[Federal Register Volume 76, Number 143 (Tuesday, July 26, 2011)]
[Rules and Regulations]
[Pages 44452-44454]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-18828]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Office of the Secretary
6 CFR Part 5
[Docket No. DHS-2011-0054]
Privacy Act of 1974: Implementation of Exemptions; Department of
Homeland Security National Protection and Programs Directorate--001
National Infrastructure Coordinating Center Records System of Records
AGENCY: Privacy Office, DHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security is issuing a final rule to
amend its regulations to exempt portions of a newly established system
of records titled, ``Department of Homeland Security/National
Protection and Programs Directorate--001 National Infrastructure
Coordinating Center Records System of Records'' from certain provisions
of the Privacy Act. Specifically, the Department exempts portions of
the ``Department of Homeland Security/National Protection and Programs
Directorate--001 National Infrastructure Coordinating Center Records
System of Records'' from one or more provisions of the Privacy Act
because of criminal, civil, and administrative enforcement
requirements. The Department will not claim Privacy Act exemption
(k)(3) as originally published in the Notice of Proposed Rulemaking.
DATES: Effective Date: This final rule is effective July 26, 2011.
FOR FURTHER INFORMATION CONTACT: For general questions please contact:
Emily Andrew (703-235-2182), Senior Privacy Officer, National
Protection and Programs Directorate, Department of Homeland Security,
Washington, DC 20525. For privacy issues please contact: Mary Ellen
Callahan (703-235-0780), Chief Privacy Officer, Privacy Office,
Department of Homeland Security, Washington, DC 20528.
SUPPLEMENTARY INFORMATION:
Background
The Department of Homeland Security (DHS), National Protection and
Programs Directorate (NPPD), published a notice of proposed rulemaking
(NPRM) in the Federal Register, 75 FR 69603, on November 15, 2010,
proposing to exempt portions of the system of records from one or more
provisions of the Privacy Act because of criminal, civil, and
administrative enforcement requirements. The system of records is the
DHS/NPPD--001 National Infrastructure Coordinating Center (NICC)
Records System of Records. The DHS/NPPD--001 NICC Records system of
records notice (SORN) was published concurrently in the Federal
Register, 75 FR 69693, November 15, 2010, and comments were invited on
both the NPRM and SORN. The Department will not claim Privacy Act
exemption (k)(3) as originally published in the NPRM.
Public Comments
DHS received one set of public comments from the Electronic Privacy
Information Center (EPIC). Comments submitted for the NPRM and SORN
were identical. Each comment is outlined below followed by the
Department's response.
1. By exempting this system of records from certain provisions of
the Privacy Act, DHS is contravening the purpose of the Act.
Comment: EPIC urged DHS to limit its exemptions from the Privacy
Act's provisions, including 5 U.S.C. 552a(c)(3), which entitles
individuals to an accounting of disclosures of their records, stating
that individuals should be able to know, after an investigation is
completed or made public, the information stored about them in the
system. Further, EPIC wrote that because information from informants
may be used to initiate investigations,
[[Page 44453]]
individuals may find themselves investigated due to malicious
information. This could be alleviated by providing access to records of
completed investigations with appropriate redactions. EPIC also stated
that DHS is retaining the right to disseminate using the overly broad
standard of ``potential risk of harm to an individual,'' while limiting
access to that same information that may be further disseminated.
Response: DHS recognizes the need to allow individuals the rights
to and an account of disclosures of their records. The determination to
exempt records from 5 U.S.C. 552a(d) is justified on a case-by-case
basis, to be determined at the time a request is made. In those
instances where an individual's records are determined to be exempt
from this provision, the individual may seek access to such records
under 5 U.S.C. 552.
Comment: EPIC stated that DHS is exempting this system from 5
U.S.C. 552a(d) in order to prevent individuals from avoiding detection
or tampering with evidence, which DHS argues would impose an
unreasonable administrative burden by requiring investigations to be
continually reinvestigated. EPIC wrote that this restriction would not
only contravene the Privacy Act, but may also hinder some government
investigations, as was illustrated in a 2007 Department of Justice
Inspector General review of the Transportation Security
Administration's (TSA) Terrorist Screening Center, which indicates that
errors in the watch list obstruct the capture of actual terrorists and
affect innocent individuals. EPIC specifically referenced fusion center
data, writing that by exempting this data, DHS would prevent
individuals from requesting information that DHS may be keeping on
them, limiting their opportunity to seek redress.
Response: DHS recognizes the need to allow individuals the right to
seek redress. The determination to exempt records from 5 U.S.C. 552a(d)
is justified on a case-by-case basis, to be determined at the time a
request is made. In those instances where an individual's records are
determined to be exempt from this provision, the individual may seek
access to such records under 5 U.S.C. 552. With respect to EPIC's
specific comment regarding fusion center data that information falls
outside the scope of this NPRM and SORN.
Comment: EPIC urged DHS to remove this system's exemption from 5
U.S.C. 552a(e)(1), requiring that records maintained in this system be
relevant and necessary to accomplish the agency's purpose, as this
standard is a fundamental and necessary part of the Privacy Act
protections and staves off mission creep. EPIC cited TSA's second-
generation Computer Assisted Passenger Prescreening System (CAPPS II)
program as an example in which mission creep led to additional
opportunity for errors. Further, EPIC wrote that this blanket exemption
would allow records to contain information unrelated to any purpose of
DHS.
Response: In the interest of effective law enforcement, it is
appropriate to retain all information that may aid in establishing
patterns of unlawful activity. The information collected in this system
that may be helpful in a particular investigation would likely be
relevant and necessary to the investigation at some stage, and thus be
in compliance with the standards of the Privacy Act.
Comment: EPIC expressed concerns with the operation of a proposed
fusion center without being subject to the provisions of 5 U.S.C.
552a(e)(4)(G)-(I) and (f), noting that this would prevent individuals
from knowing whether records in this system pertain to them. EPIC wrote
that DHS could promulgate rules requiring notification only after an
active investigation has been concluded or with sensitive information
redacted prior to release.
Response: This comment relates to fusion center activities, which
are outside the scope of this NPRM and SORN.
2. The NICC Proposal Requires a Narrow Mission with Clear Oversight
Mechanisms and Limiting Guidelines.
Comment: EPIC wrote that the NICC mission statement is overly broad
and justifies the collection of personal information for virtually any
reason or for no reason at all. Instead, EPIC would advocate for
meaningful guidance on the reasons and purpose of the creation of the
system of records, arguing that the range of routine uses proposed by
DHS are so broad as to make meaningless any intent to restrict data,
furthering the possibility of mission creep.
Response: Consistent with DHS's information sharing mission,
information contained in the system of records may be shared with other
DHS components, as well as appropriate Federal, state, local, Tribal
territorial, foreign or international government agencies. The sharing
will only take place after DHS determines that the receiving component
or agency has a verifiable need to know the information to carry out
national security, law enforcement, immigration, intelligence-related
activities, or to the functions consistent with the routine uses. DHS
has provided notice of the purpose of the creation of this system of
records in the form of NPRM, the SORN, and the Privacy Impact
Assessment (PIA).
3. The NICC Proposal Requires a New PIA.
Comment: EPIC called for a new PIA to be drafted, which would cover
fusions centers encompassing Federal projects, as opposed to covering
only state, local, and regional fusion center projects.
Response: This comment relates to fusion center activities, which
are outside the scope of this NPRM and SORN.
After careful review and consideration of these public comments
alongside the published PIA and SORN, the Department will implement the
rulemaking as proposed.
List of Subjects in 6 CFR Part 5
Freedom of information; Privacy.
For the reasons stated in the preamble, DHS amends Chapter I of
Title 6, Code of Federal Regulations, as follows:
PART 5--DISCLOSURE OF RECORDS AND INFORMATION
0
1. The authority citation for Part 5 continues to read as follows:
Authority: 6 U.S.C. 101 et seq.; Pub. L. 107-296, 116 Stat.
2135; 5 U.S.C. 301. Subpart A also issued under 5 U.S.C. 552.
Subpart B also issued under 5 U.S.C. 552a.
0
2. Add at the end of Appendix C to Part 5, the following new paragraph
``59'':
Appendix C to Part 5--DHS Systems of Records Exempt From the Privacy
Act
* * * * *
59. The DHS/NPPD-001 NICC Records System of Records consists of
electronic and paper records and will be used by DHS and its
components. The DHS/NPPD-001 NICC Records System of Records is a
repository of information held by DHS in connection with its several
and varied missions and functions, including, but not limited to the
enforcement of civil and criminal laws; investigations, inquiries,
and proceedings there under; national security and intelligence
activities The DHS/NPPD-001 NICC Records System of Records contains
information that is collected by, on behalf of, in support of, or in
cooperation with DHS and its components and may contain personally
identifiable information collected by other Federal, state, local,
Tribal, foreign, or international government agencies. The Secretary
of Homeland Security has exempted this system from the following
provisions of the Privacy Act, subject to limitations set forth in 5
U.S.C. 552a(c)(3); (d); (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), and
(f) pursuant to 5 U.S.C.
[[Page 44454]]
552a(k)(1) and (k)(2). Exemptions from these particular subsections
are justified, on a case-by-case basis to be determined at the time
a request is made, for the following reasons:
(a) From subsection (c)(3) (Accounting for Disclosures) because
release of the accounting of disclosures could alert the subject of
an investigation of an actual or potential criminal, civil, or
regulatory violation to the existence of that investigation and
reveal investigative interest on the part of DHS as well as the
recipient agency. Disclosure of the accounting would therefore
present a serious impediment to law enforcement efforts and/or
efforts to preserve national security. Disclosure of the accounting
would also permit the individual who is the subject of a record to
impede the investigation, to tamper with witnesses or evidence, and
to avoid detection or apprehension, which would undermine the entire
investigative process.
(b) From subsection (d) (Access to Records) because access to
the records contained in this system of records could inform the
subject of an investigation of an actual or potential criminal,
civil, or regulatory violation to the existence of that
investigation and reveal investigative interest on the part of DHS
or another agency. Access to the records could permit the individual
who is the subject of a record to impede the investigation, to
tamper with witnesses or evidence, and to avoid detection or
apprehension. Amendment of the records could interfere with ongoing
investigations and law enforcement activities and would impose an
unreasonable administrative burden by requiring investigations to be
continually reinvestigated. In addition, permitting access and
amendment to such information could disclose security-sensitive
information that could be detrimental to homeland security.
(c) From subsection (e)(1) (Relevancy and Necessity of
Information) because in the course of investigations into potential
violations of Federal law, the accuracy of information obtained or
introduced occasionally may be unclear, or the information may not
be strictly relevant or necessary to a specific investigation. In
the interests of effective law enforcement, it is appropriate to
retain all information that may aid in establishing patterns of
unlawful activity.
(d) From subsections (e)(4)(G), (e)(4)(H), and (e)(4)(I) (Agency
Requirements) and (f) (Agency Rules), because portions of this
system are exempt from the individual access provisions of
subsection (d) for the reasons noted above, and therefore DHS is not
required to establish requirements, rules, or procedures with
respect to such access. Providing notice to individuals with respect
to existence of records pertaining to them in the system of records
or otherwise setting up procedures pursuant to which individuals may
access and view records pertaining to themselves in the system would
undermine investigative efforts and reveal the identities of
witnesses, and potential witnesses, and confidential informants.
Dated: June 28, 2011.
Mary Ellen Callahan,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2011-18828 Filed 7-25-11; 8:45 am]
BILLING CODE 9110-9P-P