Department of Homeland Security Updates Privacy Policy on Non-US Persons
The Department of Homeland Security Privacy Office has released this week a memo (pdf) on “DHS Privacy Policy Regarding Collection, Use, Retention, and Dissemination of Information on Non-U.S. Persons.” An excerpt:
As a matter of law, the Privacy Act of 1974 (“Privacy Act”), 5 U.S.C. § 552a, as amended, provides statutory privacy rights to U.S. citizens and Legal Permanent Residents (LPRs). The Privacy Act does not cover visitors or aliens. As a matter of DHS policy, any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system by DHS shall be treated as a System of Records subject to the Privacy Act regardless of whether the information pertains to a U.S. citizen, Legal Permanent Resident, visitor, or alien.
Under this policy, DHS components will handle non-U.S. person PII held in mixed systems in accordance with the fair information practices, as set forth in the Privacy Act. Non-U.S. persons have the right of access to their PII and the right to amend their records, absent an exemption under the Privacy Act; however, this policy does not extend or create a right of judicial review for non-U.S. persons. [...]
Formalizing the Department’s mixed use privacy policy will have direct benefits for DHS’s obligation to protect information on U.S. persons traveling abroad. Reciprocity is a fundamental condition of international relations and one the U.S. Government has followed with the treatment of persons and exchanges of information. Indeed, it is a fundamental structure of many international agreements7 including arms control, trade and commerce, and law enforcement. Even the Supreme Court has observed, “Public officials should bear in mind that ‘international law is founded upon mutuality and reciprocity. . . .’”
Reciprocity is relevant here because various foreign partners are expected to request personally identifiable information on U.S. persons entering their countries. Indeed, the United Kingdom and France are in the preliminary stages of implementing their own programs for using Passenger Name Records data on travelers entering their countries. If DHS wants foreign partners to afford protections to data collected about U.S. citizens, a positive commitment to honor privacy protections for non-U.S. persons, as demonstrated through application of the Privacy Act to mixed systems, will improve the chances for success. In short, DHS wants to be in a position to be able to say “we’ll give your people the same privacy you give our people.” To do otherwise, would put the Department in an untenable position of seeking a double standard.
DHS has been spending much time lately trying to reconcile the differences between US and European Union data collection, retention and sharing practices. Last month, DHS released a report (pdf): “Interim Report on the EU Approach to the Commercial Collection of Personal Data for Security Purposes: The Special Case of Hotel Guest Registration Data.” In December, DHS released “A Report Concerning Passenger Name Record Information Delivered from Flights between the U.S. and European Union,” (pdf), which reviewed the sharing of airline passenger information among the US and EU countries and the privacy implications of the datasharing.
Also in December, the Department of Homeland Security released general agency guidelines (pdf) for safeguarding “sensitive personally identifiable information” that it retains or uses. The instructions for protecting sensitive PII follow the Fair Information Practices and OECD Guidelines.
The full memo released this week by DHS: “Privacy Policy Guidance Memorandum 2007-01, Regarding Collection, Use, Retention, and Dissemination of Information on Non-U.S. Persons,” January 7, 2009 (As amended from January 19, 2007) (pdf).
Possibly related posts: