Alice Lipowicz reports:
The Homeland Security Department has agreed to replace its existing information technology support for the Traveler Redress Inquiry Program (TRIP) with a more effective system, according to a new report from DHS Inspector General Richard Skinner.
The support system is an existing system of the Transportation Security Administration. The system was expanded and modified to form the backbone of the multiagency TRIP created in 2007 to deal with travelers’ complaints about errors in watch list databases, document information and other problems.
However, the redress program still needs improvement in security, privacy, reliability, timeliness, transparency and performance management, Skinner said in the report made available Oct. 13.
Read more on FCW.
From the report:
Email Submissions of Personal Information May Expose Redress-Seekers to Avoidable Risks
TRIP offers redress-seekers three options for submitting travel inquiries and supporting identifying information: its secure online portal, conventional mail, and email. However, TRIP redress-seekers who initiate requests online can submit copies of identifying documents, such as passports and drivers’ licenses, only by mail or email.
The TRIP website assures the public that the program takes precautions to protect redress-seekers’ personally identifiable information. For example, TSA has established system security features and protocols to protect the TRIP website and the information in its case management system. However, one of the program’s options for gathering information from redress-seekers—email—potentially exposes the information to risk of interception by third parties.
However, because TRIP’s IT system is not able to receive copies of identifying documents via its secure online portal, the program has few alternatives. Previously, TRIP officials ruled out faxes as an option for submitting copies of identifying documents because faxed information was frequently transmitted with insufficient clarity for program use. Email submissions are the only alternative to conventional mail, and TRIP officials have opted to receive requests by email to maximize the public’s access to redress services and benefits.
We encourage TRIP officials to reevaluate the program’s practice of receiving personally identifiable information by unencrypted email in the future, when it has the capability of receiving such documents through its secure online portal.
CBP’s Redress Case Processing System Does Not Meet Statutory Privacy Notification Requirements
Two laws govern federal protection of personally identifiable information, the Privacy Act of 1974 and the E-Government Act of 2002. The Privacy Act requires federal agencies that maintain personally identifiable information, retrievable by a personal identifier within a system of records, to publish a related System of Records Notice in the Federal Register. The notice is to include a description of the system and the records contained within it, their uses, and information on how individuals may request access to records about them. Agencies are required to publish these notices before the system of records becomes operational.
The E-Government Act requires federal agencies to conduct and publish Privacy Impact Assessments for all systems that collect, maintain, or share personally identifiable information on members of the public. Government agencies are to complete Privacy Impact Assessments before they develop or procure related IT systems. These impact assessments provide notice to the public, among other things, of the collection, use, retention, and sharing of information maintained within government systems.
CBP processes TRIP redress cases using its redress-related IT case management system. CBP redress staff enter redress case information from TRIP’s RMS into CBP’s system on all TRIP cases that CBP processes. This case information includes addresses; dates of birth; drivers’ license and passport numbers; travel information; heights; weights; hair and eye colors; and copies of identifying documents. CBP staff can electronically retrieve this information from its case management system using identifying information such as a redress case number or date of birth. CBP’s redress case management system is therefore a system of records under the Privacy Act, and an IT system covered by the E-Government Act.
The redress case management system that CBP uses to monitor TRIP cases is not compliant with requirements of the Privacy Act or E-Government Act. CBP is required to issue both a notice and an impact assessment for its redress case management system, but has not done so. Consequently, TRIP redress-seekers do not have access to a full statement of how the government handles their personal information. Because CBP has operated and maintained this system for more than two years, we believe that CBP should issue the proper notices as soon as possible.