Privacy Compliance Review for the Analytical Framework for Intelligence

The Department of Homeland Security (DHS) U.S. Customs and Border Protection (CBP), Office of Intelligence and Investigative Liaison (OIIL) developed the Analytical Framework for Intelligence (AFI) to enhance DHS’s ability to identify, apprehend, and prosecute individuals who pose a potential law enforcement or security risk, and to improve border security. AFI augments DHS’s ability to gather and develop information about persons, events, and cargo of interest by creating an index of the relevant data in existing operational systems and providing DHS AFI analysts with tools that assist in identifying non-obvious relationships. AFI allows analysts to generate tactical, operational, and strategic law enforcement intelligence products. Finished intelligence products better inform finished intelligence product users about why an individual or cargo may be of greater security interest based on the targeting and derogatory information identified in or through CBP’s existing data systems.

The DHS Privacy Office and CBP issued a Privacy Impact Assessment (PIA) and System of Records Notice (SORN) for AFI in 2012. Due to the sensitive nature of the AFI system, including its search and aggregation capabilities, AFI was developed in coordination with the DHS Privacy Office to minimize privacy risks. These privacy risks are identified and discussed in the 2012 AFI PIA.  The DHS Privacy Office also required that AFI undergo a Privacy Compliance Review (PCR) within 12 months of the system’s operational deployment. The objective of this PCR is to assess compliance with the existing compliance documentation published by AFI and ensure the privacy protections in the PIA are followed. This is the first PCR on the AFI system. Between August 2013 and May 2014, the DHS Privacy Office Oversight Team assessed these privacy protections.

The DHS Privacy Office finds that CBP OIIL developed AFI with privacy-protective objectives and continues to operate AFI with sensitivity to privacy and data aggregation risks. During the two years since AFI’s launch, however, CBP has employed new search, analysis, and storage tools that have consolidated more data than was contemplated during the original privacy analysis in the PIA. Accordingly, the DHS Privacy Office makes sixteen (16) specific recommendations for CBP in order to enhance AFI privacy protections commensurate with AFI’s use of these new tools.