections, including contractual
prohibitions on commercial entities' maintenance or use of airline-
provided PNR information for any purposes other than testing under TSA
parameters; real time auditing procedures to determine when data within
the Secure Flight system has been accessed and by whom; and strict
rules prohibiting the accessing or use of commercial data by TSA
employees.
TSA will assess test results prior to any operational use of
commercial data in TSA programs to determine whether its use is
effective in verifying passenger identity or enhancing watch list
comparisons, justifies the associated costs, does not result in
disparate treatment of any class of individuals, and that data security
protections and privacy protections are robust and effective.
TSA also recognizes that there is a privacy risk inherent in the
design of any new system which could result from design mistakes. By
testing the proposed Secure Flight program, TSA has had the opportunity
to modify the program design in ways to enhance protection of
individuals' privacy interests before the program becomes fully
operational, ensuring a better program. TSA is purposely testing the
Secure Flight system and will be carefully scrutinizing the performance
of the system during the test phase--and conducting further analysis
upon completion--to determine the effectiveness of Secure Flight both
for passenger prescreening as well as for protecting the privacy of the
data on which the program is based. By following strict rules for
oversight and training of personnel handling the data as well as strong
system auditing to detect potential abuse and a carefully planned and
executed redress process, TSA will continue to ensure that privacy is
an integral part of the program once it becomes operational, as it has
been during testing. TSA's efforts have been and continue to be
thoroughly examined internally, including review by the TSA Privacy
Officer and the DHS Chief Privacy Officer. In this process, TSA will
carefully review constructive feedback it receives from the public on
this important program.
Issued in Arlington, Virginia, on June 17, 2005.
Lisa S. Dean,
TSA Privacy Officer.
[FR Doc. 05-12405 Filed 6-17-05; 5:02 pm]
BILLING CODE 4910-62-P