DHS expanding, modifying records system involving sensitive PII sharing
As soon as the public comment period for the Department of Homeland Security’s (DHS) recent system of records notice (SORN) proposal to modify its DHS/All-016 Correspondence Records System of Records was issued, the first response was, “This is violating my right to privacy!”
That comment isn’t necessarily surprising given that, as DHS stated, “The purpose of the proposed new records system is to manage all Personally Identifiable Information (PII) correspondence — including incoming information and responses to inquiries, comments, or complaints made to DHS — obtained from all sources of incoming correspondence and responses by DHS, and that, “A non-exclusive list of correspondence sources includes members of the general public, call and customer service centers, unions, trade organizations, non-profits, business or governmental entities, including the news media and congressional offices.”
Following previous similar SORNS, the Electronic Freedom Foundation argued that the substantive effect of the proposed routine uses within DHS’ system of records is “sufficiently grave” because they “impose directly and significantly upon so many members of the public,” adding, “DHS’ system of records applies to a broad category of individuals, including “members of the public,” and significantly impacts with whom their personal information will be shared.”
DHS is updating this this department-wide SORN under the Privacy Act for DHS correspondence records. DHS will use this system to collect and maintain correspondence records submitted by the general public, DHS personnel, and others, and the SORN does not apply to correspondence related to Freedom of Information Act or Privacy Act requests, or to correspondence received in the course of standard immigration benefit application processes. This SORN also does not cover the underlying records associated with a response to correspondence.
DHS said, the records system DHS is expanding allows DHS “to collect and maintain incoming information and responses to inquiries, comments, or complaints made to the department, and that “categories of individuals, categories of records, and routine uses of this system of records notice have been updated to better reflect the department’s correspondence record systems.”
DHS explained that, “This system modification will expand the categories of individuals to cover third parties whose information is submitted by the sender or recipient through an inquiry, comment, or complaint,” adding, “DHS may [also] collect and respond to this information from a third party. However, any investigations or awards initiated as a consequence of a third party’s correspondence would not be covered [and that] DHS is also expanding the categories of records to permit the collection of an individual’s phone number, call and customer service center records, receipt number, and case or account number associated or referenced in the correspondence.”
DHS said it “safeguards records in this system according to applicable rules and policies, including all applicable DHS automated systems security and access policies [which includes various biometric access controls, and that it has] imposed strict controls to minimize the risk of compromising the information that is being stored. Access to any paper files or computer systems containing the records in this system is limited to those individuals who have a need to know the information for the performance of their official duties and who have appropriate clearances or permissions.
Consequently, as part of its proposed new records system, DHS said, it is also modifying routine use (E) and adding routine use (F) to conform to Office of Management and Budget (OMB) Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information.
DHS explained that, in addition to disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system – which likely includes biometric PII — may be disclosed outside DHS as a routine use “to appropriate agencies, entities, and persons when DHS suspects or has confirmed that there has been a breach of the system of records; DHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, DHS (including its information systems, programs, and operations), the federal government, or national security; and, the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with DHS’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.”
Records containing PII – biometric and otherwise — will also be provided to “another federal agency or federal entity when DHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in responding to a suspected or confirmed breach, or preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the federal government, or national security, resulting from a suspected or confirmed breach.”
Records are also provided to the Department of Justice (DOJ), including Offices of the US Attorneys, or other federal agency conducting litigation or in proceedings before any court, adjudicative, or administrative body, when it is relevant or necessary to the litigation and one of the following is a party to the litigation or has an interest in such litigation:
• DHS or any component thereof;
• Any employee or former employee of DHS in his/her official capacity;
• Any employee or former employee of DHS in his/her individual capacity when DOJ or DHS has agreed to represent the employee;
• Or The United States or any agency thereof.
Records are also provided to congressional offices from the record of an individual in response to an inquiry from a congressional office made at the request of the individual to whom the record pertains; to the National Archives and Records Administration or General Services Administration pursuant to records management inspections being conducted under the authority of 44 U.S.C. 2904 and 2906; and any agency or organization for the purpose of performing audit or oversight operations as authorized by law, but only such information as is necessary and relevant to such audit or oversight function.
In addition, DHS provides records in the system to:
• Contractors and their agents, grantees, experts, consultants, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for DHS, when necessary to accomplish an agency function related to this system of records. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to DHS officers and employees.
• An appropriate federal, state, tribal, territorial, local, international, or foreign law enforcement agency or other appropriate authority charged with investigating or prosecuting a violation or enforcing or implementing a law, rule, regulation, or order, when a record, either on its face or in conjunction with other information, indicates a violation or potential violation of law, which includes criminal, civil, or regulatory violations and such disclosure is proper and consistent with the official duties of the person making the disclosure.
• Another federal agency to refer correspondence or respond to correspondence given the nature of the complaint, compliment, comment, or issue.
• Unions recognized as exclusive bargaining representatives of the individual under the Civil Service Reform Act of 1978, 5 U.S.C. 7111 and 7114, the Merit Systems Protection Board, arbitrators, the Federal Labor Relations Authority, and other parties responsible for the administration of the Federal labor-management program for the purpose of processing any corrective action, or grievances, or conducting administrative hearings or appeals, or if needed in the performance of other authorized duties.
• News media and the public, with the approval of the Chief Privacy Officer in consultation with counsel, when there exists a legitimate public interest in the disclosure of the information, when disclosure is necessary to preserve confidence in the integrity of DHS, or when disclosure is necessary to demonstrate the accountability of DHS’s officers, employees, or individuals covered by the system, except to the extent the Chief Privacy Officer determines that release of the specific information in the context of a particular case would constitute an unwarranted invasion of personal privacy.
Categories of records in the system include, but are not limited to:
• Full name;
• Physical and mailing addresses;
• Email address;
• Phone number;
• Web form information (e.g., IP addresses);
• Who the complaint, compliment, comment, or issue is about;
• Incoming correspondence excluding Privacy Act or FOIA requests, or standard immigration applications;
• DHS’s reply;
• Responder’s name on behalf of DHS;
• Call and Customer Service Center records (to include recordings of calls and online real time interactions with customer service representatives);
• Associated case or file numbers (e.g., Alien Number and other identifiers);
• Receipt number;
• Account ID;
• Additional unsolicited personal information provided by the individual (including Social Security number); and
• Other related materials.