(1) What is the Structure of the Office of Privacy and Civil Liberties?
(2) What are OPCL’s Statutory and Administrative Authorities?
(3) What is OPCL’s Privacy Compliance Process?
(4) What Types of Redress are Available through OPCL?
-----------------------------------------------------------------------------------------------
(1) What is the Structure of the Office of Privacy and Civil Liberties?
The mission of the Office of Privacy and Civil Liberties (OPCL) is to provide legal advice and guidance to Departmental components, ensure the Department’s privacy compliance, and develop Departmental privacy policy. This includes matters concerning the Department’s collection, use, and dissemination of personally identifiable information (PII); privacy issues related to the Department’s counterterrorism efforts; and the Department’s compliance with privacy-related laws and policies.
OPCL supports the duties and responsibilities of the Department’s Chief Privacy and Civil Liberties Officer (CPCLO). The CPCLO, who is part of the Office of the Deputy Attorney General (ODAG), is the principal advisor to the Attorney General on privacy and civil liberties matters affecting the Department’s missions and operations. The Director of OPCL reports directly to the CPCLO in ODAG.
In accordance with DOJ Order 0601, Privacy and Civil Liberties (Feb. 6, 2014), Department components are required to identify a Senior Component Official for Privacy (SCOPs) to manage―at the component level―the implementation of privacy rules, regulations, policies, and laws, and to serve as the CPCLO’s and OPCL’s main point of contact. OPCL coordinates privacy compliance with Departmental components through designated SCOPs.
(2) What are OPCL’s Statutory and Administrative Authorities?
(a) Privacy Act of 1974
The Privacy Act of 1974, 5 U.S.C. § 552a, governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual, or by some identifier assigned to the individual. The Privacy Act sets forth various agency record-keeping requirements. The Privacy Act requires that agencies give public notice of their systems of records by publication in the Federal Register. The disclosure of a record about an individual from a system of records is prohibited under the Privacy Act absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions. Through the Privacy Act, individuals are able to seek access to, as well as amend, their records.
(b) Section 208 of the E-Government Act of 2002
The E-Government Act of 2002, 44 U.S.C. § 3501, was enacted in recognition of technological changes in computers, digitized networks, internet access, and the creation of new electronically available information. These changes increase the availability of both personal and public information, and have important ramifications for the protection of PII contained in government records and systems. Section 208 requires all federal government agencies to produce a Privacy Impact Assessment (PIA) upon the development or procurement of new information technology involving the collection, maintenance, or dissemination of information in identifiable form (IFF) or once substantial changes are made to existing information technology that manages IIF. The Act requires an agency to make PIAs publicly available, except when an agency, using its discretion, determines that publication of the PIA would raise security concerns, reveal classified (i.e., national security) information or sensitive information (e.g., the assessment contains information potentially damaging to a national interest, law enforcement effort, or competitive business interest).
(3) What is OPCL’s Privacy Compliance Process?
(a) Initial Privacy Assessment (IPA)
The privacy compliance process begins when the Department first determines it needs to collect, maintain, disseminate, or otherwise use PII. The Department has established the IPA template, which consolidates various privacy compliance requirements in to a single, unified, and comprehensive process. The IPA template consists of questions designed to help components and OPCL determine whether a particular information system requires further privacy documentation (e.g., a Privacy Impact Assessment or a System of Records Notice), or raises other privacy issues or concerns. In particular, the IPA bridges the information technology (IT) security with privacy processes and communities, and assists in identifying information assets requiring appropriate security controls, which permits better identification of those systems containing and maintaining PII.
An IPA must be completed prior to the development of an information system, specifically before the initiation of any testing or piloting of an information system. This enables components to identify steps to mitigate any potential adverse impact on privacy at the outset of the information collection or program. For example, an IPA may help a component determine that the collection and use of Social Security Numbers (SSNs) or other sensitive PII within a system is not necessary, and decide to forego the collection of such PII.
The DOJ IPA template can be found here.
(b) Privacy Impact Assessment (PIA)
When an IPA determination requires further privacy documentation of a system, a PIA may be required to be submitted to OPCL for further analysis. PIAs provide an analysis of how information in a system is handled by components to ensure compliance with applicable legal, regulatory, and policy requirements regarding privacy. PIAs determine the risks and effects of collecting, maintaining, and disseminating information in an electronic information system. Additionally, PIAs examine and evaluate protections and alternatives processes for handling information to mitigate potential privacy risks.
A PIA must be completed either before developing or procuring IT systems or projects that collect, maintain, or disseminate IIF about members of the public, or before initiating a new electronic collection of IIF for 10 or more persons. By conducting a PIA at this time, components should consider the privacy impact from the beginning of a system’s development through the system’s lifecycle to ensure that system developers and owners have made technology choices that incorporate privacy protections into the underlying architecture of the system.
A list of, and links to, published DOJ PIAs can be found here.
(c) System of Record Notice (SORN)
The Privacy Act of 1974, 5 U.S.C. § 552a, requires agencies to provide notice to the public and publish a SORN if a component maintains, collects, uses, or disseminates records about an individual and retrieves it by a personal identifier. A SORN provides the public with details about a system of records, including its purpose for collection and maintenance, the categories of individuals serving as the subject of such records, the categories of information to be used and collected by the agency, the location where the agency maintains the information, the means of access and correction available to the individual, the safeguards that will protect the information, and the parties with whom and under what conditions the agency will share the information in the system.
A SORN must be published in the Federal Register before the system is used, unless the system is already covered by an existing SORN (e.g., use of the system is permissible as a routine use listed in another SORN). OPCL advises the Department’s components on whether a particular information system qualifies as a system of records, and whether it is necessary to draft a new SORN, or to modify an existing SORN and any accompanying exemption regulation.
A list of, and links to, completed DOJ SORNs can be found here.
(d) Privacy Advice
In addition to assisting Department components in the drafting of the above-mentioned privacy documentation, OPCL also advises components and the Department’s senior leadership on a variety of privacy issues. For example, OPCL regularly provides guidance to components regarding permitted disclosures of information located in a system of records.
In addition, OPCL advises components on preparing other Privacy Act documents, such as Privacy Act consent forms and Privacy Act notice statements, which provide actual notice to an individual about an agency’s collection authority and the possible uses of information collected from individuals.
OPCL also assists the CPCLO in addressing privacy issues that arise in international agreements and with regard to the Department’s oversight of the Intelligence Community.
(4) What Types of Redress are Available through OPCL?
(a) Privacy and Civil Liberties Complaints
Members of the public may contact OPCL directly. OPCL receives numerous inquiries from members of the public through its email inbox and main phone number, and has established a process to review such inquiries in a timely manner. In this capacity, OPCL acts as an ombudsman for inquirers to ensure that their inquiries are properly reviewed and responses are appropriately provided and/or referred.
(b) Privacy Act Amendment Appeals
Under subsection (d)(2) of the Privacy Act, a member of the public may request that the Department amend records pertaining to him/her that are kept in a DOJ system of records. Most initial amendment requests are sent directly to the Department component that owns the relevant system of records, but if the component denies the amendment request, OPCL will adjudicate any appeal of such denial. In addition, OPCL also adjudicates initial requests to amend records received by the Department’s senior management offices.