The Department of Homeland Security has released its 2009 Data Mining Report:
This report describes DHS programs, both operational and in development, that involve data mining as defined by the Federal Agency Data Mining Reporting Act of 2007. The report provides the detailed information required by the Act and includes updates on program modifications and other developments since the Department issued its 2008 Data Mining Report in December 2008.
From the Executive Summary:
The Department of Homeland Security Privacy Office (DHS Privacy Office or Office) is providing this report to the Congress pursuant to the Department’s obligations under section 804 of the Implementing the Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act), entitled the Federal Agency Data Mining Reporting Act of 2007 (Data Mining Reporting Act). This report discusses activities currently deployed or under development in the Department that meet the Data Mining Reporting Act’s definition of data mining, and provides the information set out in the Act’s reporting requirements for data mining activities.
In the Department’s 2008 report to Congress, Data Mining: Technology and Policy (2008 Data Mining Report), the DHS Privacy Office identified three DHS programs that engage in activities that meet the Data Mining Reporting Act’s definition of data mining: (1) the Automated Targeting System (ATS) Inbound, Outbound, and Passenger modules administered by U.S. Customs and Border Protection (CBP); (2) the Data Analysis and Research for Trade Transparency System (DARTTS) administered by U.S. Immigration and Customs Enforcement (ICE); and (3) the Freight Assessment System (FAS) administered by the Transportation Security Administration (TSA). This year’s report, covering the time period from December 2008 through November 2009, includes complete descriptions of each of these programs, with updates on modifications, additions, or other developments that have occurred since the 2008 Data Mining Report was issued. After working with all DHS components to review DHS activities against the Data Mining Reporting Act’s definition of data mining, the DHS Privacy Office identified no additional DHS data mining activities during the current reporting year.
The Homeland Security Act of 2002, as amended (Homeland Security Act), expressly authorizes the Department to use data mining, among other analytical tools, in furtherance of its mission. DHS exercises this authority to engage in data mining in the programs discussed in this report, all of which have been reviewed by the DHS Chief Privacy Officer for potential impact on privacy. The Chief Privacy Officer’s authority for reviewing DHS data mining activities stems from three principal sources: the Privacy Act of 1974, as amended (Privacy Act); the E-Government Act of 2002 (E-Government Act); and section 222 of the Homeland Security Act, which states, in part, that the Chief Privacy Officer is responsible for “assuring that the [Department’s] use of technologies sustains, and does not erode, privacy protections relating to the use, collection, and disclosure of personal information.”
The DHS Privacy Office’s privacy compliance policies and procedures are based on a set of eight Fair Information Practice Principles (FIPPs) that are rooted in the tenets of the Privacy Act and memorialized in Privacy Policy Guidance Memorandum 2008-01, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security, which the DHS Privacy Office released in December 2008. The DHS Privacy Office applies the FIPPs to the full breadth and diversity of information and interactions within DHS, including DHS activities that involve data mining.
As described more fully below, the DHS Privacy Office’s compliance process requires programs using personally identifiable information (PII) to complete federally-mandated privacy documentation, consisting of a Privacy Impact Assessment (PIA), as required by the E-Government Act, and a System of Records Notice (SORN), as required by the Privacy Act. The DHS Privacy Office has worked closely with the programs discussed in this report to complete the required privacy compliance documentation. The programs that use PII – ATS and DARTTS – have issued both PIAs and SORNs.
While each of the programs described below engages to some extent in data mining, none uses data mining to make unevaluated automated decisions about individuals (i.e., none of these programs makes decisions about individuals solely on the basis of data mining results). In all cases, DHS employees conduct investigations to verify (or disprove) the results of data mining, and then bring their own judgment and experience to bear in making determinations about individuals initially identified through data mining activities.