- Privacy Office Annual Reports
- Freedom of Information Act (FOIA) Reports
- Section 803 Reports
- DHS Data Mining Reports
- Cybersecurity
- Passenger Name Records
- Other Homeland Security Privacy Reports
Privacy Office Annual Reports
- Annual Privacy Report to Congress, July 2011 to June 2012 (PDF, 90 pages - 5.74 MB)
- Annual Privacy Report to Congress, July 2010 to June 2011 (PDF, 94 pages – 1.58 MB)
- Annual Privacy Report to Congress, July 2009 to June 2010 (PDF, 108 pages – 1.66 MB)
- Annual Privacy Report to Congress, July 2008 to July 2009 (PDF, 98 pages – 1.44 MB)
- Annual Privacy Report to Congress, July 2007 to July 2008 (PDF, 100 pages – 908 KB)
- Annual Privacy Report to Congress, July 2006 to July 2007 (PDF, 58 pages – 417 KB)
- Annual Privacy Report to Congress, July 2004 to July 2006 (PDF, 38 pages – 338 KB)
- Annual Privacy Report to Congress, April 2003 to June 2004 (PDF, 112 pages – 2.2 MB)
Freedom of Information Act (FOIA) Reports
Section 803 Reports
In support of Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007, the Privacy Officer will submit a report covering all privacy protection activities of the Department. Please note that the quarterly reporting period follows the FISMA reporting period and not fiscal or calendar year reporting periods.
- Quarterly Report, June 2012 to August 2012 - contains 4th quarter findings for 2012.
- Quarterly Report, March 2012 to May 2012 (PDF, 22 pages - 1.01 MB) - contains 3rd quarter findings for 2012.
- Quarterly Report, December 2011 to February 2012 (PDF, 19 pages - 983 KB) - contains 2nd quarter findings for 2012.
- Quarterly Report, September 2011 to November 2011 (PDF, 16 pages - 938 KB) - contains 1st quarter findings for 2012.
- Quarterly Report, June 2011 to August 2011 (PDF, 17 pages - 310 KB) - contains 4th quarter findings for 2011.
- Quarterly Report, March 2011 to May 2011 (PDF, 16 pages - 351 KB) - contains 3rd quarter findings for 2011.
- Quarterly Report, December 2010 to February 2011 (PDF, 14 pages - 299 KB) - contains 2nd quarter findings for 2011.
- Quarterly Report, September 2010 to November 2010 (PDF, 17 pages - 285 KB) - contains 1st quarter findings for 2011.
- Quarterly Report, June 2010 to August 2010 (PDF, 16 pages - 223 KB) - contains 4th quarter findings for 2010.
- Quarterly Report, March 2010 to May 2010 (PDF, 15 pages - 193 KB) - contains 3rd quarter findings for 2010.
- Quarterly Report, December 2009 to February 2010 (PDF, 13 pages - 192 KB) - contains 2nd quarter findings for 2010.
- Quarterly Report, September 1 to November 30, 2009 (PDF, 11 pages - 164 KB) - contains 1st quarter findings for 2010.
- Quarterly Report, June 1, 2009 to August 31, 2009 (PDF, 10 pages - 186 KB) - contains 4th quarter findings for 2009.
- Quarterly Report, March 1, 2009 to May 31, 2009 (PDF, 10 pages - 154 KB) - contains 3rd quarter findings for 2009.
- Quarterly Report, December 2008 to February 2009 (PDF, 9 pages - 176 KB) - contains 2nd quarter findings for 2009.
- Quarterly Report, September 2008 to November 2008 (PDF, 6 pages - 61 KB) - contains 1st quarter findings for 2009.
- Quarterly Report, June 2008 to August 2008 (PDF, 5 pages - 52 KB) - contains 4th quarter findings for 2008.
- Quarterly Report, March 2008 - May 2008 (PDF, 5 pages - 69 KB) - contains 3rd quarter findings for 2008.
- Quarterly Report, December 2007 - February 2008 (PDF, 5 pages - 40 KB) - contains 2nd quarter findings for 2008.
- Quarterly Report, October - December 2007 (PDF, 3 pages - 20 KB) - provides an overview of the reporting requirement.
DHS Data Mining Reports
The Data Mining Report, which is provided to Congress each year, describes DHS programs, both operational and in development, that involve data mining as defined by the Federal Agency Data Mining Reporting Act of 2007.
- 2011 Data Mining Report (PDF, 37 pages - 1.61 MB).
- 2010 Data Mining Report (PDF, 35 pages - 517 KB).
- 2009 Data Mining Report (PDF, 34 pages - 378 KB).
- 2008 Data Mining Report (PDF, 47 pages – 467 KB).
- 2008 Data Mining Letter Report (PDF, 46 pages - 441 KB).
- 2007 Data Mining Report (PDF, 42 pages - 446 KB).
- 2006 Data Mining Report July 6, 2006 (PDF, 36 pages - 340 KB).
Cybersecurity
The Privacy Office works closely with the Office of Cybersecurity & Communications (CS&C), and, within CS&C, the National Cybersecurity Division and the United States Computer Emergency Readiness Team (US-CERT), to integrate privacy protections into the Department's cybersecurity activities. The following resources provide background on these efforts:
EINSTEIN Program-Related Privacy Impact Assessments
- DHS/NPPD/PIA-026 National Cybersecurity Protection System (NCPS), July 30, 2012 (PDF, 37 pages – 7.91 MB) The National Cybersecurity Protection System (NCPS) is an integrated system for intrusion detection, analysis, intrusion prevention, and information sharing capabilities that are used to defend the federal civilian government’s information technology infrastructure from cyber threats. The NCPS includes the hardware, software, supporting processes, training, and services that are developed and acquired to support its mission. The Department of Homeland Security (DHS), National Protection and Programs Directorate (NPPD), National Cyber Security Division (NCSD) is conducting this Privacy Impact Assessment (PIA) because personally identifiable information (PII) may be collected by the NCPS, or through submissions of known or suspected cyber threats received by the United States–Computer Emergency Readiness Team (US-CERT) for analysis. This PIA will serve as a replacement for previously published PIAs submitted by NCSD for the 24/7 Incident Handling Center (March 29, 2007), and the Malware Lab Network (May 4, 2010), and is a program-focused PIA to better characterize the efforts of NCPS and US-CERT.
- DHS/NPPD/PIA-021(a) Joint Cybersecurity Services Program (JCSP), Defense Industrial Base (DIB) – Enhanced Cybersecurity Services (DECS), July 18, 2012 (PDF, 9 pages - 1.7 MB) The Joint Cybersecurity Services Pilot (JCSP) is the Department of Homeland Security’s (DHS) voluntary information sharing initiative with the Department of Defense (DOD) and participating commercial companies. The National Protection and Programs Directorate (NPPD) is updating the DHS/NPPD/PIA-021 National Cyber Security Division Joint Cybersecurity Services Pilot PIA published on January 13, 2012 to reflect the establishment of the JCSP as an ongoing permanent program (now known as the Joint Cybersecurity Services Program (JCSP)). The purpose of the program is to enhance the cybersecurity of participating critical infrastructure entities through information sharing partnerships with the critical infrastructure organization or their Commercial Service Provider (CSP). The first phase of the JCSP will focus on the cyber protection of the Defense Industrial Base (DIB) companies that are participating in the DoD’s Cyber Security/Information Assurance (CS/IA) Program. This sub-program is known as the DIB Enhanced Cybersecurity Services (DECS). The JCSP may also be used to provide equivalent protection to participating Federal civilian agencies pending deployment of EINSTEIN intrusion prevention capabilities.
- Privacy Compliance Review of the EINSTEIN Program, January 3, 2012 (PDF, 9 pages - 112 KB). The DHS National Protection and Programs Directorate (NPPD) National Cyber Security Division (NCSD) launched the EINSTEIN program in 2004 as a computer network intrusion detection system to help protect federal executive agency information technology enterprises. NCSD conducted PIAs for each phase of the EINSTEIN program, which the DHS Privacy Office reviewed and approved. As NCSD looks ahead toward the next phase of the program to EINSTEIN 3, the DHS Privacy Office determined that conducting a PCR would be timely to ensure the accuracy of compliance documentation and transparency of the EINSTEIN program moving forward. The DHS Privacy Office found NPPD/NCSD generally compliant with the requirements outlined in the EINSTEIN 2 PIA and Initiative 3 Exercise PIA. Specifically, NPPD/NCSD is fully compliant on collection of information, use of information, internal sharing and external sharing with federal agencies, and accountability requirements. PRIV identified actions taken to address retention and training requirements as outlined in the relevant EINSTEIN PIAs, but additional actions by the program are needed to bring them into full compliance with these requirements. The DHS Privacy Office is making five recommendations to strengthen program oversight, external sharing, and bring NPPD/NCSD into full compliance with retention and training requirements. NPPD agreed with our findings and is taking steps to address our recommendations.
- National Cyber Security Division Joint Cybersecurity Services Pilot (JCSP), January 13, 2012 (PDF, 16 pages – 248 KB). The Department of Homeland Security (DHS) and the Department of Defense (DoD) are jointly undertaking a proof of concept known as the Joint Cybersecurity Services Pilot (JCSP). The JCSP extends the existing operations of the Defense Industrial Base (DIB) Exploratory Cybersecurity Initiative (DIB Opt-In Pilot) and shifts the operational relationship with the CSPs in the pilot to DHS. The JCSP is part of overall efforts by DHS and DoD to enable the provision of cybersecurity capabilities enhanced by U.S. government information to protect critical infrastructure information systems and networks. The purpose of the JCSP is to enhance the cybersecurity of participating DIB critical infrastructure entities and to protect sensitive DoD information and DIB intellectual property that directly supports DoD missions or the development of DoD capabilities from unauthorized access, exfiltration, and exploitation. The National Protection and Programs Directorate (NPPD) is conducting this Privacy Impact Assessment (PIA) on behalf of DHS because some known or suspected cyber threat information shared under the JCSP may contain information that could be considered personally identifiable information (PII). Associated SORN(s): DHS/ALL-002 - Department of Homeland Security (DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.
- US-CERT: Initiative Three Exercise. March 18, 2010 (PDF 19 pages – 457 KB) Pursuant to Initiative Three of the Comprehensive National Cybersecurity Initiative, DHS is engaging in an exercise to demonstrate a suite of technologies that could be included in the next generation of the Department's EINSTEIN network security program. This demonstration (commonly referred to as the "Initiative Three Exercise" or, more simply, as "the Exercise") will use a modified complement of system components currently providing the EINSTEIN 1 and EINSTEIN 2 capabilities, as well as a DHS test deployment of technology developed by the National Security Agency (NSA) that includes an intrusion prevention capability (collectively referred to as "the Exercise technology"). The purpose of the Exercise is to demonstrate the ability of an existing Internet Service Provider that is designated as a Trusted Internet Connection Access Provider (TICAP) to select and redirect Internet traffic from a single participating government agency through the Exercise technology, for US-CERT to apply intrusion detection and prevention measures to that traffic and for US-CERT to generate automated alerts about selected cyber threats. This PIA is being conducted because the Exercise will analyze Internet traffic which may contain personally identifiable information (PII).
- EINSTEIN 1 PIA Update. February 19, 2010 (PDF, 12 pages – 194 KB) DHS and the State of Michigan (“Michigan”) plan to engage in a 12-month proof of concept to determine the benefits and issues presented by deploying the EINSTEIN 1 capability to Michigan government networks managed by the Michigan Department of Information Technology (MDIT). This PIA updates the previous EINSTEIN PIAs listed below in one narrow aspect: the use of EINSTEIN 1 technology in a proof of concept with Michigan.
- EINSTEIN 2 Privacy Impact Assessment. May 19, 2008 (PDF, 23 pages - 423 KB). This is the Privacy Impact Assessment (PIA) for an updated version of the EINSTEIN System. EINSTEIN is a computer network intrusion detection system (IDS) used to help protect federal executive agency information technology (IT) enterprises. EINSTEIN 2 will incorporate network intrusion detection technology capable of alerting the US-CERT to the presence of malicious or potentially harmful computer network activity in federal executive agencies' network traffic.
- EINSTEIN 1 Privacy Impact Assessment. September 2004 (PDF, 12 pages - 153 KB) This PIA examines the privacy implications of US-CERT's EINSTEIN Program. The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian government. By collecting information from participating federal government agencies, US-CERT builds and enhances our nation's cyber-related situational awareness.
Other Cybersecurity Privacy Impact Assessments
- Malware Lab Network May 4, 2010 (PDF, 13 pages – 172 KB) The goal of the Department of Homeland Security (DHS or Department) National Protection and Programs Directorate (NPPD) is to advance the risk-reduction segment of the Department's overall mission. To meet this goal, the NPPD/U.S. Computer Emergency Readiness Team (US-CERT) provides key capabilities in four cyber mission areas: 1) Alert, Warning, and Analysis; 2) Coordination and Collaboration; 3) Response and Assistance; and 4) Protection and Detection. The Malware Lab Network (MLN) contributes critical support to existing tools used by US-CERT to better meet these cyber mission areas. The MLN collects, uses, and maintains analytically relevant information in order to support the Department's cyber security mission, including the prevention and mitigation of cyber attacks, protection of information infrastructure, the assessment of cyber vulnerabilities, and response to cyber incidents. DHS is conducting this PIA to publicly analyze and evaluate the personally identifiable information (PII) within the MLN.
- 24x7 Incident Handling and Response Center, April 2, 2007 (PDF, 17 pages - 265 KB) The 24x7 Incident Handling and Response Center ("24x7") focuses on ways to gather cyber information prior to attacks and to use that information to prevent attacks, protect computing infrastructure, and respond/restore where attacks are successful. 24x7 serves as a communication hub for the United States Computer Readiness Team (US-CERT) program, issuing regular security and warning bulletins, serving as a gateway for public contribution and outreach, and also serving as a ticketing center through which tasks may be delegated out to the various US-CERT programs.
Other Cybersecurity Resources
- White Paper on Computer Network Security & Privacy Protection. February 19, 2010 (PDF, 11 pages - 114 KB). Provides an overview of the Department's cybersecurity responsibilities, the role of the EINSTEIN system in implementing those responsibilities, and the integrated privacy protections.
- White House Cybersecurity Site. The White House recently launched a site dedicated to the federal government's cybersecurity efforts, www.whitehouse.gov/cybersecurity, including the declassified description of the Comprehensive National Cybersecurity Initiative.
Passenger Name Records
The 2007 Passenger Name Record (PNR) Agreement between the United States and the European Union (EU) made possible the transfer of certain passenger data to Customs and Border Protection (CBP) in order to facilitate safe and efficient travel. The documents below demonstrate the progression of the Agreement since its inception and include subsequent reviews conducted by both the United States and the EU to ensure compliance with the Agreement.
- DHS Procedures for Access, Correction or Rectification, and Redress for Passenger Name Record, July 27, 2012 (PDF 2 pages, 44 KB).
- 2011 PNR Agreement between the U.S. and the European Union, December 14, 2011 (PDF 36 pages, 615 KB).
- European Commission Report on the Joint Review of the U.S.-E.U. Passenger Name Record Agreement April 7, 2010 (PDF, 34 pages - 409 KB)
- Department Response to the European Commission's Report on the Joint Review of the U.S.-E.U. Passenger Name Record Agreement, March 31, 2010 (PDF, 6 pages - 199 KB)
- Update to the 2008 Report Concerning Passenger Name Record Information Derived from Flights Between the U.S. and the European Union, February 2010 (PDF, 7 pages – 158 KB)
- Privacy Office Report Concerning Passenger Name Record Information Derived from Flights Between the U.S. and the European Union, December 2008 (PDF, 60 pages - 2.93 MB)
- CBP Passenger Name Record Privacy Statement for PNR Data Received in Connection with Flights Between the U.S. and the European Union (PDF, 3 pages - 142 KB).
- Answers to Frequently Asked Questions (PDF, 5 pages - 27 KB)
- 2007 PNR Agreement between the U.S. and the European Union (PDF, 7 pages - 1.7 MB)
- Letter from the Council of the European Union to the U.S. (PDF, 3 pages - 1.5 MB)
- Letter from the U.S. to the Council of the European Union (PDF, 5 pages - 4.5 MB)
- Privacy Office Report Concerning Passenger Name Record Information Derived from Flights Between the U.S. and the European Union, September 19, 2005 (PDF, 30 pages – 306 KB)
PNR and the Automated Targeting System
PNR data is stored in the Automated Targeting System (ATS). CBP uses ATS to improve the collection, use, analysis, and dissemination of information that is gathered for the primary purpose of targeting, identifying, and preventing potential terrorists and terrorist weapons from entering the United States. For more background information, please consult our ATS Privacy Impact Assessments.
Other Homeland Security Privacy Reports
The following are public reports issued by the Privacy Office:
- Assessment of CBP Training Materials on Border Searches of Electronic Devices (PDF, 6 pages – 138 KB) In August 2009, Secretary Napolitano issued new directives regarding searches of electronic media at the border. In coordination with the release of the directives, the Privacy Office, Customs and Border Protection, and the Office for Civil Rights and Civil Liberties were instructed to assess the CBP training materials and course matter on the border search of electronic devices. This report presents a summary of this joint review.
- Interim Report on the EU Approach to the Commercial Collection of Personal Data for Security Purposes: The Special Case of Hotel Guest Registration Data, conducted pursuant to Section 222(b)(1)(B) of the Homeland Security Act, in order to enforce the provisions of Article 5 of the 2007 Passenger Name Records (PNR) Agreement. January 16, 2009 (PDF 43 pages – 1.19 MB)
- CCTV: Developing Best Practices, Report on the DHS Privacy Office Public Workshop, December 17 and 18, 2007 (PDF, 66 pages – 528 KB) Report summarizing the CCTV workshop panels and resources to help identify and address privacy concerns, including Best Practices for Government Use of CCTV (Appendix B); Template for Privacy Impact Assessment for the Use of CCTV by DHS Program (Appendix C); Template for Privacy Impact Assessment for the Use of CCTV by State and Local Entities (Appendix D); and Template for Civil Liberties Impact Assessments (CLIA) (Appendix E).
- ADVISE Report, (PDF, 25 pages - 411 KB) Review of the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) Program including recommendations.
- Secure Flight Report, December 2006 (PDF, 18 pages - 694.60 KB) DHS Privacy Office Report to the Public on the Transportation Security Administration’s Secure Flight Program and Privacy Recommendations.
- MATRIX Report, December 2006 (PDF, 9 pages – 386.97KB) DHS Privacy Office Report to the Public Concerning the Multistate Anti-Terrorism Information Exchange (MATRIX) Pilot Project.
- Report Assessing the Impact of the Automatic Selectee and No Fly Lists, April 27, 2006 (PDF, 29 pages - 242 KB).
- Report to the Public on Events Surrounding jetBlue Data Transfer February 20, 2004 (PDF, 10 pages - 65 KB)