Homeland Security Fails To Come Clean On Personal Information Use, Says Report

Why won’t the Bush Administration tell us what it’s doing with our personal information?land Security Fails To Come Clean On Personal Information Use, Says ReportBy Cliff Montgomery – May 24th, 2007The Customs and Border Protection agency (CBP) has not fully informed the public on how the personal information of international travelers is being used, as required by law, according to a new government report.The CBP, a unit of the land Security Department (DHS), is legally bound to complete a number of reports that fully inform the public about how the government uses and protects the personal information of pre-screened passengers for international flights, states the Government Accountability Office (GAO) report.The CBP process currently allows pre-screened passenger information to be used in multiple  procedures and in the free transfer among various CBP systems without full explanations in the agency’s privacy disclosures, the GAO stated.”It is important for CBP’s documentation to describe all of the steps of the pre-screening process because the inter-relationship of various steps of the process allows data to be transferred and used in ways that have not been fully disclosed,” said the report.The 1974 Privacy Act and the 2002 E-Government Act compel government agencies to ensure privacy protections by setting limits on the disclosure of personal data and telling the public how such data are being used and protected. Agencies are to keep the public informed of updates by issuing system of records  notices and privacy impact assessments.In response to the GAO study, Steven Pecinovsky, director of the GAO and inspector general liaison office at DHS, claimed the department has been adhering to both laws, and that statements otherwise are “incorrect and without merit.” But we are compelled to follow the person or group who has produced facts to back up their statements, and not the unproven denials of those with direct ties to the agency being investigated.CBP collects personal information on passengers from numerous sources–including passenger and government databases–and uses it to match identities against risk targeting and passenger document validation as well as the government watch list, said the GAO. CBP officers also have some access to private, corporate databases to assist them in confirming each passenger’s identity, according to the agency.Rep. Bennie Thompson (D-MS), chairman of the House land Security Committee, told Government Executive magazine that although he believes in a thorough screening of airline passengers bound for the United States, CBP is legally bound to conduct its screening in a manner that fully protects privacy rights.Below we offer telling quotes from the May 2007 GAO report:”Despite recent efforts by CBP to provide more detailed information to the public about its use of passenger data during the international passenger pre-screening process, CBP has not fully disclosed or assessed the privacy impacts of its use of personal information during international passenger pre-screening as required by law.”The Privacy Act of 1974 and the E-Government Act of 2002 require federal agencies to protect personal privacy by, among other things, limiting the disclosure of personal information and informing the public about how personal data are being used and protected.”Federal agencies inform the public of their use of personal information by issuing two types of documents:System of records notices: “The Privacy Act requires that agencies publish a notification in the Federal Register that informs the public when they establish or make changes to a system of records.Privacy impact assessment: “The E-Government Act requires that agencies analyze how information is handled to (1) ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (2) determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (3) examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.”The Privacy Act places limitations on agencies’ collection, use, and disclosure of personal information maintained in systems of records, which are groups of personal information that are maintained by an agency from which personal information is retrieved by an individual’s name or identifier. Among the act’s provisions are requirements for agencies to give notice to the public about the use of their personal information.”Also, when agencies establish or make changes to a system of records, they must notify the public by a notice in the Federal Register about the type of data collected; the types of individuals about whom information is collected; the intended “routine” uses of the data; the policies and practices regarding data storage, retrievability, access controls, retention, and disposal; and procedures that individuals can use to review and correct personal information.”The E-Government Act of 2002 requires agencies to conduct a privacy impact assessment when using information technology to process personal information.”CBP’s public disclosures about APIS [Advanced Passenger Information System ] and ATS [Automated Targeting System ] do not describe all of the data inputs or the extent to which the data are combined and used in making pre-screening decisions.”