The Department of Homeland Security Privacy Office has released its “Guide to Implementing Privacy” (pdf). A DHS spokesman said, “The Guide is an in-depth look at DHS Privacy Office operations and how we implement privacy throughout the Department. We believe the Guide can serve as an aid not only to DHS staff but also to other federal and international privacy professionals, by providing insight into how DHS builds its culture of privacy.”
In the guide, the Privacy Office sets out its Fair Information Practice Principles, which are based on the Fair Information Practices set out in the 1970s. (Congress has reaffirmed its commitment to the Fair Information Practices numerous times. Congress used the Fair Information Practices as the basis of the Privacy Act of 1974, which restricts the amount of personal data that Federal agencies can collect and requires agencies to be transparent in their information practices. When Congress created the Department of Homeland Security’s Privacy Office several years ago, Fair Information Practices were included in the establishing legislation.)
The DHS FIPPs:
- Transparency: DHS should be transparent and provide notice to the individual regarding its collection, use, dissemination, and maintenance of PII.
- Individual Participation: DHS should, to the extent practical, seek individual consent for the collection, use, dissemination, and maintenance of PII and should provide mechanisms for appropriate access, correction, and redress regarding DHS’s use of PII.
- Purpose Specification: DHS should specifically articulate the authority which permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
- Data Minimization: DHS should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
- Use Limitation: DHS should use PII solely for the purpose(s) specified in the notice. Sharing PII outside the Department should be for a purpose compatible with the purpose for which the PII was collected.
- Data Quality and Integrity: DHS should, to the extent practical, ensure that PII is accurate, relevant, timely, and complete, within the context of each use of the PII.
- Security: DHS should protect PII (in all forms) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- Accountability and Auditing: DHS should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.