
State and Local Fusion Center Training Part 1


DESCRIPTION

1. State and Local Fusion Center Training Part 1. The Privacy Office www.dhs.gov/privacy Ken Hunt Rebecca Richards Toby Levin (Training). The Office for Civil Rights and Civil Liberties www.dhs.gov/CivilLibertiesInstitute. 2. Two Offices. The Privacy Office - PowerPoint PPT Presentation


State and Local Fusion Center Training Part 1

The Privacy Office

www.dhs.gov/privacy

Ken Hunt

Rebecca Richards

Toby Levin (Training)

The Office for Civil Rights and Civil Liberties

www.dhs.gov/CivilLibertiesInstitute


Two Offices

The Privacy Office

First statutorily created Privacy Office in the Federal government – Section 222 of the Homeland Security Act

Responsible for privacy policy across the Department

Hugo Teufel III, Privacy Officer

Office located in Virginia

Office for Civil Rights and Civil Liberties (CRCL)

Responsible for advising on civil rights and civil liberties policy within DHS

Responsible for ensuring compliance with civil liberties protections of persons affected by DHS programs and activities

Daniel Sutherland, Officer for Civil Rights and Civil Liberties

Offices located in Washington, DC


How Our Offices Support Fusion Centers

Privacy Office

Conducting a Privacy Impact Assessment on Fusion Centers

Available for requests for guidance on privacy issues from Fusion Centers and their Federal partners

CRCL

Has conducted a soon-to-be-released Civil Liberties Impact Assessment

Responds to informal requests for guidance on CRCL issues from SLFC and their Federal partners

CRCL leads domestic Federal government engagement with American Arab, Muslim, Sikh communities and supports SLFCs in pursuing similar engagement activities

Available to receive and investigate complaints related to Fusion Centers from those alleging that their civil rights and civil liberties have been compromised


How Our Offices Support Fusion Centers

Both the Privacy Office and CRCL:

Actively participate in the Information Sharing Privacy Guidelines Committee and

Have been tasked by Congress with providing training on privacy, civil rights and civil liberties to Fusion Center staff


Goals for Today's Session

To increase awareness among DHS staff deployed to the SLFCs of the privacy, civil rights and civil liberties protections required by law, the policies and procedures to ensure that protection, and the resources we can offer to assist SLFC in these areas.

To jointly plan the development of a “toolkit” and future training for all staff at SLFC on these issues.


Why Privacy Matters – it’s the Law

The Privacy Act

Applies to all Federal Agencies

Code of Fair Information Practices (FIP)

Governs personally identifiable information (PII)

Requires system of records notices (SORNs)

Civil and criminal penalties for misuse of PII.

E-Government Act of 2002

Privacy Impact Assessments mandated for all Federal Agencies where new collections OR new technologies applied to PII


Why Privacy Matters – Public Support

Question For the Record: What checks are in place at fusion centers that might help them avoid becoming mini spy agencies?

CRS Report: Privacy issues a potential risk to the program.


TSA’s Secure Flight Program

Purpose: to prevent known terrorists from boarding aircraft or gaining access to “sterile” areas of an airport.

Privacy issues not addressed AND…

$$$ withheld by Congress

“None of the funds provided by this or previous appropriations acts may be obligated for deployment or implementation… of the Secure Flight Program…, until the Government Accountability Office has reported to Congress that there are no specific privacy concerns with the technological architecture of the system.”

DEPARTMENT OF HOMELAND SECURITY APPROPRIATIONS ACT, 2005 - PUBLIC LAW 108–334


A Possible Future We Cannot Allow !!!

“None of the funds provided by this or previous appropriations Acts may be obligated for personnel deployment to or information sharing with State and Local Fusion Centers until the Government Accountability Office has reported to Congress that the Centers have addressed privacy.”

DEPARTMENT OF HOMELAND SECURITY APPROPRIATIONS ACT, 2009


… or Worse

Outright Cancellation – MATRIX pilot program involved information sharing agreement between states – Privacy concerns eroded public confidence.

Litigation – CRS Report: “without federal oversight, litigation is likely to serve as the only significant oversight mechanism”.


Personally Identifiable Information (PII)

Personally identifiable information is…


PII

Any information that permits the identity of an individual to be directly or indirectly inferred, including any other information which is linked or linkable to an individual, regardless of whether the individual is a U.S. Citizen, Legal Permanent Resident, alien or a visitor to the U.S.


8 Fair Information Practice Principles (FIPPs) rooted in the tenets of the Privacy Act

Transparency

Purpose Specification

Use Limitation

Data Minimization

Individual Participation

Security Safeguards

Data Quality

Accountability


Transparency

No Secret Systems.

Notice to the public on the collection, use, dissemination, and maintenance of PII.

DHS satisfies this principle with System of Record Notices and Privacy Impact Assessments.

Published at www.dhs.gov/privacy.


Purpose Specification

DHS must specifically articulate:

the authority which permits the collection of PII and

the purpose for which the PII is intended to be used.


Use Limitation

Use only for the purpose specified in the SORN.

Share outside the Department only for a purpose compatible with the purpose for which the PII was collected.


Data Minimization

Collection: DHS should collect PII only if it is: directly relevant and necessary to accomplish the stated purpose.

Retention: Dispose of PII following the DHS records disposition schedules (as approved by NARA).


Data Quality & Integrity

Data must be accurate, relevant, timely and complete for each use.


Individual Participation

Obligated to involve the individual in the use of PII through:

Consent – direct collection. Examples

Mechanism for appropriate access, correction, and redress.


Security

Protect against: loss, unauthorized access or use, destruction, modification, or inappropriate or unintended disclosure.


Accountability and Auditing

DHS is accountable for complying with the FIPPs.

Provide training.

Audit to demonstrate compliance.


2 questions summarize it all!

#1 Should this information be collected?

#2 Should this information be shared?


Top 5 Privacy Rules

#1 Collect and use PII only for I&A approved purposes.

#2 Understand which SORN covers the information you want to share.

#3 Share PII only if the SORN authorizes it.

#4 Minimize the PII when sharing.

#5 Document with whom and why PII was shared.

Call Ole Broughton or Tim Bailey if you have a question.


2 questions summarize it all!

#1 Should this information be collected?

#2 Should this information be shared?


Collection: First Ask…

Identify which I&A functional responsibilities your collection falls under:

1. Terrorism or Terrorist Related Activity

NOTE: If intelligence information does not fall under “terrorism or terrorist-related activity”, must consult with Tim Bailey for guidance before undertaking any collection activity.

2. Other Threats to the Homeland

3. Support to a Component of DHS

4. Support to or Activities Directed by the Secretary

5. Directed by Statute or Presidential Directive


Collection: Then Ask…

Do you anticipate collecting information associated with the First Amendment (such as an individual’s race, religion, speech, and/or the groups he/she associates with) in order to draft this product? ____Yes ____No

If YES, is it part of any ongoing authorized law enforcement investigation or lawful national security intelligence investigation? ____Yes ____No

If NO, the information may NOT be collected.


2 questions summarize it all!

#1 Should this information be collected?

#2 Should this information be shared?


Privacy Checklist for Sharing

_____1. Ask why specifically the PII is needed.

_____2. Look at the context of the request.

▫ Is it related to the DHS I&A mission?

_____3. Share information only if there is an approved Privacy Act routine use.

_____4. If sharing information directly out of a non I&A system, identify which SORN covers the PII being requested.

_____5. Check with the Watch at the NOC if uncertain.

_____6. If you are asked for information related to a name check, ask the NOC to process the request.

_____7. Document why and with whom the PII is shared.


Sharing: Privacy Act authorized sharing for I&A systems

Generally Applicable HSOC Routine Uses (RU)

A. Violation of the Law

If the record (on its face or in conjunction with other info) indicates a violation (or potential violation) of any law, the record may be disclosed to the entity charged with investigating, prosecuting and/or enforcing such law or contract.


Sharing: Privacy Act authorized sharing for I&A systems

Generally Applicable HSOC Routine Use (RU)

B. Serves Security Interest

Record disclosure is OK if it will “promote, assist, or otherwise serve homeland or national security interests”

May be disclosed to:

Federal, State, local, joint or tribal agencies

foreign, international or other public agency or organization, or

to any person or entity in either the public or private sector, (domestic or foreign)


Sharing: Privacy Act authorized sharing for I&A systems

If sharing meets either of these routine uses, document in the comments section of I&A 24 Hour Log

▫ Name of the agency with which the information is being shared.

▫ Justification for sharing the information.

▫ What information was shared.


Sharing: Privacy Act authorized sharing for non I&A systems:

Applicable CBP TECS Routine Use

If agency is aware of a violation of the law (potential, civil or criminal)

You may disclose pertinent information to appropriate Federal, State, local or foreign agencies responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order, or license.


Sharing: Privacy Act authorized sharing for non I&A systems:

If sharing meets this routine use,

Fill out the CBP Form 191 that comes up in TECS when you are ready to share information.


Other Important Reminders

Safeguard PII

▫ Secure transfer

▫ Extracts and mobile devices pose risks

▫ Hard copies also pose risks

Report Privacy Incidents to your Program Manager.

SLFCs must also comply with State privacy laws, which may be stricter, and State open access laws.


When You Have a Privacy Question, Contact:

Your I&A counsel: XXXX

Your Intelligence Oversight Officer: XXXXXXX

Your Component Privacy Point of Contact: XXXX

The DHS Privacy Office:

Ken Hunt

Becky Richards

Toby Levin


Summary of CRCL Mission

Helping DHS respect civil rights and civil liberties while we protect the homeland and our way of life.

The Intelligence Reform and Terrorism Prevention Act of 2004 added this language to the DHS mission (codifying existing DHS policy):

“to ensure that civil rights and civil liberties of persons are not diminished by efforts, activities and programs aimed at securing the homeland”.


Understanding the Terms: Civil Rights and Civil Liberties

Quick Summary

Civil rights – generally involves affirmative government action to protect against infringement

Civil liberties – involves restrictions on government to protect individual liberties


Your Mission and CRCL Issues

How does the CRCL mission relate to your role?


Red Flags #1

What are the primary CRCL concerns related to the open flow of information?

Information about activities that are protected, such as protest or criticisms of the government, boycott of products, exercise of religious freedom, freedom of assembly, etc.;

Capture of video feeds that are retained and used to identify people;

Extending the mission of a particular partner agency without assuring proper authorities, procedures and protections;


Red Flags #2

What are the primary CRCL concerns related to the open flow of information?

Information Sharing can have “downstream” consequences

Use of materially inaccurate or misleading information

Search and seizure issue (4th Amendment)

Due process issues (5th and 14th Amendment)

Capture or sharing demographics that could be used to target or watch a class of people in a community;

Need for redress – sufficient?


Suspicious Activity Reporting

This man is the subject of one of your center’s suspicious activity reports.

Describe him.


Red Flags #3

What are the primary CRCL concerns related to the open flow of information?

Collection/retention of information or descriptions of individuals perpetuating or relying on racial or ethnic stereotypes

Requests to vet private sector personnel who are involved in critical infrastructure

Tension between federal and state law and practice on what information should be public: FOIA, Sunshine laws (EPIC and VA Fusion Center)

Data tracking and criminal record expungement


Integrating Civil Liberties @ Your SLFC: 5 Best Practices (KATEI)

1. Know your operating statutes and authorities.

2. Adopt a civil rights and civil liberties policy.

3. Train Fusion Center staff and partners on privacy, civil rights and civil liberties standards and best practices.

4. Encourage engagement with the public, media, and outside groups to provide a level of transparency.

5. Identify a coordinator to address privacy, civil rights and civil liberties issues.


Community Engagement Best Practices

Engage with the public, media, and outside groups to provide a level of transparency.

Common Question: Should we engage community groups, advocacy groups and others that are curious / critical of the fusion centers?

General approach:

CRCL encourages meeting with community and advocacy groups

SLFC Director determines appropriate level of engagement, transparency

Meetings, some degree of transparency and explanation can build bridges

You don’t have to agree with the groups, and their criticism may be helpful

DHS HQ Elements and the Secretary meet with similar groups.


Integrating Civil Liberties: Potential SLFC Engagement Activities

Leverage the CRCL Training & Awareness Materials

Develop an Incident Management plan – CRCL can offer technical assistance

Hold Community Forums & Outreach Through Community Media

Treat Seriously Complaints and Suggestions Regarding DHS Activities

Read the CRCL terminology paper

Engagement – a good practice for working with any community of concern
