Data: Access and Related ConfidentialityPrivacy Issues

1
Data Access and Related Confidentiality/Privacy
Issues

• National Chemical Control Symposium
• June 10 11, 2008

2
Presentation Overview

• Basic Privacy Concepts
• Privacy Policies
• Key Privacy and Civil Liberties Initiatives
• Policy Development Process
• 28 CFR Part 23
• Discussion of Privacy Issues

3
What Is Personally Identifiable Information?

• Personally identifiable information is one or
  more pieces of information that when considered
  together or when considered in the context of how
  it is presented or how it is gathered is
  sufficient to specify a unique individual

4
What Is Privacy?

• The term privacy refers to individuals
  interests in preventing the inappropriate
  collection, use, and release of personally
  identifiable information
• Privacy interests include privacy of personal
  behavior, privacy of personal communications, and
  privacy of personal data

5
What Are Civil Liberties?

• Civil liberties are fundamental individual rights
  or freedoms, such as freedom of speech, press,
  assembly, or religion the right to due process,
  to fair trial, and to privacy and other
  limitations on the power of the government to
  restrain or dictate the actions of individuals
• Civil liberties are the freedoms that are
  guaranteed by the Bill of Rights?the first ten
  Amendments?to the Constitution of the United
  States
• Civil liberties offer protection to individuals
  from improper government action and arbitrary
  governmental interference

6
What Are Civil Rights?

• Civil rights involve positive (or affirmative)
  government action, while civil liberties involve
  restrictions on government
• The term civil rights is used to imply that the
  state has a role in ensuring all citizens have
  equal protection under the law and equal
  opportunity to exercise the privileges of
  citizenship regardless of race, religion, gender,
  or other characteristics unrelated to the worth
  of the individual
• Civil rights are, therefore, obligations imposed
  upon government to affirmatively promote equality
• Civil rights are the rights to personal liberty
  guaranteed to all U.S. citizens by the Thirteenth
  and Fourteenth Amendments and by acts of Congress

7
Basic Concepts

• Privacy, civil rights, and civil liberties
  concerns arise when
• Collecting information
• Keeping information
• Linking or merging information from several
  databases
• Analyzing information
• Disclosing or sharing information
• Destroying information

8
Privacy and Civil Rights Policies Why Do We Need
Them?

• What can happen if privacy is not protected?
• Loss of funding and resources
• Loss of means and methods
• Loss of public support and confidence (tips,
  leads, and citizen cooperation could cease)
• Getting sued and paying settlements or judgments
• Getting shut down (MATRIX, TIA)

9
Privacy and Civil Rights Policies Why Do We Need
Them?

• Justice Dept. Database Stirs Privacy Fears
• The Washington Post
• The scale and contents of the proposed database
  raise immediate privacy and civil rights
  concerns, in part because tens of thousands of
  local police officers could gain access to
  personal details about people who have not been
  arrested or charged with crimes
• Loss of public support for law enforcement
  activities

10
Privacy and Civil Liberties Policy Overview

• What is a Privacy and Civil Liberties Policy?
• A privacy and civil liberties policy is a
  written, published statement that articulates the
  policy position of an organization on how it
  handles the personally identifiable information
  that it gathers and uses in the normal course of
  business. The policy should include information
  relating to the process of information
  collection, analysis, maintenance, dissemination,
  access, expungement, and disposition

11
Privacy and Civil LibertiesPolicy Overview
(continued)

• What is the Purpose of a Privacy and Civil
  Liberties Policy?
• The purpose of a privacy and civil liberties
  policy is to articulate publicly that the agency
  will adhere to legal requirements and agency
  policy determinations that enable gathering and
  sharing of information to occur in a manner that
  protects personal privacy interests
• A well-developed and implemented privacy and
  civil liberties policy protects the agency, the
  individual, and the public and contributes to
  public trust and confidence that the justice
  system understands its role and promotes the rule
  of law

12
Privacy and Civil LibertiesPolicy Overview
(continued)

• Intersection between Privacy and Security
• Security refers to the information system
  controls that protect personally identifiable
  information through reasonable safeguards against
  risk of loss, unauthorized access, modification,
  use, destruction, or disclosure
• A security policy alone may not adequately
  address the protection of personally identifiable
  information or the requirements of a privacy and
  civil liberties policy in their entirety
• An effective privacy and civil liberties policy
  should describe how security is implemented
  within the information system to protect
  personally identifiable information. Similarly,
  a security policy should address information
  classification, protection, and periodic review
  to ensure information is being stewarded in
  accordance with an organizations privacy and
  civil liberties policy

13
Privacy and Civil Liberties Policies Why Do We
Need Them?

• The objective is to protect
• Privacy
• Civil rights
• Civil liberties
• While promoting
• Public safety
• Individual safety
• When fighting crime and terrorism

14
Key Privacy and Civil Liberties Initiatives

• U.S. Department of Justices (DOJ) Global Justice
  Information Sharing Initiative (Global) published
  a guide for state and local justice agencies when
  developing a privacy and civil liberties policy,
  entitled Privacy and Civil Liberties Policy
  Development Guide and Implementation Templates
• This guide and templates have been used by
  numerous agencies and organizations throughout
  the country to develop privacy and civil
  liberties policies, including most recently the
  U.S. Department of Defense

15
Key Privacy and Civil Liberties Initiatives

• Privacy and Civil Liberties Officials from DOJ
  and the Office of the Director of National
  Intelligence (ODNI) began development of federal
  agency requirements for the Information Sharing
  Environment (ISE)
• The ISE was established to develop policy for the
  sharing of terrorism-related information in a
  manner consistent with national security and with
  applicable legal standards relating to privacy
  and civil liberties
• The ISE Privacy Guidelines, including many of the
  concepts presented in Globals privacy guide,
  were developed for federal agencies to follow
  when developing a privacy and civil liberties
  policy

16
Privacy Technical Assistance

• Fusion center privacy template The joint DHS/DOJ
  Fusion Technical Assistance Program and Services,
  with input from the ISE Privacy Guidelines
  Committee (PGC) State, Local, and Tribal (SLT)
  Working Group, the ISE PGC Training and Outreach
  Working Group, and Global, developed a training
  workbook for fusion centers to follow when
  drafting their privacy and civil liberties
  policies Fusion Center Privacy Policy
  Development Privacy, Civil Rights, and Civil
  Liberties Policy Template
• Fusion Centers have received technical assistance
  and have drafted or are currently drafting their
  privacy and civil liberties policies

17
Privacy Technical Assistance

• Three pilot states were selected to receive
  privacy technical assistance
• Arizonacurrently receiving TA
• TexasTA currently scheduled
• North DakotaTA scheduled to follow Texas
• Based on the success of the training workbook,
  Fusion Center Privacy Policy Development
  Privacy, Civil Rights, and Civil Liberties Policy
  Template, DOJ and Global have drafted a
  state-focused version that is currently being
  vetted and revised

18
Key Privacy and Civil Liberties Initiatives

• The SEARCH Group is has developed a model privacy
  impact assessment template, Guide to Conducting
  Privacy Impact Assessments for State and Local
  Information Sharing Initiatives, that is
  currently undergoing a vetting process in the
  field prior to release
• A privacy impact assessment is a series of
  questions that evaluate the processes through
  which personally identifiable information is
  collected, stored, protected, shared, and managed
  by an electronic information system or online
  collection application

19
Key Privacy and Civil Liberties Initiatives

• DOJs Privacy Office, DHSs Privacy Office, and
  DHSs Office of Civil Rights and Liberties are
  combining efforts with GPIQWG to deliver a suite
  of products and services (to be Web accessible at
  www.it.ojp.gov) to benefit fusion centers, as
  well as state, local, and tribal entities
• Privacy 101 trainingthe Privacy TA Providers, in
  partnership with DHS, are currently outlining
  content areas for the development of interactive
  privacy training. This will be provided to
  fusion centers and state agencies for use in
  training personnel on the importance of privacy
  and the provisions contained within an agency
  privacy policy

20
Privacy and Civil Liberties TemplatesWhy Were
Templates Developed?

• Provide an organized approach to the critical
  issues
• Make explicit the rules governing the collection
  and use of information
• Clarify when and how information will be shared
  or distributed
• Articulate the expectations regarding conduct of
  agency personnel

21
Privacy and Civil Liberties Policy Process

• A step-by-step guide on team effort to develop
  and articulate a privacy and civil liberties
  policy

22
Ten Steps to a Privacy and Civil Liberties Policy

• DOJs Global Privacy and Information Quality
  Working Group has recently completed an executive
  primer, Ten Steps to a Privacy and Civil
  Liberties Policy, that breaks down the privacy
  and civil liberties policy development process
  into ten readily understood steps
• This document can be used both as a companion to
  GPIQWGs Privacy and Civil Liberties Policy
  Development Guide and Implementation Templates
  and also as an overview that can be generalized
  to any privacy and civil liberties policy
  development process
• Ten Steps to a Privacy and Civil Liberties Policy
  was approved at the April 2008 Global Advisory
  Committee (GAC) meeting and published thereafter
  for the field

23
Ten Steps to a Privacy and Civil Liberties Policy

• Identify necessary resources to develop and
  implement a privacy and civil liberties policy
• Identify stakeholders

24
Ten Steps to a Privacy and Civil Liberties Policy

• Develop guidance statements
• Develop a project charter

25
Ten Steps to a Privacy and Civil Liberties Policy

• Perform necessary analyses
• Information flow
• Legal analyses
• Gaps
• Draft the policy

26
Ten Steps to a Privacy and Civil Liberties Policy

• Vet the policy during development
• Formal adoption of the policy
• Rollout necessary outreach and training
• Ensure Accountability

27
28 CFR part 23

• Implementing standards for operating federal
  funded multijurisdictional criminal intelligence
  systems
• Developed to protect the constutional and privacy
  rights of individuals

28
28 CFR part 23

• Provides guidance in five primary areas
• Submission and entry of criminal intelligence
  information
• Security
• Inquiry
• Dissemination
• Review and purge

29
28 CFR Part 23

• An intelligence system shall only collect
  information on an individual if there is
  reasonable suspicion that the individual is
  involved in criminal conduct or activity and the
  information is relevant to that criminal conduct
  or activity. (28 CFR 23.20(a))
• Information in intelligence system may only be
  disseminated where there is a need to know and a
  right to know the information in the performance
  of a law enforcement activity. (28 CFR 23.20(e))

30
Transparency and Accountability

• Existence of privacy and civil rights policy
• Policy available for inspection
• Enforcement mechanisms

31
Privacy and Civil Liberties PolicyResources

• Places to find assistance
• Global Initiativegenerally
• http//www.it.ojp.gov/index.jsp
• Global Privacy and Information Quality Work Group
• http//www.it.ojp.gov/topic.jsp?topic_id55
• Privacy Policy and Civil Liberties Policy
  Development Guide and Implementation Templates
• http//it.ojp.gov/privacy206/ or
• https//it.ojp.gov/documents/Privacy_Guide_Final.p
  df

32
Privacy and Civil Rights PoliciesResources

• Other sources of information
• U.S. Department of Homeland Security Privacy
  Office
• http//www.dhs.gov/xinfoshare/publications/editori
  al_0514.shtm
• U.S. Department of Justice Privacy and Civil
  Liberties Office
• http//www.usdoj.gov/pclo/
• Information Sharing Environment Privacy
  Guidelines
• http//www.ise.gov

33

• Discussion