17 January 2004
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-----------------------------------------------------------------------
[Federal Register: January 16, 2004 (Volume 69, Number 11)]
[Notices]
[Page 2608-2615]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr16ja04-84]
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Privacy Impact Assessment and Privacy Policy; US-VISIT Program

AGENCY: Department of Homeland Security.

ACTION: Notice; Privacy Impact Assessment and Privacy Policy.

-----------------------------------------------------------------------

SUMMARY: On January 5, 2004, the Department of Homeland Security (Department) promulgated an interim rule implementing the first phase of the United States Visitor and Immigrant Status Indicator Technology Program (US-VISIT, Increment 1) in accordance with several Congressional mandates requiring that the Department create an integrated, automated entry exit system that records the arrival and departure of aliens and that verifies, through the comparison of biometric identifiers, the identities of aliens and the authentication of their travel documents. In connection with this program, and in accordance with Section 208 of the E-Government Act of 2002, which requires federal agencies to conduct a privacy impact assessment (PIA) when they use information technology to collect new information, the Department of Homeland Security conducted a Privacy Impact Assessment of US-VISIT, which was published on January 4, 2004, at http://www.dhs.gov/privacy. Because Section 208 of the E-Government Act of 2002 requires federal agencies to make PIAs publicly available through their Web sites, publication in the Federal Register, or other means, attached as appendices to this notice are the Department's Executive Summary of the PIA, the PIA, and the Privacy Policy for the US-VISIT Program, Increment 1.
ADDRESSES: Written comments about the US-VISIT Program, Increment 1 Privacy Impact Assessment and Privacy Policy may be submitted to Privacy Office, Attn.: US-VISIT PIA, U.S. Department of Homeland Security, Washington, DC 20528, fax (202) 298-5201, or email privacy@dhs.gov. If submitting comments by email, please include the words "US-VISIT PIA" in the subject line.

FOR FURTHER INFORMATION CONTACT: Steve Yonkers, Privacy Officer, US-VISIT, Border and Transportation Security, U.S. Department of Homeland Security, Washington, DC 20528, telephone (202) 298-5200, fax (202) 298-5201.

SUPPLEMENTARY INFORMATION:

Note: The following appendices will not appear in the Code of Federal Regulations.

Appendix A--US-VISIT Program, Increment 1 Privacy Impact Assessment Executive Summary
Appendix B--US-VISIT Program, Increment 1 Privacy Impact Assessment
Appendix C--US-VISIT Program Privacy Policy

Dated: January 12, 2004.

Nuala O'Connor Kelly,
Chief Privacy Officer.

US-VISIT Program, Increment 1 Privacy Impact Assessment Executive Summary

December 18, 2003

Contact Point: Steve Yonkers, US-VISIT Privacy Officer, Department of Homeland Security, (202) 298-5200.
Reviewing Official: Nuala O'Connor Kelly, Chief Privacy Officer, Department of Homeland Security, (202) 772-9848.

Overview

US-VISIT, the United States Visitor and Immigrant Status Indicator Technology, is a legislatively-mandated DHS program that is designed to:

- Enhance the security of American citizens, permanent residents, and visitors.
- Expedite legitimate travel and trade.
- Ensure the integrity of the immigration system.
- Safeguard the personal privacy of visitors.

When fully implemented, US-VISIT will provide a dynamic, interoperable system involving numerous stakeholders across the government. Increment 1, as the name suggests, is the first step in the implementation process.
Increment 1 proposes to integrate and modify the capabilities of several information systems in order to accomplish the mission of US-VISIT. This Privacy Impact Assessment (PIA) focuses on Increment 1 of this entry exit system.

What Information Is Collected

The US-VISIT program will collect and retain biographic, travel, and biometric information (i.e., photograph and fingerprints) pertaining to visitors. Individuals covered by Increment 1 ("covered individuals") are nonimmigrant visa holders traveling through air and sea ports.\1\ The DHS regulations and related Federal Register notice for US-VISIT Increment 1 will fully detail coverage of the program.

    \1\ Nonimmigrant visa entrants comprise a small percentage of the 330 million non-citizens admitted annually through ports of entry. Establishing US-VISIT incrementally with this population will allow DHS to test implementation of the system and to make revisions as needed for future increments.

Why the Information Is Being Collected and Intended Use of the Information

In accordance with Congressional mandates for an entry exit system, information is collected from and used to verify the identity of covered individuals who enter or leave the United States. This enables U.S. authorities to enhance the security of the United States by more effectively identifying covered individuals who are:

- Known to pose a threat or are suspected of posing a threat to the security of the United States;
- Known to have violated the terms of their admission to the United States; or
- Wanted for commission of a criminal act in the United States or elsewhere.
Information Access and Sharing

Information collected and retained by US-VISIT will be accessed by employees of DHS components--Customs and Border Protection, Immigration and Customs Enforcement, Citizenship and Immigration Services, and the Transportation Security Administration--and by consular officers of the Department of State. Strict security controls will be put in place to ensure that only those personnel with a need for the information in the performance of their official duties will be able to access information in the system. If necessary, the information that is collected will be shared with other law enforcement agencies at the federal, state, local, foreign, or tribal level, who are lawfully engaged in collecting law enforcement intelligence information and who need access to the information in order to carry out their law enforcement duties.

Consent Mechanisms

The admission into the United States of an individual subject to US-VISIT requirements will be contingent upon submission of the information required by US-VISIT, including biometric identifiers. A covered individual who declines to provide biometrics is inadmissible to the United States, unless a discretionary waiver is granted under section 212(d)(3) of the Immigration and Nationality Act. Such an individual may withdraw his or her application for admission, or be subject to removal proceedings.

Security

Information accessible to US-VISIT will be protected through multi-layer security mechanisms that are physical, technical, administrative and environmental and that are in compliance with the DHS IT Security Program Handbook and DHS Baseline Security Requirements for Automated Information Systems.
These security mechanisms provide access control to sensitive data, physical access control to DHS facilities, confidentiality of communications, authentication of sending parties, and careful screening to ensure that all personnel with access to data are screened through background investigations commensurate with the level of access required to perform their duties.

System of Records

A system of records notice (SORN)--normally required under the Privacy Act--is not necessary for US-VISIT because no new system is being developed for Increment 1. However, the ADIS and IDENT SORNs have been revised to reflect US-VISIT usage. Although US-VISIT derives its capability from the integration and modification of existing systems, it nevertheless represents a new business process that involves new uses of existing data and the collection of new data items. As a result, there is a potential for new privacy risks, which are addressed in the PIA.

Privacy Controls

US-VISIT collects, integrates, and shares personal information of covered individuals. Covered individuals must consent to the collection, use, and disclosure of this personal information if they wish to enter or leave the U.S. To address the privacy concerns associated with the program, US-VISIT will implement comprehensive privacy controls, which will be modified and updated as the system is revised and expanded. These controls consist of:

- Public education through transparency of the program, including development and publication of a Privacy Policy that will be disseminated prior to the time information is collected from potential visitors;\2\

    \2\ A copy of the Privacy Policy is appended to the full report.
- Establishment of privacy sensitivity awareness programs for US-VISIT operators;\3\

    \3\ The legacy systems on which Increment 1 is built included privacy sensitivity training requirements. This training will be made mandatory for US-VISIT operators.

- Establishment of a Privacy Officer for US-VISIT and implementation of an accountability program for those responsible for compliance with the US-VISIT Privacy Policy;
- Periodic strategic reviews of US-VISIT data to ascertain that the collection is limited to that which is necessary for US-VISIT stated purposes;
- Usage agreements between US-VISIT and other agencies authorized to have access to US-VISIT data;
- To the extent permitted by law, regulations, or policy, establishment of opportunity for covered individuals to have access to their information and/or allow them to challenge its completeness;
- Maintenance of security safeguards (physical, electronic and procedural) consistent with federal law and policy to limit access to personal information only to those with appropriate rights, and to protect information from unauthorized disclosure, modification, misuse, and disposal, whether intentional or unintentional; and
- Establishment of administrative controls to prevent improper actions due to data inconsistencies from multiple information sources.

Contact Point and Reviewing Official

Contact Point: Steve Yonkers, US-VISIT Privacy Officer, (202) 298-5200.
Reviewing Official: Nuala O'Connor Kelly, Chief Privacy Officer, DHS, (202) 772-9848.

Comments

We welcome your comments on this privacy impact assessment. Please write to: Privacy Office, Attn.: US-VISIT PIA, U.S.
Department of Homeland Security, Washington, DC 20528, or email privacy@dhs.gov. Please include US-VISIT PIA in the subject line of the email.

US-VISIT Program, Increment 1 Privacy Impact Assessment

December 18, 2003

Contact Point: Steve Yonkers, US-VISIT Privacy Officer, Department of Homeland Security, (202) 298-5200.
Reviewing Official: Nuala O'Connor Kelly, Chief Privacy Officer, Department of Homeland Security, (202) 772-9848.

1. Introduction

Congress has directed the Executive Branch to establish an integrated entry and exit data system to accomplish the following goals\1\:

    \1\ Congress enacted several statutory provisions concerning an entry exit program, including provisions in: The Immigration and Naturalization Service Data Management Improvement Act of 2000 (DMIA), Public Law 106-215; The Visa Waiver Permanent Program Act of 2000 (VWPPA), Public Law 106-396; The U.S.A. PATRIOT Act, Public Law 107-56; and The Enhanced Border Security and Visa Entry Reform Act ("Border Security Act"), Public Law 107-173.

1. Record the entry into and exit out of the United States of covered individuals;
2. Verify the identity of covered individuals; and
3. Confirm compliance by visitors with the terms of their admission into the United States.

The Department of Homeland Security (DHS) proposes to comply with this congressional mandate by establishing the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program. The first phase of US-VISIT, referred to as Increment 1, will capture entry and exit information about non-immigrant visitors whose records are not subject to the Privacy Act. Rather than establishing a new information system, DHS will integrate and enhance the capabilities of existing systems to capture this data.
In an effort to make the program transparent, as well as to address any privacy concerns that may arise as a result of the program, DHS's Chief Privacy Officer has directed that this PIA be performed in accordance with the guidance issued by OMB on September 26, 2003. As US-VISIT is further developed and deployed, this PIA will be updated to reflect future increments.

2. System Overview

- What Information Is To Be Collected

Individuals subject to the data collection requirements and processes of Increment 1 of the US-VISIT program ("covered individuals") are nonimmigrant visa holders traveling through air and sea ports. The DHS regulations and related Federal Register notice for US-VISIT Increment 1 will fully detail coverage of the program. The information to be collected from these individuals includes complete name, date of birth, gender, country of citizenship, passport number and country of issuance, country of residence, travel document type (e.g., visa), number, date and country of issuance, complete U.S. address, arrival and departure information, and, for the first time, a photograph and fingerprints. US-VISIT will capture and store this information from existing systems that already record it or are being modified to allow for its collection.

- Why the Information Is Being Collected

In numerous statutes, Congress has indicated that an entry exit program must be put in place to verify the identity of covered individuals who enter or leave the United States. In keeping with this expression of congressional intent and in furtherance of the mission of the Department of Homeland Security, the purposes of US-VISIT are to identify individuals who may pose a threat to the security of the United States, who may have violated the terms of their admission to the United States, or who may be wanted for the commission of a crime in the U.S. or elsewhere, while at the same time facilitating legitimate travel.
- What Opportunities Individuals Will Have To Decline To Provide Information or To Consent to Particular Uses of the Information and How Individuals Grant Consent

The admission into the United States of an individual subject to US-VISIT requirements will be contingent upon submission of the information required by US-VISIT, including biometric identifiers. A covered individual who declines to provide biometrics is inadmissible to the United States, unless a discretionary waiver is granted under section 212(d)(3) of the Immigration and Nationality Act. Such an individual may withdraw his or her application for admission, or be subject to removal proceedings. US-VISIT does, however, have its own privacy officer, to ensure that the privacy of all visitors is respected and to respond to individual concerns that may be raised about the collection of the required information. Further, the DHS Chief Privacy Officer will exercise comprehensive oversight of all phases of the program to ensure that privacy concerns are respected throughout implementation. The DHS Chief Privacy Officer will also serve as the review authority for all individual complaints and concerns about the program.

3. Increment 1 System Architecture

US-VISIT Increment 1 will accomplish its goals primarily through the integration and modification of the capabilities of three existing systems:

1. The Arrival and Departure Information System (ADIS).
2. The Passenger Processing Component of the Treasury Enforcement Communications System (TECS).\2\
3. Automated Biometric Identification System (IDENT).

    \2\ As indicated in the US-VISIT Increment 1 Functional Requirements Document (FRD), the Passenger Processing Component of TECS consists of two systems, where "system" is used in the sense of the E-Government Act, title 44, Chapter 35, section 3502 of U.S. Code; i.e., "a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information." The two systems, and the process relevant to US-VISIT Increment 1 that they support, are (1) Interagency Border Inspection System (IBIS), supporting the lookout process and providing interfaces with the Interpol and National Crime Information Center (NCIC) databases; and (2) Advance Passenger Information System (APIS), supporting the entry process by receiving airline passenger manifest information.

US-VISIT Increment 1 will also involve modification and extension of client software on Port of Entry (POE) workstations and the development of departure kiosks. The changes to these systems include:

1. Modifications of TECS to give immigration inspectors the ability to display non-immigrant-visa (NIV) data.
2. Modifications to the ADIS database to accommodate additional data fields, to interface with other systems, and to generate various types of reports based on the stored data.
3. Modifications to the IDENT database to capture biometrics at the primary port of entry (POE) and to facilitate identity verification.
4. Establishment of interfaces to facilitate the transfer of biometric information from IDENT to ADIS and from ADIS to TECS.
5. Establishment of other interfaces to facilitate transfer of changes in the status of individuals from two other databases--the Student and Exchange Visitor Information System (SEVIS) and the Computer Linked Application Information Management System (CLAIMS 3)--to ADIS.
[GRAPHIC] [TIFF OMITTED] TN16JA04.000

- Intended Use of the Information

DHS intends to use the information collected and maintained by US-VISIT Increment 1 to carry out its national security, law enforcement, immigration control, and other functions. Through the enhancement and integration of existing database systems, DHS will be able to ensure the entry of legitimate visitors, identify, investigate, apprehend and/or remove aliens unlawfully entering or present in the United States beyond the lawful limitations of their visit, and prevent the entry of inadmissible aliens. US-VISIT thus will enable DHS to protect U.S. borders and national security by maintaining improved immigration control. US-VISIT will also help prevent aliens from obtaining benefits to which they are not entitled.

4. Maintenance and Administrative Controls on Access to the Data

- With Whom the Information Will Be Shared

The personal information collected and maintained by US-VISIT Increment 1 will be accessed principally by employees of DHS components--Customs and Border Protection, Immigration and Customs Enforcement, Citizenship and Immigration Services, and the Transportation Security Administration--and by consular officers of the Department of State. Additionally, the information may be shared with other law enforcement agencies at the federal, state, local, foreign, or tribal level, who, in accordance with their responsibilities, are lawfully engaged in collecting law enforcement intelligence information (whether civil or criminal) and/or investigating, prosecuting, enforcing, or implementing civil and/or criminal laws, related rules, regulations, or orders.
The system of records notices for the existing systems on which US-VISIT draws provide notice as to the conditions of disclosure and routine uses for the information collected by US-VISIT, provided that any disclosure is compatible with the purpose for which the information was collected. US-VISIT transactions will have a unique identifier to differentiate them from other IDENT transactions. This will allow for improved oversight and audit capabilities to ensure that the data are being handled consistent with all applicable federal laws and regulations regarding privacy and data integrity.

- How the Information Will Be Secured

The US-VISIT program will secure information and the systems on which that information resides, by complying with the requirements of the DHS IT Security Program Handbook. This handbook establishes a comprehensive program, consistent with federal law and policy, to provide complete information security, including directives on roles and responsibilities, management policies, operational policies, and application rules, which will be applied to component systems, communications between component systems, and at interfaces between component systems and external systems.

One aspect of the DHS comprehensive program to provide information security involves the establishment of rules of behavior for each major application, including US-VISIT. These rules of behavior require users to be adequately trained regarding the security of their systems. These rules also require a periodic assessment of technical, administrative and managerial controls to enhance data integrity and accountability. System users must sign statements acknowledging that they have been trained and understand the security aspects of their systems. In addition, the rules of behavior already in effect for each of the component systems on which US-VISIT draws will be applied to the program, adding an additional layer of security protection.
The table below provides detail on the various measures employed to address potential security threats to US-VISIT Increment 1.

Security Threats and Mitigation Methods Detailed

Nature of threat: Intentional physical threats from unauthorized external entities.
Architectural placement: ADIS.
Safeguard: Physical protection.
Mechanism: The ADIS database and application is maintained at a Department of Justice Data Center. Physical controls of that facility (e.g., guards, locks) apply and prevent entry by unauthorized entities.

Nature of threat: Intentional physical threats from unauthorized external entities.
Architectural placement: Passenger Processing Component of TECS.
Safeguard: Physical protection.
Mechanism: The Passenger Processing Component of TECS is maintained on a mainframe by CBP. Physical controls of the TECS facility (e.g., guards, locks) apply and prevent entry by unauthorized entities.

Nature of threat: Intentional physical threats from external enemies.
Architectural placement: IDENT.
Safeguard: Physical protection.
Mechanism: IDENT is maintained on an IBM cluster. Physical controls of the facility (e.g., guards, locks) apply and prevent entry by unauthorized entities.

Nature of threat: Intentional physical threats from external entities.
Architectural placement: POE Workstation.
Safeguard: Physical protection.
Mechanism: Physical controls will be specific to each POE.

Nature of threat: Intentional and unintentional electronic threats from authorized (internal and external) entities.
Architectural placement: System-wide.
Safeguard: Technical protection: identification and authentication (I&A).
Mechanism: User identifier and password, managed by the Password Issuance and Control System (PICS).

5. Information Life Cycle and Privacy Impacts

The following analysis is structured according to the information life cycle.
For each life-cycle stage--collection, use and disclosure, processing, and retention and destruction--key issues are assessed, privacy risks identified, and mitigation measures discussed. Risks are related to fair information principles--notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress--that form the basis of many statutes and codes.

- Collection

US-VISIT Increment 1 collects only the personal information necessary for its purposes. While Increment 1 does not constitute a new system of records, it does expand the types of data held in its component systems to include biometric identifiers. By definition this creates a general privacy risk. This risk is mitigated, however, by establishment of a privacy policy supported and enforced by a comprehensive privacy program. This program includes a separate Privacy Officer for US-VISIT, mandatory privacy training for system operators, and appropriate safeguards for data handling.

- Use and Disclosure

The IDENT and TECS systems collect data that are used for purposes other than US-VISIT. As a result, data collected for US-VISIT through these systems may become available for another functionality embodied in these component systems. This presents a potential notice risk: will the data be used for a purpose consistent with US-VISIT? This risk is mitigated in several ways. First, US-VISIT isolates US-VISIT data from non-US-VISIT data on component systems, and users will be subject to specific privacy and security training for this data. Second, the IDENT and TECS systems already have their own published SORNs, which explain the uses to which the data they collect will be put, for US-VISIT as well as non-US-VISIT purposes. This, too, mitigates the notice risk. Third, Memoranda of Understanding and of Agreement are being negotiated with third parties (including other agencies) that will address protection and use of US-VISIT data, again to mitigate this notice risk.
- Processing

Data exchange between US-VISIT Increment 1 component systems and/or applications, which will take place over an encrypted network, is limited and confined only to those exchanges that are functionally necessary. Although much of the personal information going into ADIS from SEVIS and CLAIMS 3 is duplicative of data entering ADIS from TECS, this duplication is to ensure that changes in status received from SEVIS or CLAIMS 3 are associated with the correct individual, even in cases of data element mismatches (i.e., differing values for the same data element received from different sources). This mitigates the data integrity risk. A failure to match generates an exception report that prompts action to resolve the issue. This also mitigates integrity risk by guarding against incorrect enforcement actions resulting from lost immigration status changes. (The data flows from SEVIS and CLAIMS 3 principally support changes in status.)

On the other hand, if a match is made, but there are some data element mismatches, no report is generated identifying the relevant records and data elements (one or more of which must have inaccurate or improper values) and no corrective action is taken. This is due to the resources that would be required to investigate all such events. This integrity risk again creates a possibility of incorrect enforcement actions if the match was made in error as a result of the data element mismatches. However, this aspect of the integrity risk is mitigated by subjecting all status changes that would result in enforcement actions to manual analysis and verification. A quality assurance process will also be used to identify any problem trends in the matching process.

- Retention and Destruction

The policies of individual component systems, as stated in their SORNs, govern the retention of personal information collected by US-VISIT.
Because the component systems were created at different times for different purposes, there are inconsistencies across the SORNs with respect to data retention policies. There is also some duplication in the types of data collected by each system. These inconsistencies and duplication result in some heightened degree of risk with respect to integrity/security of the data, and to access and redress principles, because personal information could persist on one or more component systems beyond its period of use or disappear from one or more component systems while still in use. These risks are mitigated, however, by having a Privacy Officer for US-VISIT to handle specific issues that may arise, by providing review of the Privacy Officer's decision by the DHS Chief Privacy Officer, and, to the extent permitted by existing law, regulations, and policy, by allowing covered individuals access to their information and permitting them to challenge its completeness. Additionally, as an overarching mechanism to ensure appropriate privacy protections, US-VISIT operators will conduct periodic strategic reviews of the data to ensure that what is collected is limited to that which is necessary for US-VISIT purposes.

US-VISIT Increment 1 will store fingerprint images, both in the IDENT database and transiently on some POE workstations and departure kiosks. These images are, of course, sensitive, and their storage could present a security as well as a privacy risk. Because retention of fingerprint images is functionally necessary so that manual comparison of fingerprints can be performed to verify biometric watch list matches, appropriate mitigation strategies will be utilized, including encryption on the departure kiosks and physical and logical access controls on the POE workstations and on the IDENT system.

The chart below shows, in tabular form, the privacy risks associated with US-VISIT, Increment 1, and the mitigation efforts that will address these risks.
Privacy Threats and Mitigation Methods Detailed

Type of threat: Unintentional threats from insiders \3\.
Description of threat: Unintentional threats include flaws in privacy policy definition; mistakes in information system design, development, integration, configuration, and operation; and errors made by custodians (i.e., personnel of organizations with custody of the information). These threats can be physical (e.g., leaving documents in plain view) or electronic in nature. These threats can result in insiders being granted access to information for which they are not authorized or which is not consistent with their responsibilities.
Measures to counter/mitigate threat: These threats are addressed by (a) developing a privacy policy consistent with Fair Information Practices, laws, regulations, and OMB guidance; (b) defining appropriate functional and interface requirements; developing, integrating, and configuring the system in accordance with those requirements and best security practices; and testing and validating the system against those requirements; and (c) providing clear operating instructions and training to users and system administrators.

Type of threat: Intentional threats from insiders.
Description of threat: Threat actions can be characterized as improper use of authorized capabilities (e.g., browsing, removing information from trash) and circumvention of controls to take unauthorized actions (e.g., removing data from a workstation that has not been shut off).
Measures to counter/mitigate threat: These threats are addressed by a combination of technical safeguards (e.g., access control, auditing, and anomaly detection) and administrative safeguards (e.g., procedures, training).

Type of threat: Intentional and unintentional threats from authorized external entities \4\.
Description of threat: Intentional: Threat actions can be characterized as improper use of authorized capabilities (e.g., misuse of information provided by US-VISIT) and circumvention of controls to take unauthorized actions (e.g., unauthorized access to systems). Unintentional: Flaws in privacy policy definition; mistakes in information system design, development, integration, configuration, and operation; and errors made by custodians.
Measures to counter/mitigate threat: These threats are addressed by technical safeguards (in particular, boundary controls such as firewalls) and administrative safeguards in the form of routine use agreements which require external entities (a) to conform with the rules of behavior and (b) to provide safeguards consistent with, or more stringent than, those of the system or program.

Type of threat: Intentional threats from external unauthorized entities.
Description of threat: Threat actions can be characterized by mechanism: physical attack (e.g., theft of equipment), electronic attack (e.g., hacking, interception of communications), and personnel attack (e.g., social engineering).
Measures to counter/mitigate threat: These threats are addressed by physical safeguards, boundary controls at external interfaces, technical safeguards (e.g., identification and authentication, encrypted communications), and clear operating instructions and training for users and system administrators.

\3\ Here, the term ``insider'' is intended to include individuals acting under the authority of the system owner or program manager. These include users, system administrators, maintenance personnel, and others authorized for physical access to system components.
\4\ These include individuals and systems which are not under the authority of the system owner or program manager, but are authorized to receive information from, provide information to, or interface electronically with the system.

6. Summary and Conclusions

Legislation both before and after the events of September 11, 2001 led to the development of the US-VISIT Program. The program is based on Congressional concerns with visa overstays, the number of illegal foreign nationals in the country, and overall border security issues. Requirements for the program, including the implementation of an integrated and interoperable border and immigration management system, are embedded in various provisions of The Immigration and Naturalization Service Data Management Improvement Act of 2000 (DMIA), Pub. L. 106-215; The Visa Waiver Permanent Program Act of 2000 (VWPPA), Pub. L. 106-396; The U.S.A. PATRIOT Act, Pub. L. 107-56; and The Enhanced Border Security and Visa Entry Reform Act (``Border Security Act''), Pub. L. 107-173. As a result, many of the characteristics of US-VISIT were pre-determined. These characteristics include:

[sbull] Use of a National Institute of Standards and Technology (NIST) biometric standard for identifying foreign nationals;
[sbull] Use of biometric identifiers in travel and entry documents issued to foreign nationals, including the ability to read such documents at U.S. ports of entry;
[sbull] Integration of arrival/departure data on foreign nationals, including commercial carrier passenger manifests; and
[sbull] Integration with other law enforcement and security systems.

These and other requirements substantially constrained the high-level design choices available to the US-VISIT Program. A major choice for the program concerned whether to develop an entirely or largely new system or to build upon existing systems. Given the legislatively imposed deadline of December 31, 2003 for establishing an initial operating capability, along with the various integration requirements, the program opted to leverage existing systems--IDENT, ADIS, and the Passenger Processing Component of TECS.
As a result of this choice for Increment 1, DHS has determined that a new information system would not be created. Nevertheless, in order to effectively and accurately assess the privacy risks of US-VISIT, and because the program represents a new business process, this Privacy Impact Assessment was performed. In the process of conducting this PIA, DHS identified the need to (1) update the SORNs of the ADIS and IDENT systems to accurately reflect US-VISIT requirements and usage, which has been accomplished, and (2) examine the privacy and security aspects of the existing SORNs and implement any additional necessary strategies to ensure the privacy and security of US-VISIT data. Based on this analysis, it can be concluded that:

[sbull] Most of the high-level design choices for US-VISIT Increment 1 were statutorily pre-determined;
[sbull] US-VISIT Increment 1 creates a pool of individuals whose personal information is at risk; but
[sbull] US-VISIT Increment 1 mitigates specific privacy risks; and
[sbull] US-VISIT, through its own Privacy Officer and in collaboration with the DHS Chief Privacy Officer, will continue to track, assess, and address privacy issues throughout the life of the US-VISIT program and update this PIA to reflect additional increments of the program.

Contact Point and Reviewing Official

Contact Point: Steve Yonkers, US-VISIT Privacy Officer, (202) 298-5200.
Reviewing Official: Nuala O'Connor Kelly, Chief Privacy Officer, DHS, (202) 772-9848.

Comments

We welcome your comments on this privacy impact assessment. Please write to: Privacy Office, Attn.: US-VISIT PIA, U.S. Department of Homeland Security, Washington, DC 20528, or email privacy@dhs.gov. Please include US-VISIT PIA in the subject line of the email.

US-VISIT Program Privacy Policy

November 2003

What Is the Purpose of the US-VISIT Program?
The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) is a United States Department of Homeland Security (DHS) program that enhances the country's entry and exit system. It enables the United States to record the entry into and exit out of the United States of foreign nationals requiring a visa to travel to the U.S., creates a secure travel record, and confirms their compliance with the terms of their admission. The US-VISIT program's goals are to:

a. Enhance the security of American citizens, permanent residents, and visitors.
b. Facilitate legitimate travel and trade.
c. Ensure the integrity of the immigration system.
d. Safeguard the personal privacy of visitors.

The US-VISIT initiative involves collecting biographic and travel information and biometric identifiers (fingerprints and a digital photograph) from covered individuals to assist border officers in making admissibility decisions. The identity of covered individuals will be verified upon their arrival and departure.

Who Is Affected by the Program?

Individuals subject to the requirements and processes of the US-VISIT program (``covered individuals'') are those who are not U.S. citizens at the time of entry or exit or are U.S. citizens who have not identified themselves as such at the time of entry or exit. Non-U.S. citizens who later become U.S. citizens will no longer be covered by US-VISIT, but the information about them collected by US-VISIT while they were non-citizens will be retained, as will information collected about citizens who did not identify themselves as such.

What Information Is Collected?

The US-VISIT program collects biographic, travel, travel document, and biometric information (photographs and fingerprints) pertaining to covered individuals. No personally identifiable information is collected other than that which is necessary and relevant for the purposes of the US-VISIT program.

How Is the Information Used?
The information that US-VISIT collects is used to verify the identity of covered individuals when entering or leaving the U.S. This enables U.S. authorities to more effectively identify covered individuals that:

[sbull] Are known to pose a threat or are suspected of posing a threat to the security of the United States;
[sbull] Have violated the terms of their admission to the United States; or
[sbull] Are wanted for commission of a criminal act in the United States or elsewhere.

Personal information collected by US-VISIT will be used only for the purposes for which it was collected, unless other uses are specifically authorized or mandated by law.

Who Will Have Access to the Information?

Personal information collected by US-VISIT will be principally accessed by Customs and Border Protection, Immigration and Customs Enforcement, Citizenship and Immigration Services, and Transportation Security Officers of the Department of Homeland Security and Consular Officers of the Department of State. Others to whom this information may be made available include appropriate federal, state, local, or foreign government agencies when needed by these organizations to carry out their law enforcement responsibilities.

How Will the Information Be Protected?

Personal information will be kept secure and confidential and will not be discussed with, nor disclosed to, any person within or outside the US-VISIT program other than as authorized by law and in the performance of official duties. Careful safeguards, including appropriate security controls, will ensure that the data is not used or accessed improperly. In addition, the DHS Chief Privacy Officer will review pertinent aspects of the program to ensure that proper safeguards are in place. Roles and responsibilities of DHS employees, system owners and managers, and third parties who manage or access information in the US-VISIT program include:

1. DHS Employees

As users of US-VISIT systems and records, DHS employees shall:

[sbull] Access records containing personal information only when the information is needed to carry out their official duties.
[sbull] Disclose personal information only for legitimate business purposes and in accordance with applicable laws, regulations, and US-VISIT policies and procedures.

2. US-VISIT System Owners/Managers

System Owners/Managers shall:

[sbull] Follow applicable laws, regulations, and US-VISIT program and DHS policies and procedures in the development, implementation, and operation of information systems under their control.
[sbull] Conduct a risk assessment to identify privacy risks and determine the appropriate security controls to protect against the risk.
[sbull] Ensure that only personal information that is necessary and relevant for legally mandated or authorized purposes is collected.
[sbull] Ensure that all business processes that contain personal information have an approved Privacy Impact Assessment. Privacy Impact Assessments will meet appropriate OMB and DHS guidance and will be updated as the system progresses through its development stages.
[sbull] Ensure that all personal information is protected and disposed of in accordance with applicable laws, regulations, and US-VISIT program and DHS policies and procedures.
[sbull] Use personal information collected only for the purposes for which it was collected, unless other purposes are explicitly mandated or authorized by law.
[sbull] Establish and maintain appropriate administrative, technical, and physical security safeguards to protect personal information.

3. Third Parties

Third parties shall:

[sbull] Follow the same privacy protection guidance as DHS employees.

How Long Is Information Retained?

Personal information collected by US-VISIT will be retained and destroyed in accordance with applicable legal and regulatory requirements.

Who To Contact for More Information About the US-VISIT Program

Individuals whose personal information is collected and used by the US-VISIT program may, to the extent permitted by law, examine their information and request correction of inaccuracies. Individuals who believe US-VISIT holds inaccurate information about them, or who have questions or concerns relating to personal information and US-VISIT, should contact the Privacy Officer, US-VISIT Program, Department of Homeland Security, Washington, DC 20528. Further information on the US-VISIT program is also available at http://www.dhs.gov/us-visit.

[FR Doc. 04-1016 Filed 1-15-04; 8:45 am]
BILLING CODE 4410-10-P