The DHS Privacy Office was created in response to the Homeland Security Act of 2002. The first Chief Privacy Officer was appointed in April 2003. It was the first statutorily mandated privacy office in the federal government.
Its mission is to minimize the impact on an individual's privacy, particularly an individual's personal information and dignity, while achieving the Department's mission to protect the homeland. The DHS Chief Privacy Officer reports directly to the Secretary of the Department, and the Office's mission and authority are founded upon the responsibilities set forth in the Homeland Security Act of 2002.
The Privacy Office serves to implement Section 222 of the Homeland Security Act of 2002, and has programmatic responsibilities involving the Privacy Act of 1974, the Freedom of Information Act ("FOIA"), the privacy provisions of the E-Government Act of 2002, and the numerous laws, Executive Orders, court decisions and Departmental policies that protect the collection, use, and disclosure of personal and Departmental information are all followed.
The mission of the Office is to preserve and enhance privacy protections for all individuals, to promote transparency of DHS operations, and to serve as a leader in the federal privacy community. The Office accomplishes its mission by focusing on by several core activities:
- Requiring compliance with the letter and spirit of federal privacy and disclosure laws and policies in all DHS programs, systems, and operations;
- Centralizing Freedom of Information Act (FOIA) and Privacy Act operations to provide policy and programmatic oversight, to support operational implementation within the DHS components, and to ensure the consistent handling of disclosure requests;
- Providing leadership and guidance to promote a culture of privacy and adherence to the Fair Information Practice Principles across the Department;
- Advancing privacy protections throughout the federal government through active participation in interagency fora;
- Conducting outreach to the Department's international partners to promote understanding of the U.S. privacy framework generally and the Department’s role in protecting individual privacy; and
- Ensuring transparency to the public through published materials, reports, formal notices, public workshops, and meetings.
The DHS Privacy Office promotes the growth of privacy programs within the DHS components as a means of addressing privacy. Further, the DHS Privacy Office is implementing a privacy framework that establishes the roles and responsibilities for component privacy offices. Figure 2 illustrates the DHS privacy framework.
- Organizational Commitment to Privacy: Establish organizational oversight and implement privacy activities.
- Policies for Proper Handling of PII: Define and promote privacy policies and procedures.
- Privacy Compliance Management: Implement tools and processes to ensure privacy compliance (including reporting requirements, privacy impact assessments, systems of records notices, privacy incident handling, and privacy rules of conduct).
- Notice, Complaints, and Redress for Individuals: Establish processes for notices, complaints, and redress for individuals.
- Privacy Awareness and Training: Support privacy requirements through privacy awareness and training.
The DHS Chief Privacy Officer's responsibilities include:
- Assuring that the use of technologies sustains, and does not erode, privacy protections relating to the use, collection, and disclosure of personal information;
- Assuring that personal information contained in Privacy Act systems of records is maintained in full compliance with fair information practices as set out in the Privacy Act of 1974 ("Privacy Act");
- Evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal government;
- Conducting privacy impact assessments (PIAs) of proposed rules of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected;
- Coordinating with the Office for Civil Rights and Civil Liberties (DHS CRCL) to ensure that programs, policies, and procedures involving civil rights, civil liberties, and privacy considerations are addressed in an integrated and comprehensive manner, and that Congress receives appropriate reports on such programs, policies, and procedures; and
- Preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters.
In addition to the responsibilities described above, the authorities and responsibilities of the Chief Privacy Officer are further amended by the Implementing Recommendations of the 9/11 Commission Act of 2007 ("9/11 Commission Act"), passed on August 3, 2007. Section 802 of the Act codified authority of the Chief Privacy Officer to investigate and or report on DHS programs and operations with respect to privacy, while creating additional obligations to coordinate investigations of violations or abuse related to privacy with the DHS Office of Inspector General (OIG). This investigatory authority now expressly includes: access to all records, reports, audits, reviews, documents, papers, recommendations, and other materials available to the Department that relate to privacy within the programs and operations; the power to issue subpoenas to any person other than a Federal agency, with the approval of the Secretary; and the ability to administer oaths, affirmations, or affidavits necessary to investigate or report on matters relating to responsibilities under Section 222 of the Homeland Security Act of 2002.
The Privacy Office is structured into two functional units: the DHS Privacy Compliance Group and the DHS Departmental Disclosure and FOIA Group. The Privacy Compliance unit manages and formulates the above statutory and policy-based responsibilities, in a collaborative environment with each component and program, to ensure that all privacy issues are provided the appropriate level of review and expertise. The Departmental Disclosure and FOIA unit assures consistent and appropriate Department-wide statutory compliance with the Freedom of Information Act of 1966 (FOIA), as amended, and requests made under the Privacy Act.
Fair Information Practice Principles
The Privacy Office's privacy compliance policies and procedures are based on a set of eight fair information practice principles (FIPPs) that are rooted in the tenets of the Privacy Act and govern the appropriate use of personally identifiable information (PII). DHS uses the FIPPs to enhance privacy protections by assessing the nature and purpose of all PII collected to fulfill DHS’s mission to preserve, protect, and secure the homeland. DHS’s implementation of the FIPPs is described below:
- Transparency: DHS should be transparent and provide notice to the individual regarding its collection, use, dissemination, and maintenance of PII. Technologies or systems using PII must be described in a SORN and PIA, as appropriate. There should be no system the existence of which is a secret. The DHS Privacy Office supports the FIPPs’ transparency principle through its handling of FOIA and Privacy Act requests.
- Individual Participation: DHS should involve the individual in the process of using PII. DHS should, to the extent practical, seek individual consent for the collection, use, dissemination, and maintenance of PII and should provide mechanisms for appropriate access, correction, and redress regarding DHS’s use of PII.
- Purpose Specification: DHS should specifically articulate the authority which permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
- Data Minimization: DHS should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s). PII should be disposed of in accordance with DHS records disposition schedules as approved by the National Archives and Records Administration (NARA).
- Use Limitation: DHS should use PII solely for the purpose(s) specified in the notice. Sharing PII outside the Department should be for a purpose compatible with the purpose for which the PII was collected.
- Data Quality and Integrity: DHS should, to the extent practical, ensure that PII is accurate, relevant, timely, and complete, within the context of each use of the PII.
- Security: DHS should protect PII (in all forms) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- Accountability and Auditing: DHS should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.
How role differs from other countries' privacy offices
The positioning of the Privacy Office within DHS differs from the approach used for privacy offices in other countries, such as Canada and the European Union, where privacy offices are independent entities with investigatory powers. Canada’s Privacy Commissioner, for example, reports to the Canadian House of Commons and Senate and has the power to summon witnesses and subpoena documents. In contrast, the DHS privacy officer position was established by the Homeland Security Act of 2002 as an internal component of DHS. As a part of the DHS organizational structure, the DHS Chief Privacy Officer has the ability to serve as a consultant on privacy issues to other departmental entities that may not have adequate expertise on privacy issues.
- Pub. L. No. 107-296, §222, 116 Stat. 2155 (Nov. 25, 2002).
- 6 U.S.C. §142. The authorities and responsibilities of the Chief Privacy Officer were last amended by the Implementing Recommendations of the 9/11 Commission Act of 2007 on August 3, 2007. The 9/11 Commission Act added investigatory authority, the power to issue subpoenas, and the ability to administer oaths, affirmations, or affidavits necessary to investigate or report on matters relating to responsibilities under Section 222 of the Homeland Security Act of 2002. These responsibilities are further described on the DHS Privacy Office website and in the DHS Privacy Office 2009 Annual Report to Congress.
- Section 222 of the Homeland Security Act of 2002, as amended by Section 8305 of the Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. No. 108-458 (Dec. 17, 2004), 6 U.S.C. §142.
- Freedom of Information Act, 5 U.S.C. §552.
- 6 U.S.C. §142.
- Id. §142(2).
- DHS Privacy Office, Annual Report to Congress, July 2009-July 2010, at i (Sept. 2010).
- 5 U.S.C. §552a
- Pub. L. No. 110-53.
- 5 U.S.C. §552.
- DHS Privacy Office 2011 Annual Report to Congress
- DHS Privacy Office 2008 Report to Congress Data Mining: Technology and Policy
- DHS Privacy Office Guide to Implementing Privacy
- DHS Privacy Office Handbook
- DHS Privacy Office Management Directive No. 0470.2: Privacy Act Compliance