Found via PogoWasRight.org
On May 21, 2009, the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee sent to Secretary Napolitano and Chief Privacy Officer Callahan a White Paper on DHS Information Sharing and Access Agreements (pdf).
As DHS continues to consolidate its operations, it is taking steps to implement the Information Sharing Environment required under the Intelligence Reform and Terrorism Prevention Act (IRTPA) and the supporting One DHS policy addressing the need for improved information sharing. […] IRTPA and the One DHS policy could potentially lead to widespread sharing of personal data, not only within DHS, but also between DHS and other US Federal agencies, as well as between DHS and other non-Federal government agencies, including those of other countries. […]
For these reasons, the Information Sharing Environment (ISE) and the One DHS policy raise information protection and privacy concerns. It is critical that DHS establish specific policies and practices to govern broad information sharing to ensure that personal data is respected and protected for sharing between DHS and organizations external to DHS. The Committee also recommends DHS review the content of this paper to determine which controls would be appropriate to apply to information sharing within DHS. Governments have recognized that there are two key elements to implementing any process for sharing personal data between agencies. Initially, it is important to decide whether it is appropriate to share the data for a specified purpose. Then, a determination has to be made as to how the data should be shared, particularly the type and volume of data as well as the means for sharing.
The Committee agrees that these two key steps should be considered in all decisions about sharing information; in addition, the Committee believes that a third step must be added, which is a process to review whether the personal data will be shared and protected appropriately.
The Committee also makes specific recommendations:
- “The Secretary direct all components to utilize ISAAs when sharing personal information between DHS and other Federal agencies, as well as other external parties.”
- “The Secretary establish an Information Sharing Review Board (ISRB) to develop, manage, and oversee a Department-wide information sharing process, including guidance for threshold analysis, agreement requirements, communications, and audit procedures.”
- “The Secretary require all component CPO’s, or responsible parties in components lacking a CPO, to complete an information sharing threshold analysis (ISTA) whenever they receive an inquiry for information sharing to organizations external to DHS. Also, the DHS Privacy Office should include a question in the template Privacy Impact Assessment to trigger the determination of whether an ISTA is necessary.”
- “DHS prepare and document components of the ISAA itself, including a template, with robust information privacy and security provisions based on the FIPPs policy framework.”
- “DHS Privacy Office develop and implement a comprehensive information sharing training program for component CPO’s and other parties responsible for sharing agreements.”
- “DHS Privacy Office develop and implement a communications protocol designed to support CPO’s and other responsible parties in communicating the terms and compliance requirements of ISAAs to affected individuals.”
- “DHS prepare, document, and apply auditing standards and protocols to measure compliance with the information sharing process and ISAA terms.”