[Federal Register Volume 75, Number 22 (Wednesday, February 3, 2010)]
[Rules and Regulations]
[Pages 5491-5495]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-2200]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Office of the Secretary
6 CFR Part 5
[Docket No. DHS-2009-0052]
Privacy Act of 1974: Implementation of Exemptions; Department of
Homeland Security/U.S. Customs and Border Protection--007 Border
Crossing Information System of Records
AGENCY: Privacy Office, DHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security is issuing a final rule to
amend its regulations to exempt portions of a Department of Homeland
Security/U.S. Customs and Border Protection system of records entitled
the, ``Department of Homeland Security/U.S. Customs and Border
Protection--007 Border Crossing Information System of Records.''
Specifically, the Department exempts portions of the Department of
Homeland Security/U.S. Customs and Border
[[Page 5492]]
Protection--007 Border Crossing Information System of Records from
provisions of the Privacy Act because of criminal, civil, and
administrative enforcement requirements.
DATES: Effective Date: This final rule is effective February 3, 2010.
FOR FURTHER INFORMATION CONTACT: For general questions please contact:
Laurence E. Castelli (202-325-0280), Privacy Officer, U.S. Customs and
Border Protection, Office of International Trade, Mint Annex, 799 Ninth
Street, NW., Washington, DC 20001-4501. For privacy issues please
contact: Mary Ellen Callahan (703-235-0780), Chief Privacy Officer,
Privacy Office, U.S. Department of Homeland Security, Washington, DC
20528.
SUPPLEMENTARY INFORMATION:
Background
The Department of Homeland Security (DHS) published a notice of
proposed rulemaking in the Federal Register, 73 FR 43374, July 25,
2008, proposing to exempt portions of a system of records from
provisions of the Privacy Act because of criminal, civil, and
administrative enforcement requirements. The system of records is the
DHS/U.S. Customs and Border Protection (CBP)--007 Border Crossing
Information system. The DHS/CBP--007 Border Crossing Information system
of records notice was published concurrently in the Federal Register,
73 FR 43457, July 25, 2008, and comments were invited on both the
notice of proposed rulemaking and system of records notice. Comments
were received on the notice of proposed rulemaking and system of
records notice.
Public Comments
Forty-eight comments were received on the system of records notice
(SORN). Of those forty-eight comments, three comments were submitted in
duplicate, one comment was submitted in triplicate, and one comment was
submitted in quintuplicate. Accordingly, after accounting for the
repetitive submissions, thirty-nine original comments were received on
the system of records notice. Additionally, the same commenter posted
comments twice on the notice of proposed rulemaking (NPRM) however, it
was only one comment. Therefore only one original comment was received
on the NPRM. The thirty-nine comments received on the SORN focused
primarily on opposition either to the entire DHS/CBP--007 Border
Crossing Information system of records or to specific aspects of the
system including opposition to the proposed length of time the records
would be maintained and several of the routine uses listed for the
system. Several comments stated opposition to the system because they
alleged that the system was unconstitutional. The one comment on the
NPRM was against the proposed Privacy Act exemptions because the
commenter believed that not all records within DHS/CBP--007 Border
Crossing Information system of records are law enforcement data and
exempting the DHS/CBP--007 Border Crossing Information system of
records information from the Privacy Act would make it extremely
difficult to contest and/or fix errors in the data, a right which is
provided for in the Privacy Act. DHS notes that several comments
submitted in conjunction with the SORN expressed disagreement with DHS'
use of the Privacy Act exemptions. However, the comments were not
submitted in response to the NPRM. The following is a synopsis of the
comments received and DHS' response.
General Comments
Comment: No records should be maintained on law abiding U.S.
citizens. Lawful border crossing of U.S. citizens should not be
tracked. The focus should be on illegal entrants and non-U.S. citizens.
Response: Throughout its 219 year history, and beginning with
actions by the First Congress of the United States, CBP and its
principal legacy components, the Immigration and Naturalization Service
(INS) and the U.S. Customs Service, have possessed the authority to
stop and search all persons, conveyances, and cargo attempting to cross
the U.S. border. The DHS/CBP--007 Border Crossing Information system of
records is a tool that is by utilized CBP in performance of its mission
at U.S. borders. The responsibility of CBP at the U.S. borders
encompasses all persons crossing the borders, including U.S. citizens.
Furthermore, as explained in the DHS/CBP--007 Border Crossing
Information system of records, the system does not represent a new or
expanded collection of information by CBP. Rather, CBP is providing
increased information regarding the agency's historical practices.
Comment: This system should be classified. The collected
information should only be used for National Security purposes.
Response: The DHS/CBP--007 Border Crossing Information system of
records was published as part of DHS's ongoing effort to increase
transparency regarding the collection of information at the Department.
Accordingly, if the system were classified, the public would generally
not have access to information in the system either under the Privacy
Act or the Freedom of Information Act.
Moreover, in CBP's judgment the system's level of classification is
commensurate with the type of information maintained in the system and
the agency has put in place adequate measures to ensure the integrity
of the system.
Comment: The system should not be exempted from the Freedom of
Information Act.
Response: The system is not exempted from the Freedom of
Information Act. The Privacy Act by its terms at 5 U.S.C. 552a(b)(2)
specifically provides for access to information in a system of records,
including exempt systems of records, through a request made under the
Freedom of Information Act. In response to a Freedom of Information Act
request, and in accordance with that statute, the government may exempt
certain portions of responsive records from disclosure when providing
an individual with information about him or herself.
Comment: Criminal penalties for misuse of data must be specified
with no exceptions for government employees.
Response: The Privacy Act authorizes criminal penalties for misuse
of data maintained in a system covered by the Privacy Act. 5 U.S.C.
552a(i). There are no exceptions for criminal conduct committed by
government employees. Additionally, CBP identifies misuse of
information in its information systems as a specific violation
applicable to all CBP employees. Employees may be dismissed from CBP
for mishandling or misusing information maintained in CBP's systems and
may be subject to criminal or civil penalties.
Comment: The system should have an audit trail and information
should only be accessed if there is need to know.
Response: This system has a clear audit trail of who has accessed
the system and who has accessed what records, so that if there are
concerns about an individual's use of the system it can be tracked.
CBP's Office of Internal Affairs regularly reviews the use of the
system to ensure it is being used properly. CBP recognizes the need to
prevent misuse of any information it collects. Therefore, CBP has
implemented several internal controls to mitigate threats to the
integrity of its systems. Access to CBP's systems is governed by a
strict policy that implements rights and responsibilities to
information. This means that only CBP employees with a need to know
have access to information that falls
[[Page 5493]]
within the performance of official duties. Furthermore, CBP requires
that all employees participate in regular privacy awareness training to
receive automated systems access and requires that employees
periodically re-attend such training to continue their access. CBP also
identifies misuse of information in information systems as a specific
violation applicable to all CBP employees. Employees may be dismissed
from CBP for mishandling or misusing information maintained in CBP's
systems and may be subject to criminal or civil penalties.
Comment: DHS should have an updated System of Records Notice for
TECS.
Response: A new system of records notice for TECS was published in
December 2008. DHS/CBP--011 TECS (73 FR 77778, December 19, 2008).
Comment: The system security for the DHS/CBP--007 Border Crossing
Information system of records data has not been adequately addressed.
Response: Multiple security measures are in place for data
collected in DHS systems. CBP uses routers, firewall and intrusion
detection systems to prevent unauthorized access to its systems. Any
information stored via backup tape is protected through strict physical
safeguards and other technical safeguards to ensure it cannot be
inappropriately accessed.
Access and Redress Comments
Comment: Exempting information within the DHS/CBP--007 Border
Crossing Information system of records from certain provisions of the
Privacy Act will make it extremely difficult, if not impossible, for
individuals to fix errors that show up in the database.
Response: CBP respectfully disagrees. CBP has not proposed
exempting access to the DHS/CBP--007 Border Crossing Information system
of records by individuals who have a system record that pertains to
them. To the contrary, the DHS/CBP--007 Border Crossing Information
system of records delineated procedures for contesting system records.
The relevant section of the SORN states: ``Requests to amend a record
must be in writing and should be addressed to the CBP Customer Service
Center (Rosslyn, VA), 1300 Pennsylvania Avenue, NW., Washington, DC
20229; Telephone (877) 227-5511; or through the ``Questions'' tab at
http://www.cbp.gov.xp.cgov/travel/customerservice.'' Requests should
conform with the requirements of 6 CFR Part 5, Subpart B, which
provides the rules for requesting access to Privacy Act records
maintained by DHS and can be found at http://www.dhs.gov/foia. The
envelope and letter should be clearly marked ``Privacy Act Access
Request.'' The request should include a general description of the
records sought and must include the requester's full name, current
address, and date and place of birth. The request must be signed and
either notarized or submitted under penalty of perjury.
If individuals are uncertain what agency handles the information,
they may seek redress through the DHS Traveler Redress Program (DHS
TRIP) (72 FR 2294, January 18, 2007). DHS TRIP is a single point of
contact for individuals who have inquiries or seek resolution regarding
difficulties they experienced during their travel screening at
transportation hubs, such as airports, seaports and train stations or
at U.S. land borders. Through DHS TRIP, a traveler can request
correction of erroneously stored data in other DHS databases through
one application. Redress requests should be sent to: DHS Traveler
Redress Inquiry Program, 601 South 12th Street, TSA-901, Arlington, VA
22202-4220 or online at http://www.dhs.gov/trip.
Retention Period Comments
Comment: The retention period is too long for records about people
that have committed no crime.
Response: The fifteen-year and seventy-five year retention periods
proposed for the DHS/CBP--007 Border Crossing Information system of
records were determined in order to allow CBP to effectively pursue its
law enforcement mission while addressing privacy concerns. The fifteen-
year retention period will allow CBP to access the data when needed for
a law enforcement purpose yet permit the removal of the data in a time
period significantly shorter than other systems. The seventy-five year
period for non-immigrant aliens will allow for proper administration of
certain immigration benefits as well as other law enforcement purposes.
Furthermore, it should be noted, that while the DHS/CBP--007 Border
Crossing Information system of records information is maintained for a
number of years, any access to the information will always require a
``need to know'' by any person accessing the information. Access by
persons without a proper ``need to know'' may result in criminal
penalties and/or disciplinary actions.
Routine Uses
Comment: Under the listed Routine Uses, potential interested
parties with whom the DHS/CBP--007 Border Crossing Information system
of records information may be shared, such as press, foreign
governments, State, prospective employers, students, contractors, etc.,
is too broad and not consistent with the reason for collecting the
information.
Response: CBP, and its predecessor agencies, INS and the U.S.
Customs Service, have signed Memoranda of Understandings (MOUs) or
entered into agreements with a wide variety of Federal, State, and
local agencies with an interest in maintaining border security and law
enforcement; similar arrangements are in place with other nations in
the form of Customs Mutual Assistance Agreements (CMAAs) and other
information-sharing agreements and arrangements. The terms of these
arrangements specify the necessity of sharing information and highlight
the fact that the types of information sharing described in the SORN
are neither unique nor a new practice for border authorities.
Additionally, all MOUs and other arrangements for the sharing of
information contain specific provisions relating to the
responsibilities of the receiving party to keep the information
confidential, protected, and secure. DHS does not share PII with
domestic or foreign governments or multilateral organizations which DHS
is not confident will protect the privacy interests of the data
subject.
The routine uses identified are consistent with CBP's role as a law
enforcement agency that enforces over 400 statutes on behalf of more
than 40 agencies in the Federal Government. DHS is charged in its
authorizing statute, specifically section 892 of the Homeland Security
Act of 2002, to facilitate the sharing of terrorist information across
the government. In addition, The Intelligence Reform and Terrorism
Prevention Act of 2004 required the President to establish an
Information Sharing Environment ``that facilitates the sharing of
terrorism information.'' Following this enactment, on October 25, 2005,
the President issued Executive Order 13388, directing that DHS and
other agencies ``promptly give access to * * * terrorism information to
the head of each other agency that has counterterrorism functions'' and
establishing a mechanism for implementing the Information Sharing
Environment.
In addition, routine use O. permits CBP to share information with
the press where such a release would inform the public about the
performance of CBP's border security mission, such as the release of
information pertaining to an arrest of a person attempting to enter the
United States with bomb making materials in the trunk of his/her car.
[[Page 5494]]
Such uses are consistent with CBP's and DHS's overall law enforcement
mission and serve to inform the public of how that mission is being
accomplished. The particular routine use includes protections to
balance the privacy interests of the person, whose information may be
disclosed, with the public's right to know how the government is
accomplishing its mission; this is the traditional balance that has
always been struck between privacy and the public's right ``to know
what its government is up to.''
Comment: The listed Routine Use for sharing for civil cases is not
consistent with the mission against terrorism.
Response: The priority mission of CBP is to prevent terrorist and
terrorists' weapons from entering the United States while facilitating
legitimate travel and trade. In performance of its duties at the
border, CBP, as a law enforcement agency, enforces over 400 statutes on
behalf of more than 40 agencies in the Federal government. As such, the
enforcement is not always criminal in nature and the sharing of DHS/
CBP--007 Border Crossing Information system of records information in
certain civil matters is understandable and consistent with CBP overall
mission. Again, the DHS/CBP--007 Border Crossing Information system of
records does not represent a new collection of information, and the
routine use for civil purposes is consistent with CBP's historical
treatment of this information.
Comment: Routine Uses are vague, overbroad and in some instances
unnecessary.
Response: CBP is a law enforcement agency that enforces over 400
statutes on behalf of more than 40 agencies in the Federal government.
In addition, CBP and its predecessor agencies, the INS and U.S. Customs
Service, have signed MOUs or similar agreements with a wide variety of
Federal, State and local agencies with border security and law
enforcement interests and have similar accords with other nations in
the form of CMAAs and other information sharing agreements or
arrangements. The DHS/CBP--007 Border Crossing Information system of
records Routine Uses are established to facilitate the sharing of
specific information in furtherance of these shared law enforcement
missions. The Routine Uses set forth at great length in the DHS/CBP--
007 Border Crossing Information system of records also provides notice
and transparency to the public as to nature and extent of the sharing
of system data while containing appropriate parameters to limit the
sharing to discrete purposes.
Privacy Act Statutory Comments
Comment: The system is not consistent with DHS principles of
minimization and the Fair Information Practice Principles, specifically
the length of retention, and as such should be amended to comply with
these standards.
Response: CBP collects the minimum amount of information to
properly record the border crossing event of an individual and
facilitate CBP's border security, law enforcement and counterterrorism
functions. Additionally, as discussed, the length of retention for
information stored in the system was established to allow CBP to
effectively pursue its border security, law enforcement and
counterterrorism missions, while addressing privacy concerns.
Legal or Constitutional Comments
Comment: The system is unconstitutional. No records should be
maintained in the system without probable cause that something is
illegal nor should any records be shared without probable cause.
Response: As the U.S. Supreme Court has stated, ``[i]t is axiomatic
that the United States, as sovereign, has the inherent authority to
protect, and a paramount interest in protecting, its territorial
integrity.'' United States v. Flores-Montano, 541 U.S. 149, 153 (2004).
Indeed, ``the Government's interest in preventing the entry of unwanted
persons and effects is at its zenith at the international border.'' Id.
at 152. For this reason, the U.S. Supreme Court has held that stops and
examinations are reasonable in the absence of a warrant or probable
cause when they are conducted at the U.S. border, see Carroll v. United
States, 267 U.S. 132, 153-54 (1925), and the ``functional equivalent of
the border,'' such as international airports, see United States v.
Irving, 432 F.3d 401, 414 (2nd Cir. 2005).
Under the border search exception, routine stops and examinations
conducted at the border are reasonable for Fourth Amendment purposes
``simply by virtue of the fact that they occur at the border,'' and may
be conducted without any individualized suspicion. United States v.
Ramsey, 431 U.S. 606, 616 (1977). In addition, the Congress has
specifically authorized CBP to collect the information maintained in
the system. (see, e.g., 49 U.S.C. 44909 for information collected
through the DHS/CBP--005 Advance Passenger Information system of
records (73 FR 68435, November 18, 2008)).
Comment: The system is prohibited by the Privacy Act because it
involves the collection and retention of records pertaining to
activities protected by the First Amendment (i.e., ``right of
assembly'').
Response: The broad authority of CBP to conduct activities relating
to the entry or exit of persons or things into or out of the United
States is codified at title 19 of the United States Code (U.S.C.), in
sections 482, 1461, 1496, 1499, and 1581-83, and title 8, U.S.C. 1357.
The system is a decision-support tool used by CBP officers to execute
this lawful border enforcement authority and does not violate the right
of citizens to assemble.
Privacy Act Exemptions Comments
Comment: There is no good reason for exempting a system of this
type from the Privacy Act. All people for whom the government holds
records ought to have the ability to review, amend, or correct
information maintained by the government.
Response: The suggested exemptions from the Privacy Act listed in
the DHS/CBP--007 Border Crossing Information NPRM (73 FR 43374, June
25, 2008) were selected to allow maximum transparency of data collected
in the system while simultaneously allowing CBP to perform its border
enforcement mission. For example, if the system did not have the
proposed exemption from subsection (c)(3) of the Privacy Act, (5 U.S.C.
552a (c)(3)), the fact that certain DHS/CBP--007 Border Crossing
Information system of records information was shared with a law
enforcement agency could disclose to the subject of an investigation
the existence of such an investigation, and reveal investigative
interest on the part of DHS as well as the recipient agency. Disclosure
of the accounting could possibly allow the suspect individual to impede
the investigation and present a serious concern to successful law
enforcement efforts and possibly compromise national security.
Public Recommendations
The submitted public comments offered numerous suggestions
concerning DHS/CBP--007 Border Crossing Information system of records.
Those suggestions ranged from cancellation of the system in its
entirety, to proposed modifications to the system to enable it to meet
concerns raised in the comments. Some of the suggested modifications
included the following:
Records not be shared without probable cause support by a
court order (already in Privacy Act);
Penalties for misuse of data (already exist);
This system should be classified;
[[Page 5495]]
Retention of records should only be in cases were there is
a reasonable suspicion of criminal or terrorist activity;
The retention period should be shortened;
Records should only be maintained on non-U.S. Citizens;
and
Records should only be shared pursuant to a court order.
Responses to all these recommendations have been provided elsewhere
within this document.
Upon careful review of the submitted public comments, having taken
into consideration public comments resulting from this NPRM and SORN,
as well as the Department's position on these public comments, DHS has
determined that for the reasons stated, it is important that the
exemptions remain in place. DHS will implement the rulemaking as
proposed.
List of Subjects in 6 CFR Part 5
Freedom of information; Privacy.
0
For the reasons stated in the preamble, DHS amends Chapter I of Title
6, Code of Federal Regulations, as follows:
PART 5--DISCLOSURE OF RECORDS AND INFORMATION
0
1. The authority citation for Part 5 continues to read as follows:
Authority: Pub. L. 107-296, 116 Stat. 2135, 6 U.S.C. 101 et
seq.; 5 U.S.C. 301. Subpart A also issued under 5 U.S.C. 552.
Subpart B also issued under 5 U.S.C. 552a.
0
2. Add at the end of Appendix C to Part 5, Exemption of Record Systems
under the Privacy Act, the following new paragraph ``46'':
Appendix C to Part 5--DHS Systems of Records Exempt From the Privacy
Act
* * * * *
46. The DHS/CBP--007 Border Crossing Information system of
records will maintain border crossing information on travelers who
are admitted or paroled into the United States. This information
includes: certain biographical information; a photograph (if
available); certain itinerary information provided by air and sea
carriers and any other forms of passenger transportation, including
rail, which is or may subsequently be mandated, or is or may be
provided on a voluntary basis; and the time and location of the
border crossing. This system may contain records or information
pertaining to the accounting of disclosures made from DHS/CBP--007
Border Crossing Information system of records to agencies (Federal,
State, Local, Tribal, Foreign, or International), in accordance with
the published routine uses. For the accounting of these disclosures
only, the Secretary of Homeland Security has exempted this system
from the following provisions of the Privacy Act, subject to the
limitations set forth in 5 U.S.C. 552(c)(3); (e)(8); and (g)
pursuant to 5 U.S.C. 552a(j)(2). Additionally, for the accounting of
these disclosures only, the Secretary of Homeland Security has
exempted this system from the following provisions of the Privacy
Act, subject to the limitations set forth in 5 U.S.C. 552(c)(3);
(e)(8); and (g) pursuant to 5 U.S.C. 552a(k)(2). Further, no
exemption shall be asserted with respect to biographical or travel
information submitted by, and collected from, a person's travel
documents or submitted from a government computer system to support
or to validate those travel documents. After conferring with the
appropriate component or agency, DHS may waive applicable exemptions
in appropriate circumstances and where it would not appear to
interfere with or adversely affect the law enforcement purposes of
the systems from which the information is recompiled or in which it
is contained. Exemptions from the above particular subsections are
justified, on a case-by-case basis to be determined at the time a
request is made, when information in this system or records is
recompiled or is created from information contained in other systems
of records subject to exemptions for the following reasons:
(a) From subsection (c)(3) (Accounting for Disclosures) because
making available to a record subject to the accounting of
disclosures from records concerning him or her would specifically
reveal any investigative interest in the individual. Revealing this
information could reasonably be expect to compromise ongoing efforts
to investigate a violation of U.S. law, including investigations of
a known or suspected terrorist or criminal, or other person of
interest, by notifying the record subject that he or she is under
investigation. This information could also permit the record's
subject to take measures to impede the investigation, e.g., destroy
evidence, intimidate potential witnesses, or flee the area to avoid
or impede the investigation.
(b) From subsection (e)(8) (Notice to Individuals) because to
require individual notice of disclosure of information due to
compulsory legal process would pose an impossible administrative
burden on DHS and other agencies and could alert the subjects of
counterterrorism or law enforcement investigations to the fact of
those investigations when not previously known.
(c) From subsection (g) (Civil Remedies) to the extent that the
system is exempt from other specific subsections of the Privacy Act.
Dated: January 21, 2010.
Mary Ellen Callahan,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2010-2200 Filed 2-2-10; 8:45 am]
BILLING CODE 9110-06-P