[Federal Register Volume 69, Number 11 (Friday, January 16, 2004)]
[Notices]
[Pages 2608-2615]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-1016]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY


Privacy Impact Assessment and Privacy Policy; US-VISIT Program

AGENCY: Department of Homeland Security.

ACTION: Notice; Privacy Impact Assessment and Privacy Policy.

-----------------------------------------------------------------------

SUMMARY: On January 5, 2004, the Department of Homeland Security 
(Department) promulgated an interim rule implementing the first phase 
of the United States Visitor and Immigrant Status Indicator Technology 
Program (US-VISIT, Increment 1) in accordance with several 
Congressional mandates requiring that the Department create an 
integrated, automated entry exit system that records the arrival and 
departure of aliens and that verifies, through the comparison of 
biometric identifiers, the identities of aliens and the authentication 
of their travel documents. In connection with this program, and in 
accordance with Section 208 of the E-Government Act of 2002, which 
requires federal agencies to conduct a privacy impact assessment (PIA) 
when they use information technology to collect new information, the 
Department of Homeland Security conducted a Privacy Impact Assessment 
of US-VISIT, which was published on January 4, 2004, at http://www.dhs.gov/privacy. Because Section 208 of the E-Government Act of 
2002 requires federal agencies to make PIAs publicly available through 
their Web sites, publication in the Federal Register, or other means, 
attached as appendices to this notice are the Department's Executive 
Summary of the PIA, the PIA, and the Privacy Policy for the US-VISIT 
Program, Increment 1.

ADDRESSES: Written comments about the US-VISIT Program, Increment 1 
Privacy Impact Assessment and Privacy Policy may be submitted to 
Privacy Office, Attn.: US-VISIT PIA, U.S. Department of Homeland 
Security, Washington, DC 20528, fax (202) 298-5201, or email 
[email protected]. If submitting comments by email, please include the 
words ``US-VISIT PIA'' in the subject line.

FOR FURTHER INFORMATION CONTACT: Steve Yonkers, Privacy Officer, US-
VISIT, Border and Transportation Security, U.S. Department of Homeland 
Security, Washington, DC 20528, telephone (202) 298-5200, fax (202) 
298-5201.

SUPPLEMENTARY INFORMATION:


[[Page 2609]]


    Note: The following appendices will not appear in the Code of 
Federal Regulations.

Appendix A--US-VISIT Program, Increment 1 Privacy Impact Assessment 
Executive Summary
Appendix B--US-VISIT Program, Increment 1 Privacy Impact Assessment
Appendix C--US-VISIT Program Privacy Policy

    Dated: January 12, 2004.
Nuala O'Connor Kelly,
Chief Privacy Officer.

US-VISIT Program, Increment 1

Privacy Impact Assessment

Executive Summary

December 18, 2003

    Contact Point: Steve Yonkers, US-VISIT Privacy Officer, 
Department of Homeland Security, (202) 298-5200.
    Reviewing Official: Nuala O'Connor Kelly, Chief Privacy Officer, 
Department of Homeland Security, (202) 772-9848.

US-VISIT Program, Increment 1

Privacy Impact Assessment

Executive Summary

Overview

    US-VISIT, the United States Visitor and Immigrant Status 
Indicator Technology, is a legislatively-mandated DHS program that 
is designed to:
    [sbull] Enhance the security of American citizens, permanent 
residents, and visitors.
    [sbull] Expedite legitimate travel and trade.
    [sbull] Ensure the integrity of the immigration system.
    [sbull] Safeguard the personal privacy of visitors.
    When fully implemented, US-VISIT will provide a dynamic, 
interoperable system involving numerous stakeholders across the 
government. Increment 1, as the name suggests, is the first step in 
the implementation process. Increment 1 proposes to integrate and 
modify the capabilities of several information systems in order to 
accomplish the mission of US-VISIT.
    This Privacy Impact Assessment (PIA) focuses on Increment 1 of 
this entry exit system.

What Information Is Collected

    The US-VISIT program will collect and retain biographic, travel, 
and biometric information (i.e., photograph and fingerprints) 
pertaining to visitors.
    Individuals covered by Increment 1 (``covered individuals'') are 
nonimmigrant visa holders traveling through air and sea ports.\1\ 
The DHS regulations and related Federal Register notice for US-VISIT 
Increment 1 will fully detail coverage of the program.
---------------------------------------------------------------------------

    \1\ Nonimmigrant visa entrants comprise a small percentage of 
the 330 million non-citizens admitted annually through ports of 
entry. Establishing US-VISIT incrementally with this population will 
allow DHS to test implementation of the system and to make revisions 
as needed for future increments.
---------------------------------------------------------------------------

Why the Information Is Being Collected and Intended Use of the 
Information

    In accordance with Congressional mandates for an entry exit 
system, information is collected from and used to verify the 
identity of covered individuals who enter or leave the United 
States. This enables U.S. authorities to enhance the security of the 
United States by more effectively identifying covered individuals 
who are:
    [sbull] Known to pose a threat or are suspected of posing a 
threat to the security of the United States;
    [sbull] Known to have violated the terms of their admission to 
the United States; or
    [sbull] Wanted for commission of a criminal act in the United 
States or elsewhere.

Information Access and Sharing

    Information collected and retained by US-VISIT will be accessed 
by employees of DHS components--Customs and Border Protection, 
Immigration and Customs Enforcement, Citizenship and Immigration 
Services, and the Transportation Security Administration--and by 
consular officers of the Department of State. Strict security 
controls will be put in place to ensure that only those personnel 
with a need for the information in the performance of their official 
duties will be able to access information in the system.
    If necessary, the information that is collected will be shared 
with other law enforcement agencies at the federal, state, local, 
foreign, or tribal level, who are lawfully engaged in collecting law 
enforcement intelligence information and who need access to the 
information in order to carry out their law enforcement duties.

Consent Mechanisms

    The admission into the United States of an individual subject to 
US-VISIT requirements will be contingent upon submission of the 
information required by US-VISIT, including biometric identifiers. A 
covered individual who declines to provide biometrics is 
inadmissible to the United States, unless a discretionary waiver is 
granted under section 212(d)(3) of the Immigration and Nationality 
Act. Such an individual may withdraw his or her application for 
admission, or be subject to removal proceedings.

Security

    Information accessible to US-VISIT will be protected through 
multi-layer security mechanisms that are physical, technical, 
administrative and environmental and that are in compliance with the 
DHS IT Security Program Handbook and DHS Baseline Security 
Requirements for Automated Information Systems. These security 
mechanisms provide access control to sensitive data, physical access 
control to DHS facilities, confidentiality of communications, 
authentication of sending parties, and careful screening to ensure 
that all personnel with access to data are screened through 
background investigations commensurate with the level of access 
required to perform their duties.

System of Records

    A system of records notice (SORN)--normally required under the 
Privacy Act--is not necessary for US-VISIT because no new system is 
being developed for Increment 1. However, the ADIS and IDENT SORNs 
have been revised to reflect US-VISIT usage.
    Although US-VISIT derives its capability from the integration 
and modification of existing systems, it nevertheless represents a 
new business process that involves new uses of existing data and the 
collection of new data items. As a result, there is a potential for 
new privacy risks, which are addressed in the PIA.

Privacy Controls

    US-VISIT collects, integrates, and shares personal information 
of covered individuals. Covered individuals must consent to the 
collection, use, and disclosure of this personal information if they 
wish to enter or leave the U.S.
    To address the privacy concerns associated with the program, US-
VISIT will implement comprehensive privacy controls, which will be 
modified and updated as the system is revised and expanded. These 
controls consist of:
    [sbull] Public education through transparency of the program, 
including development and publication of a Privacy Policy that will 
be disseminated prior to the time information is collected from 
potential visitors;\2\
---------------------------------------------------------------------------

    \2\ A copy of the Privacy Policy is appended to the full report.
---------------------------------------------------------------------------

    [sbull] Establishment of privacy sensitivity awareness programs 
for US-VISIT operators\3\;
---------------------------------------------------------------------------

    \3\ The legacy systems on which Increment 1 is built included 
privacy sensitivity training requirements. This training will be 
made mandatory for US-VISIT operators.
---------------------------------------------------------------------------

    [sbull] Establishment of a Privacy Officer for US-VISIT and 
implementation of an accountability program for those responsible 
for compliance with the US-VISIT Privacy Policy;
    [sbull] Periodic strategic reviews of US-VISIT data to ascertain 
that the collection is limited to that which is necessary for US-
VISIT stated purposes;
    [sbull] Usage agreements between US-VISIT and other agencies 
authorized to have access to US-VISIT data;
    [sbull] To the extent permitted by law, regulations, or policy, 
establishment of opportunity for covered individuals to have access 
to their information and/or allow them to challenge its 
completeness;
    [sbull] Maintenance of security safeguards (physical, electronic 
and procedural) consistent with federal law and policy to limit 
access to personal information only to those with appropriate 
rights, and to protect information from unauthorized disclosure, 
modification, misuse, and disposal, whether intentional or 
unintentional; and
    [sbull] Establishment of administrative controls to prevent 
improper actions due to data inconsistencies from multiple 
information sources.

Contact Point and Reviewing Official

    Contact Point: Steve Yonkers, US-VISIT Privacy Officer, (202) 
298-5200.

[[Page 2610]]

    Reviewing Official: Nuala O'Connor Kelly, Chief Privacy Officer, 
DHS, (202) 772-9848.

Comments

    We welcome your comments on this privacy impact assessment. 
Please write to: Privacy Office, Attn.: US-VISIT PIA, U.S. 
Department Of Homeland Security, Washington, DC 20528, or email 
[email protected]. Please include US-VISIT PIA in the subject line of 
the email.

US-VISIT Program, Increment 1

Privacy Impact Assessment

December 18, 2003

    Contact Point: Steve Yonkers, US-VISIT Privacy Officer, 
Department of Homeland Security, (202) 298-5200.
    Reviewing Official: Nuala O'Connor Kelly, Chief Privacy Officer, 
Department of Homeland Security, (202) 772-9848.

US-VISIT Program, Increment 1

Privacy Impact Assessment

1. Introduction

    Congress has directed the Executive Branch to establish an 
integrated entry and exit data system to accomplish the following 
goals\1\:
---------------------------------------------------------------------------

    \1\ Congress enacted several statutory provisions concerning an 
entry exit program, including provisions in: The Immigration and 
Naturalization Service Data Management Improvement Act of 2000 
(DMIA) Public Law 106-215; The Visa Waiver Permanent Program Act of 
2000 (VWPPA); Public Law 106-396; The U.S.A. PATRIOT Act, Public Law 
107-56; and The Enhanced Border Security and Visa Entry Reform Act 
(``Border Security Act''), Public Law 107-173.
---------------------------------------------------------------------------

    1. Record the entry into and exit out of the United States of 
covered individuals;
    2. Verify the identity of covered individuals; and
    3. Confirm compliance by visitors with the terms of their 
admission into the United States.
    The Department of Homeland Security (DHS) proposes to comply 
with this congressional mandate by establishing the United States 
Visitor and Immigration Status Indicator Technology (US-VISIT) 
program. The first phase of US-VISIT, referred to as Increment 1, 
will capture entry and exit information about non-immigrant visitors 
whose records are not subject to the Privacy Act. Rather than 
establishing a new information system, DHS will integrate and 
enhance the capabilities of existing systems to capture this data. 
In an effort to make the program transparent, as well as to address 
any privacy concerns that may arise as a result of the program, 
DHS's Chief Privacy Officer has directed that this PIA be performed 
in accordance with the guidance issued by OMB on September 26, 2003. 
As US-VISIT is further developed and deployed, this PIA will be 
updated to reflect future increments.

2. System Overview

[sbull] What Information Is To Be Collected

    Individuals subject to the data collection requirements and 
processes of Increment 1 of the US-VISIT program (``covered 
individuals'') are nonimmigrant visa holders traveling through air 
and sea ports. The DHS regulations and related Federal Register 
notice for US-VISIT Increment 1 will fully detail coverage of the 
program.
    The information to be collected from these individuals includes 
complete name, date of birth, gender, country of citizenship, 
passport number and country of issuance, country of residence, 
travel document type (e.g., visa), number, date and country of 
issuance, complete U.S. address, arrival and departure information, 
and for the first time, a photograph, and fingerprints. US-VISIT 
will capture and store this information from existing systems that 
already record it or are being modified to allow for its collection.

[sbull] Why the Information is Being Collected

    In numerous statutes, Congress has indicated that an entry exit 
program must be put in place to verify the identity of covered 
individuals who enter or leave the United States. In keeping with 
this expression of congressional intent and in furtherance of the 
mission of the Department of Homeland Security, the purposes of US-
VISIT are to identify individuals who may pose a threat to the 
security of the United States, who may have violated the terms of 
their admission to the United States, or who may be wanted for the 
commission of a crime in the U.S. or elsewhere, while at the same 
time facilitating legitimate travel.

[sbull] What Opportunities Individuals Will Have To Decline To 
Provide Information or To Consent to Particular Uses of the 
Information and How Individuals Grant Consent

    The admission into the United States of an individual subject to 
US-VISIT requirements will be contingent upon submission of the 
information required by US-VISIT, including biometric identifiers. A 
covered individual who declines to provide biometrics is 
inadmissible to the United States, unless a discretionary waiver is 
granted under section 212(d)(3) of the Immigration and Nationality 
Act. Such an individual may withdraw his or her application for 
admission, or be subject to removal proceedings. US-VISIT has its 
own privacy officer, however, to ensure that the privacy of all 
visitors is respected and to respond to individual concerns which 
may be raised about the collection of the required information. 
Further, the DHS Chief Privacy Officer will exercise comprehensive 
oversight of all phases of the program to ensure that privacy 
concerns are respected throughout implementation. The DHS Chief 
Privacy Officer will also serve as the review authority for all 
individual complaints and concerns about the program.

3. Increment 1 System Architecture

    US-VISIT Increment 1 will accomplish its goals primarily through 
the integration and modification of the capabilities of three 
existing systems:
    1. The Arrival and Departure Information System (ADIS).
    2. The Passenger Processing Component of the Treasury 
Enforcement Communications System (TECS)\2\
---------------------------------------------------------------------------

    \2\ As indicated in the US-VISIT Increment 1 Functional 
Requirements Document (FRD), the Passenger Processing Component of 
TECS consists of two systems, where ``system'' is used in the sense 
of the E-Government Act, title 44, Chapter 35, section 3502 of U.S. 
Code; i.e., ``a discrete set of information resources organized for 
the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of information.'' The two systems, and 
the process relevant to US-VISIT Increment 1 that they support, are 
(1) Interagency Border Inspection System (IBIS), supporting the 
lookout process and providing interfaces with the Interpol and 
National Crime Information Center (NCIC) databases; and (2) Advance 
Passenger Information System (APIS), supporting the entry process by 
receiving airline passenger manifest information.
---------------------------------------------------------------------------

    3. Automated Biometric Identification System (IDENT).
    US-VISIT Increment 1 will also involve modification and 
extension of client software on Port of Entry (POE) workstations and 
the development of departure kiosks.
    The changes to these systems include:
    1. Modifications of TECS to give immigration inspectors the 
ability to display non-immigrant-visa (NIV) data.
    2. Modifications to the ADIS database to accommodate additional 
data fields, to interface with other systems, and to generate 
various types of reports based on the stored data.
    3. Modifications to the IDENT database to capture biometrics at 
the primary port of entry (POE) and to facilitate identity 
verification.
     4. Establishment of interfaces to facilitate the transfer of 
biometric information from IDENT to ADIS and from ADIS to TECS.
    5. Establishment of other interfaces to facilitate transfer of 
changes in the status of individuals from two other data bases--the 
Student and Exchange Visitor Information System (SEVIS) and the 
Computer Linked Application Information Management System (CLAIMS 3) 
to ADIS.

BILLING CODE 4410-10-P

[[Page 2611]]

[GRAPHIC] [TIFF OMITTED] TN16JA04.000

BILLING CODE 4410-10-C

[sbull] Intended Use of the Information

    DHS intends to use the information collected and maintained by 
US-VISIT Increment 1 to carry out its national security, law 
enforcement, immigration control, and other functions. Through the 
enhancement and integration of existing database systems, DHS will 
be able to ensure the entry of legitimate visitors, identify, 
investigate, apprehend and/or remove aliens unlawfully entering or 
present in the United States beyond the lawful limitations of their 
visit, and prevent the entry of inadmissible aliens. US-VISIT thus 
will enable DHS to protect U.S. borders and national security by 
maintaining improved immigration control.

[[Page 2612]]

US-VISIT will also help prevent aliens from obtaining benefits to 
which they are not entitled.

4. Maintenance and Administrative Controls on Access to the Data

[sbull] With Whom the Information Will Be Shared

    The personal information collected and maintained by US-VISIT 
Increment 1 will be accessed principally by employees of DHS 
components--Customs and Border Protection, Immigration and Customs 
Enforcement, Citizenship and Immigration Services, and the 
Transportation Security Administration--and by consular officers of 
the Department of State. Additionally, the information may be shared 
with other law enforcement agencies at the federal, state, local, 
foreign, or tribal level, who, in accordance with their 
responsibilities, are lawfully engaged in collecting law enforcement 
intelligence information (whether civil or criminal) and/or 
investigating, prosecuting, enforcing, or implementing civil and/or 
criminal laws, related rules, regulations, or orders. The system of 
records notices for the existing systems on which US-VISIT draws 
provide notice as to the conditions of disclosure and routine uses 
for the information collected by US-VISIT, provided that any 
disclosure is compatible with the purpose for which the information 
was collected.
    US-VISIT transactions will have a unique identifier to 
differentiate them from other IDENT transactions. This will allow 
for improved oversight and audit capabilities to ensure that the 
data are being handled consistent with all applicable federal laws 
and regulations regarding privacy and data integrity.

[sbull] How the Information Will Be Secured

    The US-VISIT program will secure information and the systems on 
which that information resides, by complying with the requirements 
of the DHS IT Security Program Handbook. This handbook establishes a 
comprehensive program, consistent with federal law and policy, to 
provide complete information security, including directives on roles 
and responsibilities, management policies, operational policies, and 
application rules, which will be applied to component systems, 
communications between component systems, and at interfaces between 
component systems and external systems.
    One aspect of the DHS comprehensive program to provide 
information security involves the establishment of rules of behavior 
for each major application, including US-VISIT. These rules of 
behavior require users to be adequately trained regarding the 
security of their systems. These rules also require a periodic 
assessment of technical, administrative and managerial controls to 
enhance data integrity and accountability. System users must sign 
statements acknowledging that they have been trained and understand 
the security aspects of their systems. In addition, the rules of 
behavior already in effect for each of the component systems on 
which US-VISIT draws will be applied to the program, adding an 
additional layer of security protection.
    The table below provides detail on the various measures employed 
to address potential security threats to US-VISIT Increment 1.

                                Security Threats and Mitigation Methods Detailed
----------------------------------------------------------------------------------------------------------------
                                       Architectural
         Nature of threat                placement            Safeguard                    Mechanism
----------------------------------------------------------------------------------------------------------------
Intentional physical threats from  ADIS................  Physical protection  The ADIS database and application
 unauthorized external entities.                                               is maintained at a Department of
                                                                               Justice Data Center. Physical
                                                                               controls of that facility (e.g.,
                                                                               guards, locks) apply and prevent
                                                                               entree by unauthorized entities.
Intentional physical threats from  Passenger Processing  Physical protection  The Passenger Processing Component
 unauthorized external entities.    Component of TECS.                         of TECS is maintained on a
                                                                               mainframe by CBP. Physical
                                                                               controls of the TECS facility
                                                                               (e.g., guards, locks) apply and
                                                                               prevent entree by unauthorized
                                                                               entities.
Intentional physical threats from  IDENT...............  Physical protection  IDENT is maintained on an IBM
 external enemies.                                                             cluster. Physical controls of the
                                                                               facility (e.g., guards, locks)
                                                                               apply and prevent entree by
                                                                               unauthorized entities.
Intentional physical threats from  POE Workstation.....  Physical protection  Physical controls will be specific
 external entities.                                                            to each POE.
Intentional and unintentional      System-wide.........  Technical            User identifier and password,
 electronic threats from                                  protection:          managed by the Password Issuance
 authorized (internal and                                 Identification and   Control System (PICS).
 external) entities.                                      authentication
                                                          (I&A).
----------------------------------------------------------------------------------------------------------------

5. Information Life Cycle and Privacy Impacts

    The following analysis is structured according to the 
information life cycle. For each life-cycle stage--collection, use 
and disclosure, processing, and retention and destruction--key 
issues are assessed, privacy risks identified, and mitigation 
measures discussed. Risks are related to fair information 
principles--notice/awareness, choice/consent, access/participation, 
integrity/security, and enforcement/redress--that form the basis of 
many statutes and codes.

[sbull] Collection

    US-VISIT Increment 1 collects only the personal information 
necessary for its purposes. While Increment 1 does not constitute a 
new system of records, it does expand the types of data held in its 
component systems to include biometric identifiers. By definition 
this creates a general privacy risk. This risk is mitigated, 
however, by establishment of a privacy policy supported and enforced 
by a comprehensive privacy program. This program includes a separate 
Privacy Officer for US-VISIT, mandatory privacy training for system 
operators, and appropriate safeguards for data handling.

[sbull] Use and Disclosure

    The IDENT and TECS systems collect data that are used for 
purposes other than US-VISIT. As a result, data collected for US-
VISIT through these systems may become available for another 
functionality embodied in these component systems. This presents a 
potential notice risk: will the data be used for a purpose 
consistent with US-VISIT? This risk is mitigated in several ways. 
First, US-VISIT isolates US-VISIT data from non US-VISIT data on 
component systems, and users will be subject to specific privacy and 
security training for this data. Second, the IDENT and TECS systems 
already have their own published SORNS, which explain the uses to 
which the data they collect will be put, for US-VISIT as well as 
non-US-VISIT purposes. This, too, mitigates the notice risk. Third, 
Memoranda of Understanding and of Agreement are being negotiated 
with third parties (including other agencies) that will address 
protection and use of US-VISIT data, again to mitigate this notice 
risk.

[sbull] Processing

    Data exchange, which will take place over an encrypted network 
between US-VISIT Increment 1 component systems and/or applications 
is limited, and confined only to those that are functionally 
necessary. Although much of the personal information going into ADIS 
from SEVIS and CLAIMS 3 is duplicative of data entering ADIS from 
TECS, this duplication is to ensure that changes in status received 
from SEVIS or CLAIMS 3 are associated with the correct

[[Page 2613]]

individual, even in cases of data element mismatches (i.e., 
differing values for the same data element received from different 
sources). This mitigates the data integrity risk. A failure to match 
generates an exception report that prompts action to resolve the 
issue. This also mitigates integrity risk by guarding against 
incorrect enforcement actions resulting from lost immigration status 
changes. (The data flows from SEVIS and CLAIMS 3 principally support 
changes in status.)
    On the other hand, if a match is made, but there are some data 
element mismatches, no report is generated identifying the relevant 
records and data elements (one or more of which must have inaccurate 
or improper values) and no corrective action is taken. This is due 
to the resources that would be required to investigate all such 
events. This integrity risk again creates a possibility of incorrect 
enforcement actions if the match was made in error as a result of 
the data element mismatches. However, this aspect of the integrity 
risk is mitigated by subjecting all status changes that would result 
in enforcement actions to manual analysis and verification. A 
quality assurance process will also be used to identify any problem 
trends in the matching process.

[sbull] Retention and Destruction

    The policies of individual component systems, as stated in their 
SORNs, govern the retention of personal information collected by US-
VISIT. Because the component systems were created at different times 
for different purposes, there are inconsistencies across the SORNs 
with respect to data retention policies. There is also some 
duplication in the types of data collected by each system. These 
inconsistencies and duplication result in some heightened degree of 
risk with respect to integrity/security of the data, and to access 
and redress principles, because personal information could persist 
on one or more component systems beyond its period of use or 
disappear from one or more component systems while still in use. 
These risks are mitigated, however, by having a Privacy Officer for 
US-VISIT to handle specific issues that may arise, by providing 
review of the Privacy Officer's decision by the DHS Chief Privacy 
Officer, and, to the extent permitted by existing law, regulations, 
and policy, by allowing covered individuals access to their 
information and permitting them to challenge its completeness. 
Additionally, as an overarching mechanism to ensure appropriate 
privacy protections, US-VISIT operators will conduct periodic 
strategic reviews of the data to ensure that what is collected is 
limited to that which is necessary for US-VISIT purposes,
    US-VISIT Increment 1 will store fingerprint images, both in the 
IDENT database and transiently on the some POE workstations and 
departure kiosks. These images are, of course, sensitive, and their 
storage could present a security as well as a privacy risk. Because 
retention of fingerprint images is functionally necessary so that 
manual comparison of fingerprints can be performed to verify 
biometric watch list matches, appropriate mitigation strategies will 
be utilized, including encryption on the departure kiosks and 
physical and logical access controls on the POE workstations and on 
the IDENT system.
    The chart below shows, in tabular form, the privacy risks 
associated with US-VISIT, Increment One, and the mitigation efforts 
that will address these risks.

                                 Privacy Threats and Mitigation Methods Detailed
----------------------------------------------------------------------------------------------------------------
                                                                          Type of measures to counter/mitigate
       Type of threat                   Description of threat                            threat
----------------------------------------------------------------------------------------------------------------
Unintentional threats from    Unintentional threats include flaws in    These threats are addressed by (a)
 insiders \3\.                 privacy policy definitiion; mistakes in   developing a privacy policy consistent
                               information system design, development,   with Fair Information Practices, laws,
                               integration, configuration, and           regulations, and OMB guidance; (b)
                               operation; and errors made by             defining appropriate functional and
                               custodians (i.e., personnel of            interface requirements; developing,
                               organizations with custody of the         integrating, and configuring the system
                               information). These threats can be        in accordance with those requirements
                               physical (e.g., leaving documents in      and best security practices; and
                               plain view) or electronic in nature.      testing and validating the system
                               These threats can result in insiders      against those requirements; and (c)
                               being granted access to information for   providing clear operating instructions
                               which they are not authorized or non      and training to users and system
                               consistent with their responsibilities.   administrators.
Intentional threat from       Threat actions can be characterized as    These threats are addressed by a
 insiders.                     improper use of authorized capabilities   combination of technical safeguards
                               (e.g., browsing, removing information     (e.g., access control, auditing, and
                               from trash) and circumvention of          anomaly detection) and administrative
                               controls to take unauthorized actions     safeguards (e.g., procedures,
                               (e.g., removing data from a workstation   training).
                               that has been not been shut off).
Intentional and               Intentional: Threat actions can be        These threats are addressed by technical
 unintentional threats from    characterized as improper use of          safeguards (in particular, boundary
 authorized external           authorized capabilities (e.g., misuse     controls such as firewalls) and
 entities \4\.                 of information provided by US-VISIT)      administrative safeguards in the form
                               and circumvention of controls to take     of routine use agreements which require
                               unauthorized actions (e.g.,               external entities (a) to conform with
                               unauthorized access to systems)..         the rules of behavior and (b) to
                              Unintentional: Flaws in privacy policy     provide safeguards consistent with, or
                               definition; mistakes in information       more stringent than, those of the
                               system design, development,               system or program.
                               integration, configuration, and
                               operation; and errors made by
                               custodians.
Intentional threats from      Threat actions can be characterized by    These threats are addressed by physical
 external unauthorized         mechanism: physical attack (e.g., theft   safeguards, boundary controls at
 entities.                     of equipment), electronic attack (e.g.,   external interfaces, technical
                               hacking, interception of                  safeguards (e.g., identification and
                               commuications), and personnel attack      authentication, encrypted
                               (e.g., social engineering)..              communications), and clear operating
                                                                         instructions and training for users and
                                                                         system administrators.
----------------------------------------------------------------------------------------------------------------
\3\ Here, the term ``insider'' is intended to include individuals acting under the authority of the system owner
  or program manager. These include users, system administrators, maintenance personnel, and others authorized
  for physical access to system components.
\4\ These include individuals and systems which are not under the authority of the system owner or program
  manager, but are authorized to receive information from, provide information to, or interface electronically
  with the system.

6. Summary and Conclusions

    Legislation both before and after the events of September 11, 
2001 led to the development of the US-VISIT Program. The program is 
based on Congressional concerns with visa overstays, the number of 
illegal foreign nationals in the country, and overall border 
security issues. Requirements for the program, including the 
implementation of an integrated and interoperable border and 
immigration management system, are embedded in various provisions of 
The Immigration and Naturalization Service Data Management 
Improvement Act of 2000 (DMIA) Pub. L. 106-215; The Visa Waiver 
Permanent Program Act of 2000 (VWPPA); Pub. L. 106-396; The U.S.A. 
PATRIOT Act, Pub. L. 107-56; and The Enhanced Border

[[Page 2614]]

Security and Visa Entry Reform Act (``Border Security Act''), Pub. 
L. 107-173. As a result, many of the characteristics of US-VISIT 
were pre-determined. These characteristics include:
    [sbull] Use of a National Institute of Standards and Technology 
(NIST) biometric standard for identifying foreign nationals;
    [sbull] Use of biometric identifiers in travel and entry 
documents issued to foreign nationals, including the ability to read 
such documents at U.S. ports of entry;
    [sbull] Integration of arrival/departure data on foreign 
nationals, including commercial carrier passenger manifests; and
    [sbull] Integration with other law enforcement and security 
systems.
    These and other requirements substantially constrained the high-
level design choices available to the US-VISIT Program. A major 
choice for the program concerned whether to develop an entirely or 
largely new system or to build upon existing systems. Given the 
legislatively imposed deadline of December 31, 2003 for establishing 
an initial operating capability, along with the various integration 
requirements, the program opted to leverage existing systems--IDENT, 
ADIS, and the Passenger Processing Component of TECS.
    As a result of this choice for Increment 1, DHS has determined 
that a new information system would not be created. Nevertheless, in 
order to effectively and accurately assess the privacy risks of US-
VISIT, and because the program represents a new business process, 
this Privacy Impact Assessment was performed. In the process of 
conducting this PIA, DHS identified the need to (1) update the SORNs 
of the ADIS and IDENT systems to accurately reflect US-VISIT 
requirements and usage, which has been accomplished, and (2) examine 
the privacy and security aspects of the existing SORNs and implement 
any additional necessary strategies to ensure the privacy and 
security of US-VISIT data.
    Based on this analysis, it can be concluded that:
    [sbull] Most of the high-level design choices for US-VISIT 
Increment 1 were statutorily pre-determined;
    [sbull] US-VISIT Increment 1 creates a pool of individuals whose 
personal information is at risk; but
    [sbull] US-VISIT Increment 1 mitigates specific privacy risks; 
and
    [sbull] US-VISIT, through its own Privacy Officer and in 
collaboration with the DHS Chief Privacy Officer, will continue to 
track, assess, and address privacy issues throughout the life of the 
US-VISIT program and update this PIA to reflect additional 
increments of the program.

Contact Point and Reviewing Official

    Contact Point: Steve Yonkers, US-VISIT Privacy Officer, (202) 
298-5200.
    Reviewing Official: Nuala O'Connor Kelly, Chief Privacy Officer, 
DHS, (202) 772-9848.

Comments

    We welcome your comments on this privacy impact assessment. 
Please write to: Privacy Office, Attn.: US-VISIT PIA, U.S. 
Department Of Homeland Security, Washington, DC 20528, or email 
[email protected]. Please include US-VISIT PIA in the subject line of 
the email.

US-VISIT Program

Privacy Policy

November 2003

What Is the Purpose of the US-VISIT Program?

    The United States Visitor Immigrant Status Indicator Technology 
(US-VISIT) is a United States Department of Homeland Security (DHS) 
program that enhances the country's entry and exit system. It 
enables the United States to record the entry into and exit out of 
the United States of foreign nationals requiring a visa to travel to 
the U.S., creates a secure travel record, and confirms their 
compliance with the terms of their admission.
    The US-VISIT program's goals are to:
    a. Enhance the security of American citizens, permanent 
residents, and visitors.
    b. Facilitate legitimate travel and trade.
    c. Ensure the integrity of the immigration system.
    d. Safeguard the personal privacy of visitors.
    The US-VISIT initiative involves collecting biographic and 
travel information and biometric identifiers (fingerprints and a 
digital photograph) from covered individuals to assist border 
officers in making admissibility decisions. The identity of covered 
individuals will be verified upon their arrival and departure.

Who Is Affected by the Program?

    Individuals subject to the requirements and processes of the US-
VISIT program (``covered individuals'') are those who are not U.S. 
citizens at the time of entry or exit or are U.S. citizens who have 
not identified themselves as such at the time of entry or exit. Non-
U.S. citizens who later become U.S. citizens will no longer be 
covered by US-VISIT, but the information about them collected by US-
VISIT while they were non-citizens will be retained, as will 
information collected about citizens who did not identify themselves 
as such.

What Information Is Collected?

    The US-VISIT program collects biographic, travel, travel 
document, and biometric information (photographs and fingerprints) 
pertaining to covered individuals. No personally identifiable 
information is collected other than that which is necessary and 
relevant for the purposes of the US-VISIT program.

How Is the Information Used?

    The information that US-VISIT collects is used to verify the 
identity of covered individuals when entering or leaving the U.S. 
This enables U.S. authorities to more effectively identify covered 
individuals that:
    [sbull] Are known to pose a threat or are suspected of posing a 
threat to the security of the United States;
    [sbull] Have violated the terms of their admission to the United 
States; or
    [sbull] Are wanted for commission of a criminal act in the 
United States or elsewhere.
    Personal information collected by US-VISIT will be used only for 
the purposes for which it was collected, unless other uses are 
specifically authorized or mandated by law.

Who Will Have Access to the Information?

    Personal information collected by US-VISIT will be principally 
accessed by Customs and Border Protection, Immigration and Customs 
Enforcement, Citizenship and Immigration Services, and 
Transportation Security Officers of the Department of Homeland 
Security and Consular Officers of the Department of State. Others to 
whom this information may be made available include appropriate 
federal, state, local, or foreign government agencies when needed by 
these organizations to carry out their law enforcement 
responsibilities.

How Will the Information Be Protected?

    Personal information will be kept secure and confidential and 
will not be discussed with, nor disclosed to, any person within or 
outside the US-VISIT program other than as authorized by law and in 
the performance of official duties. Careful safeguards, including 
appropriate security controls, will ensure that the data is not used 
or accessed improperly. In addition, the DHS Chief Privacy Officer 
will review pertinent aspects of the program to ensure that proper 
safeguards are in place. Roles and responsibilities of DHS 
employees, system owners and managers, and third parties who manage 
or access information in the US-VISIT program include:

1. DHS Employees

    As users of US-VISIT systems and records, DHS employees shall:
    [sbull] Access records containing personal information only when 
the information is needed to carry out their official duties.
    [sbull] Disclose personal information only for legitimate 
business purposes and in accordance with applicable laws, 
regulations, and US-VISIT policies and procedures.

2. US-VISIT System Owners/Managers

    System Owners/Managers shall:
    [sbull] Follow applicable laws, regulations, and US-VISIT 
program and DHS policies and procedures in the development, 
implementation, and operation of information systems under their 
control.
    [sbull] Conduct a risk assessment to identify privacy risks and 
determine the appropriate security controls to protect against the 
risk.
    [sbull] Ensure that only personal information that is necessary 
and relevant for legally mandated or authorized purposes is 
collected.
    [sbull] Ensure that all business processes that contain personal 
information have an approved Privacy Impact Assessment. Privacy 
Impact Assessments will meet appropriate OMB and DHS guidance and 
will be updated as the system progresses through its development 
stages.
    [sbull] Ensure that all personal information is protected and 
disposed of in accordance with applicable laws, regulations, and US-
VISIT program and DHS policies and procedures.
    [sbull] Use personal information collected only for the purposes 
for which it was collected, unless other purposes are explicitly 
mandated or authorized by law.
    [sbull] Establish and maintain appropriate administrative, 
technical, and physical security safeguards to protect personal 
information.

[[Page 2615]]

3. Third Parties

    Third parties shall:
    [sbull] Follow the same privacy protection guidance as DHS 
employees.

How Long Is Information Retained?

    Personal information collected by US-VISIT will be retained and 
destroyed in accordance with applicable legal and regulatory 
requirements.

Who To Contact for More Information About the US-VISIT Program

    Individuals whose personal information is collected and used by 
the US-VISIT program may, to the extent permitted by law, examine 
their information and request correction of inaccuracies. 
Individuals who believe US-VISIT holds inaccurate information about 
them, or who have questions or concerns relating to personal 
information and US-VISIT, should contact the Privacy Officer, US-
VISIT Program, Department of Homeland Security, Washington, DC 
20528. Further information on the US-VISIT program is also available 
at http://www.dhs.gov/us-visit.

[FR Doc. 04-1016 Filed 1-15-04; 8:45 am]
BILLING CODE 4410-10-P