DHS PRIVACY OFFICE


DHS PRIVACY OFFICE
Guide to Implementing Privacy
Version 1.0
June 2010
DEPARTMENT OF HOMELAND SECURITY

TABLE OF CONTENTS

1.0 INTRODUCTION
    1.1 Purpose of this Guide
    1.2 Where to go with Questions
    1.3 Other DHS Privacy Office Resources
2.0 OVERVIEW OF THE DHS PRIVACY OFFICE
    2.1 DHS Privacy Office and the Chief Privacy Officer
    2.2 Organization of the DHS Privacy Office
    2.3 DHS Component Privacy Officers and Privacy Points of Contact
    2.4 DHS Data Privacy and Integrity Advisory Committee
3.0 POLICY FRAMEWORK
    3.1 Management Directive
    3.2 Privacy Policy Guidance and Memoranda
    3.3 The Fair Information Practice Principles (FIPPs)
    3.4 Component-Level Policies
    3.5 Review and Comment on Federal Privacy Policy Development
4.0 OVERVIEW OF PII HANDLING REQUIREMENTS
    4.1 Minimizing and Protecting the Collection of PII
    4.2 Handling Sensitive PII
        4.2.1 Minimizing the Use of Social Security Numbers
        4.2.2 Managing Computer-Readable Extracts Containing Sensitive PII
    4.3 Information on Non-U.S. Persons
    4.4 Information Sharing
    4.5 Securing DHS Information Technology Systems that Contain PII
    4.6 Evaluation of DHS Intelligence Products
5.0 PRIVACY COMPLIANCE
    5.1 Identification and Compliance Oversight
    5.2 Compliance Documentation
        5.2.1 PTAs
        5.2.2 PIAs
        5.2.3 SORNs
        5.2.4 Privacy Act (e)(3) Statements
    5.3 Computer Matching Agreements
6.0 EDUCATION AND AWARENESS
    6.1 Mandatory Training
    6.2 Supplemental Training
    6.3 Component Privacy Training and Awareness
    6.4 Fusion Center Training
    6.5 DHS Privacy Office Staff Training and Certification
7.0 PRIVACY COMPLAINTS
    7.1 Managing Privacy Complaints
    7.2 Disposition of Complaints
    7.3 Coordination with the Office of the Inspector General (OIG)
8.0 MANAGING PRIVACY INCIDENTS
    8.1 Privacy Incident Handling Guidance
    8.2 Privacy Incident Management
9.0 PUBLIC OUTREACH and TRANSPARENCY
    9.1 U.S. Congress
    9.2 Workshops and Conferences
    9.3 DHS Speaker Series
    9.4 Outreach with the Privacy Community
    9.5 Leadership Journal
10.0 INTERNATIONAL ACTIVITIES
    10.1 International Information Sharing and Data Protection
    10.2 Working with the International Community
11.0 DEPARTMENTAL DISCLOSURE and FOIA PROGRAM
    11.1 Information on Submitting a FOIA or Privacy Act Request
    11.2 Improving FOIA Operations
    11.3 FOIA Guidance
    11.4 Implementing New Administration FOIA Policy
    11.5 Intra-Departmental Compliance, Outreach and Customer Service
12.0 REPORTING
    12.1 Annual Privacy Report to Congress
    12.2 Annual FOIA Report to the Attorney General of the United States
    12.3 Chief FOIA Officer Report to the Attorney General of the United States
    12.4 FISMA Reporting
        12.4.1 Section 803 Reporting
        12.4.2 Reporting on Privacy Complaints
    12.5 Section 804 Data Mining Reporting
    12.6 Biennial Matching Activity Report
13.0 CONCLUSION
Appendix A: Authorities of the DHS Privacy Office
Appendix B: DHS Privacy Office Organization Chart
Appendix C: DHS Privacy Office Official Guidance and Policy Memoranda

The DHS Privacy Office Guide to Implementing Privacy

1.0 INTRODUCTION

1.1 Purpose of this Guide

The purpose of the Department of Homeland Security (DHS or Department) Privacy Office Guide to Implementing Privacy (Guide) is to inform the Department, other federal agencies, and the public about how the DHS Privacy Office implements privacy at DHS. The Guide provides an overview of the DHS Privacy Office’s functions and transparency into its day-to-day operations. This guide may be particularly helpful to federal privacy practitioners, as it not only describes the wide-ranging activities of the Office, but also explains how the office works to build a privacy culture at DHS. The Privacy Office’s detailed Freedom of Information Act (FOIA) functions are described separately in Section 11.

1.2 Where to go with Questions

The DHS Privacy Office maintains a webpage (www.dhs.gov/privacy) where you can find Office reports and other guidance, as well as information on DHS privacy policy, public workshops, and other Privacy Office activities. If you have questions that are not addressed by the information in this Guide or on the DHS Privacy Office website, please contact the DHS Privacy Office by email at privacy@dhs.gov or by phone at 703-235-0780.

1.3 Other DHS Privacy Office Resources

The DHS Privacy Office publishes a number of resources regarding privacy implementation at DHS, including policy memoranda, official guidance, and workshop reports. This Guide summarizes many of the principles and activities included in these resources. A list of DHS resources is included in Appendix C. We encourage you to consult Appendix C for documents that address specific subjects or operational matters of interest to you, and to contact the DHS Privacy Office if you have questions regarding these resources.

2.0 OVERVIEW OF THE DHS PRIVACY OFFICE

2.1 DHS Privacy Office and the Chief Privacy Officer

The DHS Privacy Office is the first statutorily created privacy office in the federal government. The Office operates under the direction of the DHS Chief Privacy Officer, who also serves as the Department’s Chief Freedom of Information Act (FOIA) Officer.[1] A complete listing of the DHS Chief Privacy Officer’s responsibilities can be found on the DHS Privacy Office’s website at www.dhs.gov/privacy.

[1] The DHS Chief Privacy Officer is appointed by the Secretary of Homeland Security.

The mission of the DHS Privacy Office is to preserve and enhance privacy protections for all individuals, to promote transparency of DHS operations, and to serve as a leader in the privacy community. The Office accomplishes its mission by:

- Requiring compliance with the letter and spirit of federal laws that protect privacy;
- Centralizing FOIA[2] and Privacy Act[3] operations to provide policy and programmatic oversight and to support operational implementation within the DHS components;
- Providing education and outreach to build a culture of privacy and adherence to the Fair Information Practice Principles (FIPPs) across the Department; and
- Providing transparency to the public through published materials, formal notices, public workshops, and meetings.

The activities of the Office serve to build privacy into departmental programs. The Office implements privacy laws as well as the numerous Executive Orders, court decisions, and Department policies that govern the Department’s collection, use, and disclosure of personally identifiable information (PII). A listing of the authorities, through which the Privacy Office accomplishes its activities and mission, is contained in Appendix A.

[2] Freedom of Information Act (5 U.S.C. § 552).
[3] Privacy Act of 1974 (5 U.S.C. § 552a).

2.2 Organization of the DHS Privacy Office

The DHS Chief Privacy Officer is supported by a number of directors and associate directors as well as support staff and contractors. The Office consists of operational teams including: International Privacy Policy; Departmental Disclosure and FOIA; Privacy Compliance; Privacy Policy (including Communications and Training); Privacy Incidents and Inquiries; Privacy Technology and Intelligence; and Legislative and Regulatory Analysis. See Appendix B for further information on the organizational structure of the Office.

2.3 DHS Component Privacy Officers and Privacy Points of Contact

Each DHS operational component has either a Privacy Officer or a privacy point of contact (PPOC).[4] The DHS Privacy Office works closely with component Privacy Officers and PPOCs to ensure that programs[5] in the component agencies identify privacy issues and work to address them. The Office coordinates regular meetings with component Privacy Officers and PPOCs, including a monthly privacy compliance meeting. In addition, the DHS Privacy Office compliance staff serve as liaisons to each component. The compliance liaisons facilitate outreach to the components through regularly scheduled meetings, coordination of privacy compliance activities, and by serving as a resource for component privacy staff in the event privacy issues arise.

[4] A PPOC is an individual who is responsible for privacy within his or her component, directorate, or major program, but is not a full-time Privacy Officer. In 2009, the Secretary of DHS directed the following operational components to have full-time Privacy Officers who report to the component heads: Federal Emergency Management Agency (FEMA), National Protection and Programs Directorate (NPPD), Office of Intelligence and Analysis (I&A), Science and Technology Directorate (S&T), Transportation Security Administration (TSA), U.S. Citizenship and Immigration Services (USCIS), U.S. Coast Guard, U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and U.S. Secret Service.
[5] Programs within DHS components may also have a Privacy Officer or PPOC if a primary function of the program involves collecting, using, maintaining, or disseminating PII (e.g., The USCIS Verification Division, which administers the E-Verify Program, has a designated Privacy Officer).

2.4 DHS Data Privacy and Integrity Advisory Committee

The DHS Data Privacy and Integrity Advisory Committee (DPIAC) convenes quarterly to advise the Secretary of Homeland Security and the DHS Chief Privacy Officer on issues relating to programmatic, policy, operational, administrative, and technological issues within DHS that relate to PII, data integrity, and other privacy-related matters. Advisory Committee members represent a balance of relevant opinions on privacy from the public sector, private sector, academia, and the privacy advocacy community. More information about the DPIAC is available on the DHS Privacy Office website.

3.0 POLICY FRAMEWORK

The DHS Privacy Office has primary authority under Section 222 of the Homeland Security Act of 2002 for privacy policy at DHS.[6] Section 222 gives the Office plenary authority to ensure that the use of technologies sustains, and does not erode, privacy protections relating to the collection, use, dissemination, and maintenance of personal information, and to ensure that PII in information systems is handled in full compliance with the fair information practices set forth in the Privacy Act. All DHS personnel, including federal employees, independent consultants, and government contractors involved in DHS programs must comply with DHS privacy policy.

[6] See Sections 222(a)(1) and (a)(2) of the Homeland Security Act of 2002, 6 U.S.C. § 142.

3.1 Management Directive

The DHS Privacy Office Management Directive No. 0470.2: Privacy Act Compliance (Directive) establishes the basis for DHS policy for Privacy Act Compliance. The Directive, which was issued in 2005, is currently being revised. The Directive requires that all employees be made aware of, and comply with, the Privacy Act and ensure that information about individuals is collected, maintained, used, and disseminated in accordance with the Privacy Act and DHS regulations. The Directive outlines the responsibilities of DHS personnel, including the DHS Chief Privacy Officer, component heads, component Privacy Officers, and program and system managers as they relate to compliance with the requirements of the Privacy Act and other federal privacy laws, regulations, and DHS privacy policy.

3.2 Privacy Policy Guidance and Memoranda

The DHS Privacy Office implements the policies outlined in its Directive, as well as other federal laws and regulations, by issuing policies and procedures, policy guidance, and memoranda. These documents explain the criteria for collecting and using PII in a manner that furthers the Department’s mission yet minimizes the impact on individual privacy.

The DHS Privacy Office may engage working groups of DHS staff to collaborate on complex privacy issues, to achieve a consensus when developing policy guidance or procedures, and to enhance the transparency of DHS programs. Working groups generally include privacy and security experts from the Office and the various DHS components and programs. A list of all current DHS Privacy Office policies and guidance documents is included in Appendix C and available on the DHS Privacy Office’s website. The website is routinely updated to reflect new or revised guidance documents and memoranda.

3.3 The Fair Information Practice Principles (FIPPs)

The DHS Privacy Office’s privacy policies and implementation are based on eight FIPPs that are rooted in the tenets of the Privacy Act of 1974 and govern the appropriate use of PII. DHS uses the FIPPs as the policy framework to enhance privacy protections by assessing the nature and purpose of all PII collected to fulfill DHS’s mission. The Office has established the FIPPs as the foundational principles for privacy policy and implementation at DHS.[7] This framework is used in conducting Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), and reviews of rulemakings.

[7] See Privacy Policy Guidance and Memorandum No. 2008-01: The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security, available cy policyguide 2008-01.pdf.

The DHS FIPPs:

- Transparency: DHS should be transparent and provide notice to the individual regarding its collection, use, dissemination, and maintenance of PII.
- Individual Participation: DHS should, to the extent practical, seek individual consent for the collection, use, dissemination, and maintenance of PII and should provide mechanisms for appropriate access, correction, and redress regarding DHS’s use of PII.
- Purpose Specification: DHS should specifically articulate the authority, which permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
- Data Minimization: DHS should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
- Use Limitation: DHS should use PII solely for the purpose(s) specified in the notice. Sharing PII outside the Department should be for a purpose compatible with the purpose for which the PII was collected.
- Data Quality and Integrity: DHS should, to the extent practical, ensure that PII is accurate, relevant, timely, and complete, within the context of each use of the PII;
- Security: DHS should protect PII (in all forms) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure; and
- Accountability and Auditing: DHS should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

3.4 Component-Level Policies

Component Privacy Officers and PPOCs develop component-level privacy policies as needed to reflect and further the mission of the component, ensuring that such privacy policies are consistent with DHS Privacy Office policies and the FIPPs. Such policies often ad
