REAL ID Act of 2005

Congress passed the REAL ID Act of 2005 to set minimum requirements for state issuance of drivers’ licenses and identification cards required for “official purposes.” The REAL ID rulemaking and implementation continued to be an important policy area for the DHS Privacy Office this year. The REAL ID rule seeks to combat false forms of identification by implementing uniform standards that enhance the integrity and reliability of drivers’ licenses and identification (ID) cards, strengthen identity verification capabilities, and increase security at drivers’ license and ID card production facilities.

The DHS Privacy Office participated in the review of more than 20,000 public comments filed in response to the Department’s NPRM and initial PIA issued in March of 2007. DHS issued the final rule on January 11, 2008. The REAL ID final rule sought to lower the cost of REAL ID and set a phased implementation schedule for the states. States were required to apply for an extension by March 31, 2008, and full compliance was extended to December 1, 2017.

The final rule also addressed a number of the concerns that were raised in the NPRM PIA. First, it assured the public that the rule would not lead to a national ID as the states would continue to issue the drivers’ licenses and each state could set its own numbering system. Second, in response to concerns about the security of the state databases, DHS assured the public that it will monitor state compliance with Federal information security standards. Third, the final rule also required states to create and implement security plans for protecting PII.

In conjunction with the final rule, the DHS Privacy Office issued a PIA, which outlined the changes made to the proposed rule and discussed the remaining privacy issues. The PIA identified continuing concern regarding the states’ implementation of the data verification processes resulting from the new rule. Specifically, the PIA inquired how the states’ Departments of Motor Vehicles (DMVs) will conduct and govern the data verification of federal databases and how they will conduct and govern the state-to-state check to determine whether an applicant for a REAL ID card holds a driver’s license in another state. Additionally, the PIA expressed concerns about third parties’ access and use of PII stored on a REAL ID credential, since no encryption is required, and whether third parties will use REAL ID for purposes other than those expressly outlined in the Act.

In tandem with the PIA, the DHS Privacy Office also issued a set of Best Practices for the Protection of PII to provide guidance to the states’ DMVs on privacy and security protections consistent with the Privacy Act, FISMA, and the information security standards developed by the National Institute of Science and Technology (NIST). Both the final rule and the PIA, which includes the Best Practices guide, can be found on the DHS Privacy Office website. The DHS Privacy Office will continue to work with the REAL ID Program Office to ensure the implementation of the final rule is consistent with the FIPPs.