15 November 2004 Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html ----------------------------------------------------------------------- [Federal Register: November 15, 2004 (Volume 69, Number 219)] [Notices] [Page 65619-65627] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr15no04-96] [[Page 65619]] ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY Transportation Security Administration [Docket No. TSA-2004-19160] Notice of Final Order for Secure Flight Test Phase; Response to Public Comments on Proposed Order and Secure Flight Test Records AGENCY: Transportation Security Administration (TSA), Department of Homeland Security (DHS). ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: This notice responds to public comments received in response to three documents that the Transportation Security Administration (TSA) published in the Federal Register on September 24, 2004, related to testing of a new domestic passenger prescreening program known as Secure Flight. Secure Flight is an aviation passenger prescreening program that, once operational, would identify passengers known or reasonably suspected to be engaged in terrorist activity in order to allow action to be taken to prevent them from boarding a domestic flight or to ensure that appropriate additional security screening procedures are applied. Under the program, TSA would compare passenger reservation information for domestic flights, primarily in the form of passenger name records (PNRs), to information maintained by the Federal Government about individuals known or reasonably suspected to be engaged in terrorist activity. In preparation for testing the feasibility of the Secure Flight program, on September 24, 2004, TSA issued a Federal Register notice establishing a system of records under the Privacy Act for purposes of the Secure Flight program during the test phase. TSA also published a notice in the Federal Register that the agency had submitted to the Office of Management and Budget (OMB) a request for approval to collect PNRs from aircraft operators to test the Secure Flight program. That notice included the text of a proposed order to certain aircraft operators directing them to provide a limited set of historical PNRs to TSA. OMB subsequently has approved the information collection through March 31, 2005, and assigned OMB control number 1652-0025. In addition, TSA published a Privacy Impact Assessment for the testing phase of the Secure Flight program. This Federal Register notice that TSA publishes today addresses public comments received in response to the Federal Register notices published on September 24, 2004, and describes changes made to TSA's proposed order, which TSA now is issuing in final form. FOR FURTHER INFORMATION CONTACT: Lisa Dean, Privacy Officer, Transportation Security Administration, 601 South 12th Street, Arlington, VA 22202-4220; telephone (571) 227-3947; facsimile (571) 227-2594; e-mail lisa.dean@dhs.gov. SUPPLEMENTARY INFORMATION: Background On September 24, 2004, TSA published in the Federal Register three notices related to TSA's plan to issue a final order to aircraft operators in order to obtain PNRs for testing of a new domestic passenger prescreening program known as Secure Flight (69 FR 57342, 57345, and 57352). This Federal Register notice that TSA is publishing today responds to public comments received in response to the notices published on September 24, 2004, and provides public notice of the final order that TSA is issuing for purposes of testing the Secure Flight program. Secure Flight Program The Secure Flight program is an effort to move the existing passenger prescreening process into the Federal Government in order to make the process more effective, consistent, and efficient for the traveling public. By administering this screening process within the Federal Government, the Secure Flight program will allow for better protection of government watchlist information that currently is provided to aircraft operators. Secure Flight will involve the comparison of information in PNRs from domestic flights to names in the Terrorist Screening Database (TSDB) maintained by the Terrorist Screening Center (TSC), including the expanded TSA No-Fly and Selectee Lists, in order to identify individuals known or reasonably suspected to be engaged in terrorist activity. TSA anticipates that it will also apply, within the Secure Flight system, a streamlined version of the existing passenger prescreening process, known as the Computer Assisted Passenger Prescreening System (CAPPS), which evaluates information in PNRs that passengers otherwise provide to aircraft operators in the normal course of business. Simple comparisons of PNR information against records maintained in the TSDB will not permit TSA to identify information provided by passengers that is incorrect or inaccurate, potentially rendering the comparisons less effective. Therefore, on a very limited basis, in addition to testing TSA's ability to compare passenger information with data maintained by TSC, TSA will separately test the use of commercial data to determine if use of such data is effective in identifying passenger information that is incorrect or inaccurate and reducing the number of false positive matches of passenger information against TSDB records. This test will involve commercial data aggregators whose procedures will be governed by strict privacy and data security protections. TSA will not receive the commercially available data that would be used by commercial data aggregators. TSA will use this test of commercial data to determine whether such use: (1) Could identify when passengers' information is inaccurate or incorrect and/or assist with the resolution of false positive matches; (2) would result in inappropriate differences in treatment of any protected category of persons; and (3) could be governed by data security safeguards and privacy protections that are sufficiently robust to ensure that commercial entities or other unauthorized entities do not gain access to passengers' personal information and to ensure that the government does not gain inappropriate access to commercial information about individuals. TSA will defer any decision of whether commercial data will be used in its prescreening programs, such as Secure Flight, until a thorough assessment of test results is completed. If TSA decides to use commercial data for Secure Flight, it will not do so until the agency publishes a new System of Records Notice announcing how commercial data will be used and individuals' privacy will be protected. TSA's efforts to develop and test the Secure Flight program are fully consistent with the recommendation in the final report of the National Commission on Terrorist Attacks Upon the United States (9/11 Commission), which states at page 392: ``[I]mproved use of ``no-fly'' and ``automatic selectee'' lists should not be delayed while the argument about a successor to CAPPS continues. This screening function should be performed by TSA and it should utilize the larger set of watch lists maintained by the Federal Government. Air carriers should be required to supply the information needed to test and implement this new system.'' The expansion of these watchlists to include information not previously included for security reasons will be possible as integration and consolidation of the information related to individuals known or suspected to be engaged in terrorist activity maintained [[Page 65620]] by TSC is completed and the U.S. Government assumes the responsibility for administering the watchlist comparisons. Secure Flight will automate the vast majority of watchlist comparisons, will allow TSA to apply more consistent procedures where automated resolution of potential matches is not possible, and will allow for more consistent response procedures at airports for those passengers identified as potential matches. Secure Flight represents a significant step in securing domestic air travel and safeguarding terrorism-related national security information, namely, the watchlists. It will dramatically improve consistency and effectiveness of comparisons of passenger information with data now maintained by TSC and will reduce the long-term costs to air carriers and passengers associated with maintaining the present system, which is operated individually by each aircraft operator that flies in the United States. Prior Federal Register Notices In order to test the feasibility of the Secure Flight program, TSA must obtain a sample of passenger information for domestic flights. In preparation for obtaining this information for testing purposes, on September 24, 2004, TSA published three public notices in the Federal Register. First, TSA published a system of records notice in accordance with the Privacy Act of 1974 (5 U.S.C. 552a), including a list of the proposed routine uses of information in the system of records. (69 FR 57345). The system of records notice establishes a new system entitled ``Secure Flight Test Records'' (hereafter referred to as DHS/TSA 017), which will govern the collection, maintenance, use, and disclosure of PNRs and other information obtained by TSA for purposes of testing the Secure Flight program. TSA requested public comment on the routine uses for DHS/TSA 017 during a 30-day comment period ending on October 25, 2004. Second, TSA published in the Federal Register a notice that TSA had submitted to the Office of Management and Budget in accordance with the Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501, et seq.) a request for emergency processing of OMB's review and approval for TSA to collect PNRs from aircraft operators to test the Secure Flight program (PRA notice). (69 FR 57342). That notice included the text of a proposed order to certain aircraft operators directing them to provide a limited set of historical PNRs to TSA that cover commercial scheduled domestic flights. Specifically, the proposed order covered PNRs with domestic flight segments flown during the month of June 2004 and excluded those PNRs with flight segments that occurred after June 30, 2004. The purpose of this limitation was to ensure that during the test phase, TSA does not obtain any information about future travel plans of passengers on domestic flights. The order also proposed to exclude PNR flight segments to or from the U.S. Although not required to do so, TSA requested public comment on the proposed order during a 30-day comment period ending on October 25, 2004. OMB subsequently has approved the information collection through March 31, 2005, and assigned OMB control number 1652-0025. Third, TSA published in the Federal Register a Privacy Impact Assessment for the test phase of the Secure Flight program, which TSA prepared in accordance with the E-Government Act of 2002. (69 FR 57352). TSA received approximately 500 public comments on the Privacy Act system of records notice for DHS/TSA 017. Identical versions of most of those comments also were sent to OMB in response to TSA's PRA notice. TSA has reviewed and considered the issues raised by the public comments submitted to TSA and OMB. This notice addresses those issues and describes changes made to TSA's proposed order to aircraft operators, which, after carefully considering the comments, TSA now is issuing in final form. Public Comments Public comments on the Secure Flight system of records notice and PRA notice generally focused on one or more of the following categories of issues: (1) The program's effect on individual privacy and civil liberties; (2) the routine uses established for the Secure Flight Test Records System (DHS/TSA 017); (3) passenger consent to the use of historical PNRs; (4) the absence of a redress process; (5) concerns with the use of commercial data; (6) the efficacy of the Secure Flight program; (7) TSA's compliance with the Privacy Act, the PRA, and other laws; and (8) possible conflicts of laws involving European Union (EU) data privacy requirements. Effect on Individual Privacy and Civil Liberties A large majority of the commenters viewed the use of PNRs to prescreen passengers against government watchlists as an invasion of privacy and an infringement on their civil liberties, including individuals' right to travel and exercise other Constitutional rights that might be related to travel, such as the freedom of assembly. The National Business Travel Association (NBTA), stated that TSA should balance the need to establish better security measures with policies and procedures that protect civil liberties and privacy. The NBTA also stated that TSA should not impose unnecessary costs on business travelers. TSA is aware of, and sensitive to, the need to preserve Americans' freedoms while pursing better security. In implementing a new security measure that affects these interests, it is necessary to move deliberately and cautiously. It is for this very reason that TSA is testing the Secure Flight program before moving forward with an operational system. The prescreening of passengers against Government watchlists is a security measure that has been in place for several years, performed by aircraft operators, using watchlists provided by the Federal Government. Because the airlines have varying systems by which they implement passenger prescreening, the effectiveness, efficiency, and consistency in response for airline passengers of the current system is limited. The Secure Flight program is an effort to move this prescreening process into the Federal Government in order to make the process more effective, consistent, and efficient for the traveling public. This effort is consistent with a specific aviation security recommendation of the 9/11 Commission. The Secure Flight program will not impose an unconstitutional burden on an individual's right to travel or exercise other Constitutional rights. The Secure Flight program is a limited, reasonable security screening measure designed to further the Federal Government's compelling interest in protecting aviation security. Except in cases where a passenger may authorize TSA to retain information about him or her for purposes of redress, TSA has no long- term need to retain the information and is seeking approval from the National Archives and Records Administration (NARA) to destroy passenger information shortly after completion of the passenger's itinerary. Similarly, for purposes of the test phase of the program, TSA is seeking NARA approval to destroy PNRs used for the test after the test has been completed and the results have been evaluated. TSA's purpose in obtaining PNRs is to test the program, not to maintain information on individuals' travel. TSA agrees with NBTA's comments regarding the need to have policies and procedures that protect passengers' civil liberties and privacy interests and to ensure the Secure Flight program is [[Page 65621]] effective. TSA is in the process of developing redress procedures that will accomplish these goals, as discussed further below. The Electronic Privacy Information Center (EPIC) objected to TSA's statement in the System of Records notice that the records created and maintained in the course of the Secure Flight test phase should be exempt from a number of the provisions of the Privacy Act, such as the provision allowing individuals to obtain access to certain records containing information about them. The Privacy Act specifically permits agencies to exempt from certain of its provisions investigatory materials compiled for law enforcement purposes, because allowing individuals access to law enforcement files could impair investigations, particularly those involving complex or continuing patterns of behavior. The intent of the exemption is to prevent access to law enforcement records if that access would alert subjects that their activities are being scrutinized and allow them to take countermeasures to escape detection and prosecution. In the Secure Flight system of records notice section entitled ``Exemptions Claimed for the System'', TSA stated that for portions of the system it would invoke exemptions to the Privacy Act's requirements such as those that: (1) Permit individuals to obtain access to, and amend, information pertaining to them; and (2) require that information collected by the agency be relevant and necessary to the agency's statutory purpose. (69 FR 57348). TSA is in the process of preparing a notice of proposed rulemaking to implement these exemptions, which will include a detailed explanation of the basis for invoking the exemptions and will offer the public an opportunity to comment further. At this point, it is unclear whether TSA will need to invoke these exemptions for the Secure Flight program in its operational stage. In order, however, to preserve its ability to protect classified and law enforcement investigatory information from public disclosure, TSA identified these exemptions in the system of records notice as exemptions it may invoke, if necessary. EPIC noted in its comment that certain information in the system of records, such as PNRs, may not be subject to the exemptions and therefore should be releasable to the affected individual under the Privacy Act. TSA agrees with this view. As stated in the system of records notice, TSA will give individuals access to records in the system pertaining to them to the greatest extent feasible, consistent with law enforcement and national security concerns. It should become clearer during the test phase whether the records in the system may be structured in such a way as to exclude any information that must be withheld from the public for the reasons discussed above. With regard to the requirement that information collected by the agency be ``relevant and necessary,'' one of the objectives of the test phase is to confirm what information in a PNR is relevant and necessary to conduct an effective comparison of PNRs to information in the TSDB. The results of the test phase should enable TSA to determine more precisely what passenger information is relevant and necessary to the operation of the Secure Flight program and to limit its collection accordingly during the operational stage. A number of commenters expressed concern that the Secure Flight program could easily be expanded in the future beyond the scope outlined for the test phase. A number of other commenters anticipated that TSA would use passenger data to monitor where individuals travel and with whom they travel or whether they engage in other activities that could come within the First Amendment protection of freedom of assembly. These commenters have misconstrued the purpose of Secure Flight and the requirements that TSA has proposed for this test. TSA will neither use passenger information to monitor individuals' movements within the country nor share such information with other agencies or third parties. In fact, for the operational phase of Secure Flight, TSA intends to seek approval from NARA to destroy passenger information shortly after completion of the passenger's itinerary. This will preclude TSA from keeping any record of passenger movements around the country. TSA will not monitor the individuals with whom a particular passenger travels. If testing of the program indicates that it is a feasible and effective security measure, TSA will initiate a public rulemaking process in which it will provide an appropriate proposal for the workings of the system, as well as the redress process. This process, in conjunction with future publication of a Privacy Act system of records notice for the operational stage of the program will limit TSA's activities under Secure Flight to those outlined in the notice and serve as the basis for the operation of the program. To the extent that there are any substantial changes to collection of use of information under the program, these will be subject to additional notice and opportunity for public comment. This transparency will serve to prevent so-called ``mission creep.'' One commenter asked whether Secure Flight would use race, color, gender, age, religion, national origin, political views, origin of a passenger's name, disability, or other personal characteristics as the basis for screening decisions. One commenter suggested that TSA would use gun ownership as a basis for screening decisions. Several commenters stated that TSA should use ethnicity or national origin as a screening factor. With regard to the use of race, gender, national origin, or other factors listed above, Secure Flight will comply with the Constitution and other applicable law. TSA has adopted and complies with the ``Guidance Regarding Use of Race by Federal Law Enforcement Agencies'' issued by the United States Department of Justice in June 2003. Routine Uses TSA received several comments on TSA's possible disclosure of personal data obtained for testing the Secure Flight program. Under the Privacy Act, TSA is required to list routine uses of the information it will maintain in the system of records created for testing the Secure Flight program. A routine use is a disclosure of a record outside the Department of Homeland Security for a purpose that is compatible with the purpose for which the information was collected. In its system of records notice for DHS/TSA 017, TSA listed the following routine uses for Secure Flight Test Records: (1) To the Federal Bureau of Investigation where TSA becomes aware of information that may be related to an individual identified in the Terrorist Screening Database as known or reasonably suspected to be or having been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism; (2) To contractors, grantees, experts, consultants, or other like persons when necessary to perform a function or service related to the Secure Flight program or the system of records for which they have been engaged. Such recipients are required to comply with the Privacy Act, 5 U.S.C. 552a, as amended; (3) To the Department of Justice (DOJ) or other Federal agency in the review, settlement, defense, and prosecution of claims, complaints, and lawsuits involving matters over which TSA exercises jurisdiction or when conducting litigation or in proceedings before any court, adjudicative or [[Page 65622]] administrative body, when: (a) TSA; or (b) any employee of TSA in his/ her official capacity; or (c) any employee of TSA in his/her individual capacity, where DOJ or TSA has agreed to represent the employee; or (d) the United States or any agency thereof, is a party to the litigation or has an interest in such litigation, and TSA determines that the records are both relevant and necessary to the litigation and the use of such records is compatible with the purpose for which TSA collected the records; (4) To the National Archives and Records Administration (NARA) or other Federal agencies pursuant to records management inspections being conducted under the authority of 44 U.S.C. 2904 and 2906; (5) To a Congressional office from the record of an individual in response to an inquiry from that congressional office made at the request of the individual; and (6) To an agency, organization, or individual for the purposes of performing authorized audit or oversight operations. Some commenters objected to the disclosure of information to other agencies whose missions are unrelated to counterterrorism or security and to foreign governments. TSA has established a very limited set of routine uses for the Secure Flight Test Records. Consistent with the commenters' view, TSA will disclose information to the FBI in connection with its counterterrorism function where TSA becomes aware of information that may be related to an individual identified in the TSDB as known or reasonably suspected to be or having been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism. The other routine uses applicable to DHS/TSA 017 are necessary for the operation of the agency or the operation and oversight of the Secure Flight program. TSA will not provide any of the information related to the Secure Flight program to foreign governments. One commenter expressed concern with TSA's plan to allow government contractors access to personal data and suggested that TSA ensure that strong contractual requirements are in place to deter weak data handling practices. TSA will put such contractual requirements in place. One commenter stated that TSA should ensure that if Secure Flight is used to screen actual passengers, any underlying information about the passenger used to make screening decisions should not be provided to the airlines or screeners. TSA agrees with this comment. One of the main purposes of Secure Flight is to bring within the Federal Government the watchlist comparison results that currently are in the hands of airlines. Passenger Consent Many commenters objected to the government's collection of PNRs for testing purposes because they had not given consent to the collection. As discussed previously, aircraft operators currently use the information in PNRs to conduct passenger prescreening, including watchlists checks and the application of CAPPS. The existence of these prescreening measures has been public knowledge for many years. Therefore, when passengers provide information to aircraft operators in order to purchase air transportation, they have notice that their information will be used for prescreening purposes. In fact, the PNRs TSA will receive for testing Secure Flight already were already used for airline-implemented prescreening in June 2004. Therefore, TSA's collection of the PNRs is consistent with the purposes for which the information in those PNRs originally was collected, and passengers who traveled by air in June 2004 had notice of those purposes. Redress Process Commenters noted that TSA has not yet established detailed redress procedures to handle cases where passengers believe they have been unfairly or inaccurately singled out for additional scrutiny as a result of the comparison of their PNRs to information in the TSDB. NBTA stated that TSA should develop a redress process to address inaccuracies in the databases TSA uses to prescreen passengers, including special procedures for corporate travelers to allow them to continue to fly while any security issue is resolved. TSA is in the process of developing a robust redress program and has begun hiring and is well into the process of developing redress procedures that will be refined during the Secure Flight test in November. For present purposes, however, TSA is only testing the Secure Flight concept. Because the data to be used concerns domestic flights that have already been completed during the month of June 2004 `` meaning that passengers were already screened `` and because the test results will not be used in an operational setting to conduct passenger screening, no passengers will need to avail themselves of the redress process during testing. With respect to special procedures for business travelers, TSA does not, at this point, believe that the Secure Flight program will cause delays that would warrant special treatment for any class of passengers. Information obtained through program testing, however, may be relevant to this issue, and TSA will consider it in developing the operational aspects of the Secure Flight program. Use of Commercial Data A number of commenters had questions and concerns regarding TSA's plan to test the use of commercial data to identify passenger information that is incorrect or inaccurate. Commenters expressed concern that TSA's access to commercial information would open the door to abuse of individuals' privacy rights and possible theft of their personal information. As discussed in detail in the Privacy Impact Assessment for the Secure Flight Test Phase (69 FR 57352), TSA's testing of commercial data will be governed by stringent data security and privacy protections, including: contractual prohibitions on commercial entities' maintenance or use of PNR information for any purposes other than testing under TSA parameters; strict firewalls between the government and commercial data providers; real-time auditing procedures to determine when data has been accessed and by whom; and strict rules prohibiting the access or use of commercially held personal data by TSA. TSA will not have access to or store the commercially available data that would be used by commercial data aggregators. One commenter questioned TSA's need for passengers' credit card information as part of Secure Flight and whether TSA would be using commercial data to check credit histories and other personal information unrelated to Secure Flight. Commenters also had questions about the types of commercial information that could lead TSA to apply enhanced screening or deny an individual access to an aircraft. One commenter suggested that TSA use only those sources of commercial data that are easily corrected by consumers so that if there are errors in commercially available data that lead to incorrect screening decisions by TSA, those errors can be resolved in a timely manner. These are all are key issues that TSA will be attempting to resolve during the testing phase. Once TSA has information about the feasibility and efficacy of using commercial data, such as credit card numbers, to gauge the accuracy of passenger information and reduce false positive matches to information in the TSDB, the agency will be in a position to provide specific answers to the types of questions raised [[Page 65623]] by the commenters. TSA will not have access to individuals' credit histories, medical records, or other personal records. A number of commenters expressed concern over access by data aggregators to passenger information during the testing. TSA will require the data aggregators with whom it works to abide by the requirements of the Privacy Act as well as to execute legally enforceable nondisclosure agreements prohibiting their use of information for any purpose other than for the testing of the effectiveness of the use of commercial data for Secure Flight. As a security mechanism, TSA has installed an auditing system as part of the platform on which the Secure Flight program will operate. The auditing mechanism will immediately detect any unauthorized access to the passenger data. Within TSA, individuals who are not conducting the test of the Secure Flight program will not have access to any passenger information. The real-time auditing mechanisms in place should prevent unauthorized access by individuals who are not part of the team conducting the test. TSA personnel with access to information for the testing phase will undergo specialized privacy training and will be required to hold appropriate security clearances and, therefore, will understand the sensitivity of the information to which they have access. Under section 552(d) of the Department of Homeland Security Appropriations Act, 2005 (Pub. L. 108-334), TSA may not test the use of commercial data until the agency has developed measures to determine the impact of the use of commercial data on aviation security and the Government Accountability Office (GAO) has reported on TSA's evaluation measures. TSA currently is working with GAO to provide the information GAO needs to evaluate TSA's measures. Efficacy of the Program Commenters questioned the potential effectiveness of the Secure Flight program because, they claim, the information in the TSDB regarding individuals known or suspected of being engaged in terrorist activity is inaccurate. A number of commenters stated that TSA should instead focus its resources and effort on improved physical security measures such as improved checkpoint screening, increased numbers of Federal Air Marshals and Federal Flight Deck Officers, and improved screening of baggage and cargo. NBTA stated that TSA should stress test the Secure Flight system and develop operational safeguards and oversight policies for the program. TSA agrees with those commenters who have stated that TSA should ensure that the Secure Flight program is effective before going forward with implementation and should have a quick and effective redress process to address situations in which passengers are mistakenly subjected to enhanced scrutiny or believe that they have wrongly been included on a watchlist. With respect to the suggested choice between developing Secure Flight or directing TSA's resources towards other security measures, TSA approaches security as a layered process. TSA is committed to taking actions that will improve each layer of security and believes that such actions are not mutually exclusive. The American Civil Liberties Union (ACLU) commented that the continued expansion of government watchlists creates a risk of false positive matches of passengers on watchlists. Therefore, the ACLU stated, effective management of the watchlists will become even more important. Again, TSA agrees that the Secure Flight program must be shown to be effective in achieving its stated goals before it is implemented. In order to determine whether the program can be effective, however, TSA must test the system and is doing so while respecting the privacy and civil liberties of individuals. A number of commenters stated that Secure Flight would not be effective in identifying terrorists who may travel by air but are not currently known to the Federal Government and therefore are not included in the TSDB. Commenters also stated that even if an individual is included in the TSDB, Secure Flight will not detect that individual if he or she assumes the identity of a person not included in the TSDB, such as through identity theft. TSA agrees that checking passenger names against information in the TSDB will not identify unknown terrorists or those using a stolen identity. Commercial data may be useful in identifying instances where a passenger may have presented inaccurate or incorrect information. As discussed previously, however, Secure Flight will involve the use of a streamlined version of the existing CAPPS system that aircraft operators currently are using to prescreen passengers. That system evaluates information in PNRs that passengers otherwise provide to aircraft operators in the normal course of business. This element of Secure Flight will address the threat posed by an individual who may pose a threat but is not included in the TSDB or has assumed the identity of a person not included in the TSDB. A number of commenters stated that TSA should make public the results of the Secure Flight test phase. TSA will make the results available to the extent consistent with national security and homeland security. Compliance With the Privacy Act, PRA, and Other Laws The EPIC stated that OMB should not approve the information collection until TSA provides more detailed information to the public about the Secure Flight program. The Secure Flight program is at a very early stage of development. The purpose of the test phase is to determine the technical feasibility of a consolidated system by which TSA may compare information in PNRs to information in the TSDB. At this point, therefore, TSA has provided as much detail as it can about the planned workings of the Secure Flight program. Once the test is completed and the results are analyzed, if the test phase indicates that the program is technically feasible, TSA will then be able to engage in a public rulemaking process that will involve a more detailed proposal for the Secure Flight program. This subsequent rulemaking will provide members of the public further opportunity to comment on operational and policy issues raised by the program. One commenter questioned whether TSA had a basis for receiving emergency processing from OMB of the information collection contained in the proposed order. TSA's request for emergency processing was based on the need to move forward with a new passenger prescreening system as quickly as possible, consistent with the 9/11 Commission's recently issued recommendation that TSA take over from aircraft operators the function of passenger prescreening using government watchlists. The commenter also articulated a number of aspects of the Secure Flight program that he argued are contrary to the requirements of the Privacy Act or other laws. First, he argued that PNRs constitute information regarding an individual's exercise of the First Amendment right of assembly because travel is a form of assembly. The Privacy Act imposes certain limits on an agency's authority to collect records describing an individual's exercise of First Amendment Rights. See 5 U.S.C. 552a(e)(7). TSA does not agree that PNRs contain information related to the exercise of First Amendment rights, including the right of assembly. [[Page 65624]] Second, the commenter argued that TSA's proposed order to aircraft operators to submit PNRs is inconsistent with the requirement that an agency collect information to the maximum extent practical directly from an individual when the information may result in an adverse determination about an individual's rights, benefits, or privileges. See 5 U.S.C. 552a(e)(2). The commenter stated that TSA has failed to show that it would be impractical for TSA staff to collect information about passengers from them directly at the airport prior to boarding. Collecting information from passengers at the airport for purposes of the Secure Flight test would impose a tremendous burden on the flying public in the form of additional time required for security screening. It also would not allow TSA to obtain and test the information in a PNR format, which is the form in which TSA would receive the information during the operational phase of the program. Third, the commenter, as well as others, stated that the proposed order is inconsistent with the Privacy Act because passengers whose information will be submitted to TSA under the order did not receive notice in accordance with section 552a(e)(3) of the Privacy Act, which requires a Federal agency to ``inform each individual whom it asks to supply information'' of: (1) The authority under which the request is made; (2) whether the disclosure of the information is mandatory or voluntary; (3) the principal purpose for which the information is intended to be used and the routine uses which may be made of the information; and (4) the effects on the individual if any, of not providing all or part of the information. The notice requirement under 5 U.S.C. 552a(e)(3) does not apply to the collection of the PNRs described in the proposed order. OMB has interpreted the notice requirement in section 552a(e)(3) to be inapplicable to situations in which an agency collects information about an individual from a third party. Fourth, the commenter argues that the system of records notice for Secure Flight fails to meet the requirement in 5 U.S.C. 552a(e)(4)(B) that it describe the categories of individuals on whom records are maintained in the system. The commenter notes that PNRs may contain the names of travel agents or other individuals who make, pay for, or process a passenger's travel but who are not passengers. The commenter also noted that the proposed order covered PNRs with itineraries that were entirely cancelled, thereby capturing individuals who had not flown. It is our understanding that the inclusion in PNRs of names other than those of passengers is rare. In any case, for purposes of testing the Secure Flight concept, TSA will not retrieve information from PNRs using the names of travel agents or other non-passengers who may be included in a PNR, because the purpose of Secure Flight is to screen passengers. The purpose of listing ``Categories of individuals covered'' in the system of records notice is to provide notice to those individuals whose records are subject to the Privacy Act because the records are retrieved by their name or personal identifier. The purpose is not to provide notice to every individual whose name may be incidentally mentioned in a record retrieved by the name of another individual. In addition, TSA has revised the final order to exclude from its scope any PNRs with itineraries that have been cancelled in whole, thereby avoiding collection of PNRs for individuals who have not actually completed any part of the itinerary in the PNR. For these reasons, the provision in the system of records notice meets the requirements of the Privacy Act. Fifth, the commenter argues that TSA has failed to meet certain requirements applicable to the promulgation of regulations under the Airline Deregulation Act, the Aviation and Transportation Security Act, and the Unfunded Mandates Reform Act of 1995, and the Regulatory Flexibility Act. Other commenters noted that TSA has not published a cost-benefit analysis for the Secure Flight program. As discussed previously, TSA is obtaining historical PNRs for the test phase of Secure Flight through the issuance of an order, not through rulemaking. Therefore, the foregoing statutes, as well as other statutes and Executive Orders that apply to agency rulemaking, do not apply in this instance. If testing of the program indicates that it is a feasible and effective security measure, TSA will initiate a public rulemaking process in which it will again fully comply with all applicable statutory requirements. Sixth, the commenter argued that TSA has no authority to establish a system of records for Secure Flight or order aircraft operators to provide PNRs to TSA. TSA has ample authority to conduct the Secure Flight test. Under the Aviation and Transportation Security Act and authority delegated to the Assistant Secretary of Homeland Security (Transportation Security Administration) by the Secretary of Homeland Security, TSA is responsible for, among other things, the screening of passengers and property transported in air transportation and intrastate air transportation. Also under its delegated authority, TSA has broad authority under 49 U.S.C. 40113(a) to issue orders necessary to carry out its statutory duties, which expressly include providing for security screening, under 49 U.S.C. 44901(a). TSA also is authorized to undertake research and development activities necessary to enhance transportation security under 49 U.S.C. 114(f)(8) and create a successor system to the existing CAPPS under 49 U.S.C. 44903(j)(2). Under these authorities, TSA may order aircraft operators to provide PNRs to TSA to test the Secure Flight program. Implementation of the Secure Flight test also is in furtherance of Homeland Security Presidential Directive-6/HSPD-6 of September 23, 2003 (``Integration and Use of Screening Information to Protect Against Terrorism''), which, among other things, directs Federal agencies to conduct screening at all appropriate opportunities using consolidated terrorist information and intelligence about individuals known or appropriately suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism. Potential Conflict With EU Laws United Airlines and other commenters expressed concern that complying with the proposed order would expose U.S. airlines to liability for violating privacy laws of the Member States of the EU. United suggested that the U.S. government work closely with foreign governments to address any conflicts of laws that may arise. While TSA has clear statutory authority to require the submission of reservation information for use in prescreening passengers on domestic flight segments, TSA understands the sensitivity of aircraft operators to the possibility of conflicting legal obligations under U.S. law and the laws of EU Member States. Therefore, in the interest of implementing this test expeditiously, TSA has determined that for purposes of this test phase, aircraft operators may opt to exclude from PNRs submitted to TSA any PNR that includes a flight segment between the United States and the EU. TSA and Department officials briefed European Commission (EC) representatives on October 25 to provide further details on Secure Flight testing, including the parameters of data to be [[Page 65625]] submitted for the test. TSA informed the EC that carriers may elect not to submit to TSA for use in testing any PNRs with a flight segment between the EU and the United States. The Department and EC representatives will continue regular discussions to keep the EU fully apprised of TSA's progress regarding Secure Flight, and to receive EU feedback on Secure Flight issues. TSA, in conjunction with DHS, will continue to consult with the EU prior to and during Secure Flight implementation. Other Issues United Airlines stated in its comment the concern that the Secure Flight program might result in unnecessary costs to airlines if they are required to establish new systems to transmit passenger information to TSA, rather than relying on existing systems, such as those that U.S. Customs and Border Protection has in place for receiving advance passenger information for international flights. In planning and developing the operational stage of the Secure Flight program, TSA will work to use existing communications links between the airlines and the Federal Government in order to avoid imposing duplicative requirements on the airlines to the greatest extent possible. Final Order The final order is largely unchanged from the proposed order, with the exception of the following provisions. First, in order to simplify and clarify compliance with the order, TSA changed the scope of PNRs that aircraft operators are required to provide and the description of the category of aircraft operators covered by the order. The proposed order would have required the submission of any PNRs with a flight segment completed during June 2004, so long as all the flight segments in the PNR had been completed by the end of June 2004. Thus, the proposed order covered PNRs with flight segments completed many months before June 2004. The final order applies only to those PNRs with all flight segments (flights between two locations) completed in June 2004. The proposed order applied to PNRs for any passenger on ``a scheduled flight within the United States, in operations subject to a full security program under 49 CFR 1544.101(a).'' This language was intended to cover any scheduled passenger or public charter operation conducted under a full security program. Because the proposed order did not specifically mention public charter operations and used the term ``scheduled flight,'' there was some confusion as to whether TSA intended to cover any public charter operations. The final order clarifies this point by stating the following: ``This order applies to aircraft operators that conduct scheduled passenger or public charter operations subject to a full security program under 49 CFR 1544.101(a).'' The proposed order directed aircraft operators to exclude from the PNRs submitted to TSA any flight segment to or from the United States. TSA now understands, however, that deleting information related to flight segments from PNRs is difficult and could inhibit aircraft operators from complying with the order in a timely manner. After reviewing this issue and considering the issues discussed above related to possible conflicts of law with EU Member States, TSA revised the order to allow aircraft operators to exclude entirely from its submission PNRs that include flight segments between the United States and the EU. TSA has modified the proposed order in response to questions about how the order applied to aircraft operators that use passenger manifests rather than PNRs. The final order provides that if an aircraft operator does not use PNRs, the order applies to the reservation data in whatever form the aircraft operators receive or maintain for operation of a flight, such as a passenger manifest. The final order also clarifies that with respect to codesharing operations, if an aircraft operator does not maintain PNRs or other passenger reservation information for the flights that it operates, the aircraft operator may comply with the order by stipulating in writing to TSA that the entity maintaining such PNRs or other passenger reservation information has agreed to provide the information to TSA on behalf of the aircraft operator. For example, a regional aircraft operator that relies on other aircraft operators to maintain PNRs for the regional operator's flights must stipulate that the other aircraft operators will submit PNRs to TSA on the regional aircraft operator's behalf. TSA also received questions about how to address situations where PNR history, which was excluded from the scope of the proposed order, includes completed flight segments, which were included in the scope of the proposed order. The final order clarifies that if the PNR history includes information on flight segments already flown, they must be included in the PNR submitted to TSA. In such cases, the aircraft operator may move information on flights flown out of the PNR history or include the entire PNR history in the information submitted to TSA, and TSA will extract the flown flight segments. The final order also clarifies that PNRs must include all data that would have been available to the aircraft operator prior to the completion of the itinerary (active fields), including any ``remarks'' sections, the reservation creation date, and CAPPS scores and codes. Finally, the final order provides additional information about how the PNRs are to be submitted, including a requirement that they be password protected. Based on the foregoing, TSA will issue the following final order to aircraft operators. The text of the final order is set forth below. Issued in Arlington, Virginia, on November 10, 2004. Lisa S. Dean, Privacy Officer. OMB Control Number 1652-0025 Expiration Date: March 31, 2005 Transportation Security Administration Order Pursuant to the authority vested in me as Assistant Secretary of Homeland Security (Transportation Security Administration) (TSA) by delegation from the Secretary of Homeland Security, 49 U.S.C. 40113(a), and other authorities described below, I hereby direct each aircraft operator listed in Attachment A to this order to provide passenger name records (PNRs) to TSA in accordance with the terms of this order. Background and Authority 1. The Secretary of Homeland Security has delegated to the Assistant Secretary of Homeland Security (TSA), subject to the Secretary's guidance and control, the authority vested in the Secretary by section 403(2) of the Homeland Security Act respecting TSA, including that related to civil aviation security under the Aviation and Transportation Security Act. 2. Under 49 U.S.C. 114(e)(1) and 44901(a), TSA is responsible for, among other things, providing for the screening of passengers traveling in air transportation and intrastate air transportation. 3. One component of passenger screening is the Computer-Assisted Passenger Prescreening System (CAPPS), an automated screening system developed by the Federal Aviation Administration (FAA) in cooperation with U.S. aircraft operators. U.S. aircraft operators implemented CAPPS in 1997. 4. CAPPS evaluates information in PNRs that passengers otherwise provide to aircraft operators in the normal course of business to determine whether a passenger will be selected for a higher level of security screening prior to boarding. A PNR is a record that contains detailed information about an individual's travel on a particular flight, including information provided by the individual when making the flight reservation. While the Federal Government established the CAPPS selection criteria, CAPPS is operated entirely by U.S. aircraft operators. [[Page 65626]] 5. Passenger prescreening also involves the comparison of identifying information of airline passengers against lists of individuals known to pose or suspected of posing a threat to civil aviation or national security. Aircraft operators currently carry out this function, using lists provided by TSA. Because the lists are provided in an unclassified form, the amount of information they include is limited. For this reason, TSA will take over from aircraft operators the function of screening passengers against such lists and use a larger set of data maintained by the Federal Government for this purpose. This is consistent with the recommendation by the National Commission on Terrorist Attacks upon the United States (9/11 Commission) related to the use of expanded ``No-Fly'' and ``Automatic Selectee'' lists, and the 9/11 Commission recommendation that aircraft operators be required to supply the information needed to test and implement such a system. 6. In accordance with the authority in 49 U.S.C. 44903(j)(2), TSA is in the process of developing a successor system to CAPPS that will be operated entirely by TSA and will incorporate the screening of passengers against data maintained by the Terrorist Screening Center (TSC) about individuals known or reasonably suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism. 7. In order to test such a system, TSA must have access to information contained in the PNRs for domestic passenger flights. TSA also must have access to passenger information from aircraft operators that maintain the information in forms other than PNRs, such as passenger manifests. 8. TSA has broad authority under 49 U.S.C. 40113(a) to issue orders necessary to carry out its functions, including its responsibility to provide for the security screening of passengers under 49 U.S.C. 44901(a). TSA also has authority to identify and undertake research and development activities necessary to enhance transportation security under 49 U.S.C. 114(f)(8). Findings 9. The security prescreening of passengers, as mandated by Congress, is vital to aviation security and national security. 10. After a lengthy review of the initial plans for a successor system to CAPPS, and consistent with the recommendation of the 9/11 Commission, the Department of Homeland Security is moving forward with a next generation system of domestic passenger prescreening that meets the following goals: (1) Identifying, in advance of flight, passengers known or suspected to be engaged in terrorist activity; (2) moving of passengers through airport screening more quickly and reducing the number of individuals unnecessarily selected for secondary screening; and (3) fully protecting passengers' privacy and civil liberties. 11. In the revised program, known as Secure Flight, TSA will compare information in airline PNRs or other passenger manifest formats for domestic flights to information in the Terrorist Screening Database (TSDB) maintained by TSC, including expanded TSA No-Fly and Selectee lists, in order to identify individuals known or reasonably suspected to be or having been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism. The Secure Flight program also will test operation of a streamlined version of the existing CAPPS evaluation criteria. TSA will use the PNRs obtained under this order to test these aspects of the program. 12. TSA also will test whether comparing passenger information to other commercially available data can enhance TSA's ability to identify passenger information that is inaccurate or incorrect. 13. In order to develop and test such a system, TSA must obtain passenger information in PNRs, or other passenger manifest formats where PNRs are not used, from aircraft operators. 14. On September 24, 2004, TSA published in the Federal Register a proposed order requiring aircraft operators to provide PNRs for testing the Secure Flight program. After considering the public comments received and making modifications to the proposed order, where appropriate, TSA is issuing this final order to aircraft operators for purposes of obtaining PNRs to test the Secure Flight program. Action Ordered 15. Scope: a. Aircraft Operators: This order applies to aircraft operators that conduct scheduled passenger or public charter operations subject to a full security program under 49 CFR 1544.101(a). b. Information: This order applies to PNRs containing itineraries for domestic flights operated under a full security program and for which all flight segments in the itinerary were flown between June 1, 2004 and June 30, 2004, (after 2400 hours 31 May 2004 and before 0001 hours 1 July 2004). This includes PNRs for non-revenue and space available passengers. For purposes of this order, ``PNR'' means the electronic record maintained by the aircraft operator detailing information about an individual's travel on a particular flight and any other information contained in that record. For purposes of this order, ``domestic flight'' means a flight between two locations in the United States (to include the U.S. Virgin Islands, Puerto Rico, Guam, Saipan, and American Samoa). This order does not apply to PNRs reflecting itineraries that were cancelled in whole. An aircraft operator may elect to exclude from the scope of the order any PNRs which include any flight segments between the EU and the United States. If an aircraft operator does not use PNRs, the order applies to the reservation data in whatever form aircraft operators receive or maintain for operation of a flight, such as a passenger manifest. c. Information in PNRs: PNRs must include all data that would have been available to the aircraft operator in a displayed PNR prior to the completion of the itinerary (active fields), including any ``remarks'' sections, the reservation creation date, and CAPPS scores and codes. PNRs may not include information related to changes in a PNR prior to completion of the flight itinerary (PNR history). If, however, the PNR history includes information on flight segments already flown, they must be included in the PNR. In such cases, the aircraft operator may move information on flights flown out of the PNR history or include the entire PNR history in the information submitted to TSA, and TSA will extract the flown flights segments (itinerary). PNRs may be submitted in archive format. 16. Submission of PNRs: The aircraft operator must submit to TSA all PNRs described in paragraph 15 so that the data is received by TSA no later than 5 p.m. EST on November 23, 2004. Mail all information through overnight carrier to: Lisa Dean, Privacy Officer, Transportation Security Administration, 601 S. 12th Street, TSA-9, Room E7-305N, Arlington, VA 22202, Phone: (571) 227- 3947. 17. Codesharing Operations: If an aircraft operator does not maintain PNRs or other passenger reservation information for the flights that it operates, the aircraft operator may comply with this order by stipulating in writing to TSA that the entity maintaining such PNRs or other passenger reservation information has agreed to provide the information to TSA on behalf of the aircraft operator. For example, a regional aircraft operator that relies on other aircraft operators to maintain PNRs for the regional operator's flights must stipulate the other aircraft operators will submit PNRs to TSA on the regional aircraft operator's behalf. Letters of stipulation, described above, must be signed and on company letterhead. They may be delivered in one of the following three ways: U.S. Mail: TSA/ONRA, Attention: Airline Team, P.O. Box 597, Annapolis Junction, MD 20701. FAX: (240) 568-3528. E-mail (scanned copies): SecureFlight@DHS.gov. 18. The aircraft operator must provide to TSA information about the aircraft operator's PNR data schema and layout, such as a PNR format book and a data dictionary that includes all acronyms and codes not standard to the International Air Transport Association. 19. For purposes of the test, the aircraft operator must provide the PNRs to TSA on optical media in an unpacked or uncompressed form, in a structured data format or XML, if available. Information must be password-protected. The aircraft operator must supply TSA with the password via e-mail at SecureFlight@DHS.gov. Attachment A--Aircraft Operators 1. Air Midwest Inc. 2. Air Wisconsin Airline Corp 3. AirTran Airways Inc. 4. Alaska Airlines Inc. 5. Allegiant Air 6. Aloha Airlines Inc. 7. America West Airlines Inc. 8. American Airlines Inc. 9. American Eagle 10. American Trans Air Inc. [[Page 65627]] 11. Atlantic Southeast Airlines (ASA) 12. Big Sky Airlines 13. Boston and Maine Airways 14. Cape Air (Hyannis Air Service) 15. Caribbean Air 16. Casino Airlines 17. Casino Express TEM Enterprises 18. Champion Air (Grand Holdings) 19. Chautauqua Airlines 20. Chicago Express Airlines 21. Colgan Air 22. Comair, Inc. 23. Commutair (Champlain Ent.) 24. Continental Airlines Inc. 25. Continental Micronesia Inc. 26. Corporate Airlines 27. Delta Air Lines Inc. 28. Executive Airlines/American Eagle 29. Expressjet Airlines (Cont. Express) 30. Falcon Air Express 31. Freedom Air 32. Freedom Airlines 33. Frontier Airlines 34. Great Lakes Aviation Ltd. 35. Gulfstream International Airlines 36. Hawaii Island Air (Island Air) 37. Hawaiian Airlines 38. Horizon Air 39. Independence Air (Atlantic Coast Airline) 40. Jetblue Airways Corp. 41. Kenmore (start-up) 42. Mesa Airlines 43. Mesaba Aviation Inc. 44. Miami Air International 45. Midwest Airlines Inc. 46. North American Airlines 47. Northwest Airlines Inc. 48. Omni 49. Pace/Hooters 50. Pacific Island Aviation Inc. 51. Pacific Wings 52. Pan American Airways Corp. 53. Piedmont Airlines 54. Pinnacle Airlines (d/b/a Northwest Airlink) 55. Planet Air 56. Primaris Airlines, Inc. (Primaris) 57. PSA Airlines 58. Ryan International Airlines 59. Shuttle America 60. Sky King 61. Sky West Airlines 62. Skyway Airlines/Midwest Connect 63. Southeast Airlines 64. Southwest Airlines (U.S.A.) 65. Spirit Airlines 66. Sun Country Airlines Inc. 67. Trans States Airlines 68. Transmeridian Airlines 69. United Airlines Inc. 70. US Airways Inc. 71. USA3000 72. World Airways [FR Doc. 04-25396 Filed 11-12-04; 8:45 am] BILLING CODE 4910-62-P