State and Local Fusion Center Training Part 1

1
1
2
State and Local Fusion Center Training
Part 1

• The Privacy Office
• www.dhs.gov/privacy
• Ken Hunt
• Rebecca Richards
• Toby Levin (Training)

• The Office for Civil Rights and Civil Liberties
• www.dhs.gov/CivilLibertiesInstitute

2
3
Two Offices

• The Privacy Office
• First statutorily created Privacy Office in the
  Federal government Section 222 of the Homeland
  Security Act
• Responsible for privacy policy across the
  Department
• Hugo Teufel III, Privacy Officer
• Office located in Virginia
• Q

• Office for Civil Rights and Civil Liberties
  (CRCL)
• Responsible for advising on civil rights and
  civil liberties policy within DHS
• Responsible for ensuring compliance with civil
  liberties protections of persons affected by DHS
  programs and activities
• Daniel Sutherland, Officer for Civil Rights and
  Civil Liberties
• Offices located in Washington, DC

3
4
In the News Privacy, civil rights, civil
liberties and SLFCs
4
5
How Our Offices Support Fusion Centers

• Privacy Office
• Conducting a Privacy Impact Assessment on Fusion
  Centers
• Available for requests for guidance on privacy
  issues from Fusion Centers and their Federal
  partners

• CRCL
• Has conducted a soon-to-be-released Civil
  Liberties Impact Assessment
• Responds to informal requests for guidance on
  CRCL issues from SLFC and their Federal partners
• CRCL leads domestic Federal government engagement
  with American Arab, Muslim, Sikh communities and
  supports SLFCs in pursuing similar engagement
  activities
• Available to receive and investigate complaints
  related to Fusion Centers from those alleging
  that their civil rights and civil liberties have
  been compromised Q

5
6
How Our Offices Support Fusion Centers

• Both the Privacy Office and CRCL
• Actively participate in the Information Sharing
  Privacy Guidelines Committee and
• Have been tasked by Congress with providing
  training on privacy, civil rights and civil
  liberties to Fusion Center staff

6
7
Goals for Today's Session

• To increase awareness among DHS staff deployed to
  the SLFCs of the
• privacy, civil rights and civil liberties
  protections required by law ,
• the polices and procedures to ensure that
  protection, and
• the resources we can offer to assist SLFC in
  these areas.
• To jointly plan the development of a toolkit
  and future training for all staff at SLFC on
  these issues.
• 
  Q

7
8
8
9
Why Privacy Matters its the Law

• The Privacy Act
• Applies to all Federal Agencies
• Code of Fair Information Practices (FIP)
• Governs personally identifiable information (PII)
• Requires system of records notices (SORNs)
• Civil and criminal penalties for misuse of PII.
• Privacy Impact Assessments mandated for all
  Federal Agencies where new collections OR new
  technologies applied to PII
• E-Government Act of 2002

9
10
Why Privacy Matters Public Support

• Question For the Record
• What checks are in place at fusion centers that
  might help them avoid becoming mini spy
  agencies?
• CRS Report
• Privacy issues a potential risk to the program.

10
11
TSAs Secure Flight Program

• Purpose to prevent known terrorists from
  boarding aircraft or gaining access to
  sterile areas of an airport.
• Privacy issues not addressed AND
• withheld by Congress
• None of the funds provided by this or previous
  appropriations acts may be obligated for
  deployment or implementation of the Secure
  Flight Program, until the Government
  Accountability Office has reported to Congress
  that there are no specific privacy concerns with
  the technological architecture of the system.
  DEPARTMENT OF HOMELAND SECURITY APPROPRIATIONS
  ACT, 2005 - PUBLIC LAW 108334

11
12
A Possible Future We Cannot Allow !!!
None of the funds provided by this or
previous appropriations Acts may be obligated for
personnel deployment to or information sharing
with State and Local Fusion Centers until the
Government Accountability Office has reported to
Congress that the Centers have addressed
privacy. DEPARTMENT OF HOMELAND SECURITY
APPROPRIATIONS ACT, 2009
12
13
or Worse

• Outright Cancellation MATRIX pilot program
  involved information sharing agreement between
  states Privacy concerns eroded public
  confidence.
• Litigation CRS Report without federal
  oversight, litigation is likely to serve as the
  only significant oversight mechanism.

13
14
Personally Identifiable Information(PII)

• Personally identifiable information is
• Q

14
15
PII

• Any information that permits the identity of
  an individual
• to be directly or indirectly
  inferred,
• including any other information which
  is
• linked or
• linkable
• to an individual.
• regardless of whether the individual is a U.S.
  Citizen, Legal Permanent Resident, alien or a
  visitor to the U.S.

16
8 Fair Information Practice Principles (FIPPs)
rooted in the tenets of the Privacy Act

• Transparency
• Purpose Specification
• Use Limitation Data Minimization

Data Quality Accountability
Individual Participation Security Safeguards
16
17
Transparency

• No Secret Systems.
• Notice to the public on the collection, use,
  dissemination, and maintenance of PII.
• DHS satisfies this principle with System of
  Record Notices and Privacy Impact Assessments.
• Published at www.dhs.gov/privacy.

17
18
Purpose Specification

• DHS must specifically articulate
• the authority which permits the collection of PII
  and
• the purpose for which the PII is intended to be
  used.

18
19
Use Limitation

• Use only for the purpose specified in the
  SORN.
• Share outside the Department only for a purpose
  compatible with the purpose for which the PII was
  collected.

19
20
Data Minimization

• Collection DHS should collect PII only if it
  is
• directly relevant and
• necessary to accomplish the stated purpose.
• Retention Dispose of PII following the DHS
  records disposition schedules (as approved by
  NARA).

20
21
Data Quality Integrity

• Data must be
• accurate,
• relevant,
• timely and
• complete
• for each use.

21
22
Individual Participation

• Obligated to involve the individual in the use
  of PII through
• Consent direct collection. Examples
• Mechanism for appropriate access, correction, and
  redress.

22
23
Security

• Protect against
• loss,
• unauthorized access or use,
• destruction, modification, or
• inappropriate or unintended disclosure.

23
24
Accountability and Auditing

• DHS is accountable for complying with the FIPPs.
• Provide training.
• Audit to demonstrate compliance.

24
25
2 questions summarize it all!

• 1 Should this information be collected?
• 2 Should this information be shared?

26
Top 5 Privacy Rules

• 1 Collect and use PII only for IA approved
  purposes.
• 2 Understand which SORN covers the information
  you want to share.
• 3 Share PII only if the SORN authorizes it.
• 4 Minimize the PII when sharing.
• 5 Document with whom and why PII was shared.
• Call Ole Broughton or Tim Bailey if you have a
  question.

26
27
2 questions summarize it all!

• 1 Should this information be collected?
• 2 Should this information be shared?

28
Collection First Ask

• Identify which IA functional responsibilities
  your collection falls under
• Terrorism or Terrorist Related Activity
• NOTE If intelligence information does not fall
  under terrorism or terrorist-related activity,
  must consult with Tim Bailey for guidance before
  undertaking any collection activity.
• 2. Other Threats to the Homeland
• 3. Support to a Component of DHS
• 4. Support to or Activities Directed by the
  Secretary
• 5. Directed by Statute or Presidential Directive

28
29
Collection Then Ask

• Do you anticipate collecting information
  associated with the First Amendment (such as an
  individuals race, religion, speech, and/or the
  groups he/she associates with) in order to draft
  this product? ____Yes ____No
• If YES, is it part of any ongoing authorized law
  enforcement investigation or lawful national
  security intelligence investigation? ____Yes
  ____No
• If NO, the information may NOT be collected.

29
30
2 questions summarize it all!

• 1 Should this information be collected?
• 2 Should this information be shared?
• Q

31
Privacy Checklist for Sharing

• _____1. Ask why specifically the PII is needed.
• _____2. Look at the context of the request.
• ? Is it related to the DHS
  IA mission?
• _____3. Share information only if there is an
  approved Privacy Act routine use.
• _____4. If sharing information directly out of a
  non IA system, identify which
  SORN covers the PII being requested.
• _____5. Check with the Watch at the NOC if
  uncertain.
• _____6. If you are asked for information related
  to a name check, ask the NOC to process the
  request.
• _____7. Document why and with whom the PII is
  shared.

31
32
Sharing Privacy Act authorized sharing for IA
systems

• Generally Applicable
  HSOC Routine Uses (RU)
• Violation of the Law
• If the record, (on its face or in
  conjunction with other info),
• indicates a violation (or potential
  violation) of any law,
• the record may be disclosed to the entity
  charged with investigating, prosecuting and/or
  enforcing such law or contract.

32
33
Sharing Privacy Act authorized sharing for
IA systems

• Generally Applicable HSOC
  Routine Use (RU)
• B. Serves Security Interest
• Record disclosure is OK if it will promote,
  assist, or otherwise serve homeland or national
  security interests
• May be disclosed to
• Federal, State, local, joint or tribal
  agencies
• foreign, international or other public agency
  or organization, or
• to any person or entity in either the public
  or private sector,
  (domestic or foreign)

33
34
Sharing Privacy Act authorized sharing for
IA systems

• If sharing meets either of these routine uses,
• document in the comments section of IA 24
  Hour Log
• ? Name of the agency with which the information
  is being shared.
• ? Justification for sharing the information.
• ? What information was shared.

34
35
Sharing Privacy Act authorized sharing for non
IA systems

• Applicable CBP TECS Routine Use
• If agency is aware of a violation of the law
  (potential, civil or criminal)
• You may disclose pertinent information to
  appropriate Federal, State, local or foreign
  agencies responsible for investigating or
  prosecuting the violations of, or for enforcing
  or implementing, a statute, rule, regulation,
  order, or license.
• Q

35
36
Sharing Privacy Act authorized sharing for non
IA systems

• If sharing meets this routine use,
• Fill out the CBP Form 191 that comes up in TECS
  when you are ready to share information.

36
37
Other Important Reminders

• Safeguard PII
• ? Secure transfer
• ? Extracts and mobile devices pose risks
• ? Hard copies also pose risks
• Report Privacy Incidents to your Program Manager.
• SLFCs must also comply with State privacy laws,
  which may be stricter, and State open access laws.

37
38
When You Have a Privacy Question,

• Contact
• Your IA counsel XXXX
• Your Intelligence Oversight Officer XXXXXXX
• Your Component Privacy Point of Contact XXXX
• The DHS Privacy Office
• Ken Hunt
• Becky Richards
• Toby Levin

38
39
39
40
Summary of CRCL Mission

• Helping DHS respect civil rights and civil
  liberties while we protect the homeland and our
  way of life.
• The Intelligence Reform and Terrorism Prevention
  Act of 2004 added this language to the DHS
  mission (codifying existing DHS policy)
• to ensure that civil rights and civil liberties
  of persons are not diminished by efforts,
  activities and programs aimed at securing the
  homeland.

8
41
Understanding the Terms Civil Rights and Civil
Liberties

• Quick Summary
• Civil rights generally involves affirmative
  government action to protect against infringement
• Civil liberties involves restrictions on
  government to protect individual liberties

41
42
Your Mission and CRCL Issues

• How does the CRCL mission relate to your role?
• Q

42
43
Red Flags 1 What are the primary CRCL concerns
related to the open flow of information?

• Information about activities that are protected,
• such as protest or criticisms of the government,
• boycott of products,
• exercise of religious freedom,
• freedom of assembly, etc.
• Capture of video feeds that are retained and used
  to identify people
• Extending the mission of a particular partner
  agency without assuring proper authorities,
  procedures and protections

43
44
Red Flags 2 What are the primary CRCL concerns
related to the open flow of information?

• Information Sharing can have downstream
  consequences
• Use of materially inaccurate or misleading
  information
• Search and seizure issue (4th Amendment)
• Due process issues (5th and 14th
  Amendment)
• Capture or sharing demographics that could be
  used to target or watch a class of people in a
  community
• Need for redress sufficient?
  Q

44
45
Suspicious Activity Reporting

• This man is the subject of one of your centers
  suspicious activity reports.
• Describe him.

45
46
Red Flags 3What are the primary CRCL concerns
related to the open flow of information?

• Collection/retention of information or
  descriptions of individuals perpetuating or
  relying on racial or ethnic stereotypes
• Requests to vet private sector personnel who are
  involved in critical infrastructure
• Tension between federal and state law and
  practice on what information should be public
  FOIA, Sunshine laws (EPIC and VA Fusion Center)
• Data tracking and criminal record expungement
  Q

46
47
Integrating Civil Liberties _at_ Your SLFC 5 Best
Practices (KATEI)
1. Know your operating statutes and authorities.
2. Adopt a civil rights and civil liberties
policy. 3. Train Fusion Center staff and
partners on privacy, civil rights and civil
liberties standards and best practices. 4.
Encourage engagement with the public, media, and
outside groups to provide a level of
transparency. 5. Identify a coordinator to
address privacy, civil rights and civil liberties
issues.
47
48
Community Engagement Best Practices

• Engage with the public, media, and outside groups
  to provide a level of transparency.
• Common Question Should we engage community
  groups, advocacy groups and others that are
  curious / critical of the fusion centers? Q
• General approach CRCL encourages meeting with
  community and advocacy groups
• SLFC Director determines appropriate level of
  engagement, transparency
• Meetings, some degree of transparency and
  explanation can build bridges
• You dont have to agree with the groups, and
  their criticism may be helpful
• DHS HQ Elements and the Secretary meet with
  similar groups.

48
49
Integrating Civil Liberties Potential SLFC
Engagement Activities

• Q
• Leverage the CRCL Training Awareness Materials
• Develop an Incident Management plan CRCL can
  offer technical assistance
• Hold Community Forums Outreach Through
  Community Media
• Treat Seriously Complaints and Suggestions
  Regarding DHS Activities
• Read the CRCL terminology paper
• Engagement a good practice for working with any
  community of concern

49
50
50