[Federal Register Volume 69, Number 185 (Friday, September 24, 2004)]
[Notices]
[Pages 57352-57355]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-21477]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

[Docket No. TSA-2004-19160]


Privacy Impact Assessment; Secure Flight Test Phase

AGENCY: Transportation Security Administration (TSA), Department of 
Homeland Security (DHS).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This notice sets forth the Transportation Security 
Administration's (TSA) Privacy Impact Assessment (PIA) prepared for the 
testing phase of the Secure Flight program. After a lengthy review of 
the initial plans for a successor system to Computer Assisted Passenger 
Prescreening System (CAPPS), and consistent with a recommendation of 
the National Commission on Terrorist Attacks upon the United States (9/
11 Commission), the Department of Homeland Security is moving forward 
with a next generation system of domestic passenger prescreening, 
called ``Secure Flight'', which will prescreen airline passengers using 
information maintained by the Federal Government about individuals 
known or suspected to be engaged in terrorist activity and certain 
other information related to passengers' itineraries-specifically, 
passenger name record (PNR) data. On a limited basis, TSA will also 
test the use of commercial data to identify instances in which 
passengers' identifying passenger information is inaccurate or 
incorrect.
    Elsewhere in this edition of the Federal Register, TSA is 
publishing

[[Page 57353]]

notice of a new system of records under the Privacy Act, known as 
``Secure Flight Test Records,'' which TSA will use for records related 
to the testing of the program. Also in this edition of the Federal 
Register, TSA is publishing a notice announcing its request for 
approval by the Office of Management and Budget of TSA's collection of 
a limited set of historical PNR from domestic airlines for purposes of 
testing the Secure Flight program.

DATES: This notice is effective September 24, 2004.

FOR FURTHER INFORMATION CONTACT: Lisa S. Dean, Privacy Officer, (TSA-9) 
Transportation Security Administration, Arlington, VA 22202; Nuala 
O'Connor Kelly, Chief Privacy Officer, U.S. Department of Homeland 
Security, Washington, DC 20528.

SUPPLEMENTARY INFORMATION:

Availability of Notice

    You can get an electronic copy using the Internet by--
    (1) Searching the Department of Transportation's electronic Docket 
Management System (DMS) Web page (http://dms.dot.gov/search);
    (2) Accessing the Government Printing Office's Web page at http://www.access.gpo.gov/su_docs/aces/aces140.html; or
    (3) Visiting TSA's Law and Policy Web page at http://www.tsa.dot.gov/public/index.jsp.
    In addition, copies are available by writing or calling the 
individual in the For Further Information Contact section. Make sure to 
identify the docket number of this notice.

Secure Flight--Test Phase Privacy Impact Assessment

I. Introduction

    Pursuant to the authority granted it by the Aviation and 
Transportation Security Act of 2001 (ATSA), TSA has developed a new 
program for screening domestic airline passengers in order to enhance 
the security and safety of domestic airline travel. Under this new 
program, Secure Flight, TSA will compare PNR information against 
expanded and consolidated watch lists held in the Terrorist Screening 
Database (TSDB) maintained by the Terrorist Screening Center (TSC) \1\ 
to identify known or suspected terrorists who would use the airways to 
inflict catastrophic damage on the United States. TSA plans to test the 
efficacy of the Secure Flight program after issuing an order to 
domestic air carriers to compel the collection of historic passenger 
name record (PNR) information for testing purposes. TSA will also 
conduct a separate test to determine if commercial data is effective in 
identifying passenger information that is incorrect or inaccurate. TSA 
does not assume that the result of comparison of passenger information 
to commercial data is determinative of information accuracy or the 
intent of the person who provided the passenger information.
---------------------------------------------------------------------------

    \1\ The Terrorist Screening Center (TSC), established in 
December 2003, maintains a consolidated, comprehensive watch list of 
known or suspected terrorists. This database can be used by 
government agencies in screening processes to identify individuals 
known to pose or are suspected of posing a risk to the security of 
the United States.
---------------------------------------------------------------------------

    Earlier this year, the Department of Homeland Security ordered a 
thorough review of the next generation passenger prescreening program 
under development by TSA. That review, which reflected helpful input to 
DHS from Congress, the public, privacy and civil liberties groups, 
airline passengers and the airline industry, and our international 
partners, has now been completed. Based on the results, TSA has 
developed a new program, Secure Flight, described above, which it 
intends to test prior to actual implementation. The new program will 
allow DHS to add a critical piece to its layered strategy for securing 
the nation's commercial air transportation system and is consistent 
with the 9/11 Commission recommendation: (1) That the Federal 
Government take over the responsibility for checking airline 
passengers' names against expanded ``no-fly'' and ``automatic 
selectee'' lists (this function is currently performed by individual 
airlines); and (2) that air carriers be required to supply data to test 
and implement this new system. Because existing watch lists that are 
being consolidated and expanded in the TSC will be used to test the 
prescreening of airline passengers by TSA using the TSDB, the E-
Government Act of 2002 requires that a Privacy Impact Assessment (PIA) 
be conducted. That assessment follows. After the test has been 
concluded and the results analyzed, TSA will update the PIA as 
necessary prior to actual implementation of the Secure Flight program.

System Overview

     What information is to be collected and used for this 
passenger pre-screening system?
    The information to be collected will be used for a test of the 
Secure Flight program to ensure its accuracy, efficacy and reliability. 
In order to conduct the test, TSA will require domestic air carriers to 
submit historic PNR about individuals who have completed domestic 
flight segments during the month of June, 2004. PNR varies according to 
airline, but includes the following information fields which TSA will 
need for testing purposes: full name, contact phone number, mailing 
address and travel itinerary limited to domestic flight segments that 
were completed prior to June 30, 2004. Upon completion of testing and 
before implementation of the Secure Flight program, TSA will publish an 
amended Privacy Impact Assessment and Privacy Act Notice reflecting 
changes to the program based on knowledge gained from testing as well 
as constructive feedback from the public.
     Why is the information being collected and who will be 
affected by the collection of the data?
    TSA is collecting information to test the Secure Flight program, 
the purpose of which is to enhance the security of domestic air travel 
by identifying only those passengers who warrant further scrutiny. The 
PNR to be collected will be compared with data maintained in the TSDB 
regarding individuals known or reasonably suspected to be or have been 
engaged in conduct constituting, in preparation for, in aid of, or 
related to terrorism. Individuals subject to the data collection 
requirements and processes of Secure Flight are persons who traveled 
within the United States during June 2004, the pre-selected 30-day 
period.
    This same historic PNR data also will be used to conduct a limited 
test to determine if the use of commercial data is effective in 
identifying passengers' information that is incorrect or inaccurate. 
This test will involve commercial data aggregators who currently 
provide services to the banking, home mortgage and credit industries. 
Testing will be governed by strict privacy and data security 
protections. TSA will not store the commercially available data that 
would be accessed by commercial data aggregators. TSA will use this 
test of commercial data to determine whether such use: (1) Could 
accurately identify passenger information that is incorrect or 
inaccurate; (2) would not result in inappropriate differences in 
treatment of any protected category of persons; (3) could be governed 
by data security safeguards and privacy protections that are 
sufficiently robust to ensure that commercial entities or other 
unauthorized entities do not gain access to passenger personal 
information, or to ensure that the federal government does not gain 
access inappropriately to certain types of personally sensitive data 
held by commercial entities.

[[Page 57354]]

    TSA will defer any decision on how commercial data might be used in 
its prescreening programs, as Secure Flight, until the completion of 
the test period, assessment of the test results and publication of a 
subsequent System of Records Notice under the Privacy Act announcing 
the intended use of such commercial data.
     What notice or opportunities for consent are provided to 
individuals regarding the information that is collected and shared?
    The Privacy Act System of Records Notice being published at this 
time--as well as this Privacy Impact Assessment--provide notice that 
TSA intends to collect historic PNR to test the Secure Flight program. 
Because the test phase will rely on historical PNR from the month of 
June 2004 for flights that were completed by the end of that month, the 
notice given by this Privacy Impact Assessment and the publication of a 
Privacy Act System of Records Notice for these records does not afford 
the opportunity for a passenger to provide consent in advance of this 
collection. Nevertheless, airline passengers are aware that by engaging 
in air travel they have consented to certain screening protocols since 
passenger prescreening is already in place. Additionally, Secure Flight 
has now been the subject of numerous media reports that convey 
additional notice, including information that appears on the TSA Web 
site at http://www.tsa.gov/public/.
    The information to be collected will be shared with TSA employees 
and contractors who have a ``need to know'' in order to conduct the 
required test comparisons. All TSA contractors involved in the testing 
of Secure Flight are contractually and legally obligated to comply with 
the Privacy Act in their handling, use and dissemination of personal 
information in the same manner as TSA employees.
    If a comparison using the test data indicates that an individual is 
suspected of terrorism, TSA will refer the information to appropriate 
law enforcement personnel for further action. Referrals will only 
occur, however, in this limited circumstance because the basic purpose 
of this information collection is to test the Secure Flight program.
     What security protocols are in place to protect the 
information?
    Information in TSA's record systems is safeguarded in accordance 
with the Federal Information Security Management Act of 2002 (Pub. L. 
107-347), which established government-wide computer security and 
training standards for all persons associated with the management and 
operation of Federal computer systems. The systems on which the tests 
will be conducted have been assessed for security risks, have 
implemented security policies and plans consistent with statutory, 
regulatory and internal DHS guidance, and are certified and accredited.
    TSA will maintain the data to be collected for this test in a 
secure facility on electronic media and in hard copy format. The 
information will be protected in accordance with rules and policies 
established by both TSA and DHS for automated systems and for hard copy 
storage, including password protection and secure file cabinets. 
Moreover, access will be strictly controlled; only TSA employees and 
contractors with proper security credentials and passwords will have 
permission to use this information to conduct the required tests. 
Additionally, a real time audit function will be part of this record 
system to track who accesses the information, and any infractions of 
information security rules will be dealt with severely. All TSA and 
assigned contractor staff receive DHS-mandated privacy training on the 
use and disclosure of personal data. The procedures and policies that 
are in place are intended to ensure that no unauthorized access to 
records occurs and that operational safeguards are firmly in place to 
prevent system abuses.
     Does this program create a new system of records under the 
Privacy Act.
    Yes. The Secure Flight Test Records system of records, DHS/TSA 017, 
is being published concurrently in today's Federal Register.
     What is the intended use of the information?
    The information collected by TSA will be used solely for the 
purpose of testing the Secure Flight program and will be maintained in 
a Privacy Act system of records in accordance with the published system 
of records notice for DHS/TSA 017.
     Will the information be retained and, if so, for what 
period of time?
    TSA will retain these records for a sufficient period of time to 
conduct and review the Secure Flight test and in the event where a 
request for redress must be resolved. TSA does not yet have a record 
retention schedule approved by the National Archives and Records 
Administration (NARA) for records pertaining to this program and must 
retain these records until such schedule is approved. TSA is in the 
process of developing a records retention schedule that will dictate 
the retention period for these records and allow TSA to dispose of them 
within an appropriate timeframe.
     How will the passenger be able to seek redress?
    During the test phase individuals may request access to information 
about themselves contained in the PNR subject to Secure Flight test 
phase by sending a written request to TSA. To the greatest extent 
possible and consistent with national security and homeland security 
requirements, access will be granted. If an individual wishes to 
contest or amend the records received in this manner, he or she may do 
so by sending that request to TSA. The request should conform to DHS 
requirements for contesting or amending Privacy Act records, and should 
be sent TSA Privacy Officer, Transportation Security Administration 
(TSA-9), 601 South 12th Street, Arlington, VA 22202. Before 
implementing a final program, however, TSA will create a robust redress 
mechanism to resolve disputes concerning the Secure Flight program.
     What databases will the names be run against?
    TSA will run the names against the TSDB, which is a consolidated, 
comprehensive watch list of known or suspected terrorists. This 
database can be used by government agencies in screening processes to 
identify individuals known to pose or are suspected of posing a risk to 
the security of the United States. This consolidated database contains 
information contributed by the Departments of Homeland Security, 
Justice, and State and by the intelligence community. Because 
information related to terrorists is consolidated in the TSDB, TSA 
believes that the TSDB provides the most effective and secure system 
against which to run airline passenger names for purposes of 
identifying whether or not they are known or reasonably suspected to be 
engaged in terrorism or terrorist activity.
     Privacy Effects and Mitigation Measures.
    The decision to initiate Secure Flight follows completion of a 
thorough review of the TSA's next generation passenger prescreening 
program, and is consistent with recommendations of the National 
Commission on Terrorist Attacks Upon the United States (9/11 
Commission) that ``improved use of `no-fly' and `automatic selectee' 
lists should not be delayed while the argument about a successor to 
CAPPS continues.'' Moreover, by focusing solely on potential terrorism 
and not other law enforcement purposes, Secure Flight addresses 
concerns raised by privacy groups and others about the potential for 
``mission creep'' by TSA.

[[Page 57355]]

    TSA appreciates the privacy risk inherent in any airline 
prescreening program in which passenger name record information is 
provided to the Federal Government for use in conducting the 
prescreening. However, TSA also recognizes that the risk is necessary 
for ensuring the security of our air transportation system. TSA 
believes it has taken action to mitigate any privacy risk by designing 
its next generation passenger prescreening program to accommodate 
concerns expressed by privacy advocates, foreign counterparts and 
others.
    First, under the Secure Flight testing phase, TSA will not require 
air carriers to collect any additional information from their 
passengers than is already collected by such carriers and maintained in 
passenger name records. Testing of the Secure Flight program will 
compare only existing PNR record information against names in the TSDB 
in order to determine how effectively existing PNR information can be 
compared against such names, how many instances of false positive 
matches occur, and what, if any additional limited data, would be most 
effective in reducing the number of such false positive hits. TSA 
envisions that carriers may be required to collect full passenger name 
and possibly one other element of information under a fully implemented 
operational Secure Flight program. However, TSA will not make such 
determination until the initial test phase results can be assessed and 
an additional Privacy Impact Assessment is published.
    Second, the Secure Flight program will permit TSA to take on sole 
responsibility for conducting passenger name comparisons against a 
consolidated TSDB watch list, rather than continuing to require 
multiple individual air carriers to conduct such comparisons. TSA will 
be able to apply improved prescreening procedures, including more 
consistent analytical procedures, for identifying actual name matches 
and for resolving false positive name matches prior to a passengers' 
arrival at an airport, than can currently be applied by the individual 
air carriers that currently administer the watch list comparisons. TSA 
expects that the number of individuals currently subjected to automatic 
secondary screening will be reduced under an implemented Secure Flight 
program.
    Third, Secure Flight will mitigate impact on personal privacy 
because of its limited purpose and anticipated limited retention 
period. Secure Flight will focus screening efforts only on identifying 
individuals known or reasonably suspected to be terrorists or engaged 
in terrorist activity, rather than on other law enforcement purposes. 
In addition, Secure Flight will only be applied to passengers on U.S. 
domestic flights. Passengers on international flights will continue to 
be prescreened using APIS (Advanced Passenger Information System data--
information from the machine readable portion of an individual's 
passport) provided to U.S. Customs and Border Protection for this 
purpose. Passengers on international flights will not be subject to 
duplicative information provision requirements or overlapping screening 
procedures. TSA also anticipates that passenger information will be 
held for a relatively limited amount of time after completion of a 
passenger's itinerary. TSA's prescreening efforts will be as narrow as 
reasonable to accommodate privacy concerns, including access to redress 
mechanisms, but as robust as necessary to accomplish its security 
mission.
    TSA believes that the Secure Flight program will represent a vast 
improvement in security by permitting TSA to identify individuals known 
or reasonably suspected to be engaged in terrorism or terrorism related 
activity. However, because Secure Flight may be rendered less effective 
if passenger-provided information is not accurate or correct, TSA does 
seek to identify the most appropriate means to identify when passenger 
information is incorrect or inaccurate. For this reason, TSA will use 
PNR information obtained for testing of the Secure Flight program to 
conduct a separate test of the use of commercial data to identify such 
inaccurate or incorrect passenger information. TSA recognizes that this 
may raise privacy and civil liberties concerns. TSA's testing of 
commercial data use will therefore involve the following:
    (a) TSA will only test the use of commercial data
    (b) TSA does not assume that the result of comparison of passenger 
information to commercial data is determinative of information accuracy 
or the intent of the person who provided the passenger information.
    (c) Such testing of commercial data will be governed by stringent 
data security and privacy protections, including contractual 
prohibitions on commercial entities' maintenance or use of airline-
provided PNR information for any purposes other than testing under TSA 
parameters; strict firewalls between the government and commercial data 
providers; real-time auditing procedures to determine when data within 
the Secure Flights system has been accessed and by whom; strict rules 
prohibiting the accessing or use of commercially held personal data by 
TSA;
    (d) Assessment of test results prior to any operational use of 
commercial data in TSA programs and determination that its use is 
effective in identifying incorrect or inaccurate information does not 
result in disparate treatment of any class of individuals, and that 
data security protections and privacy protections are robust and 
effective.
    TSA also recognizes that there is a privacy risk inherent in the 
design of any new system which could result from design mistakes. By 
testing the proposed Secure Flight program, TSA will have the 
opportunity to correct any privacy-related design mistakes before the 
program becomes fully operational, ensuring a better program. TSA is 
purposely testing the Secure Flight system, in fact, and will be 
carefully scrutinizing the performance of the system during the test 
phase--and conducting further analysis upon completion--to determine 
the effectiveness of Secure Flight both for passenger prescreening as 
well as for protecting the privacy of the data on which the program is 
based. By layering on top of the program design strict rules for 
oversight and training of personnel handling the data as well as strong 
system auditing to detect potential abuse and a carefully planned and 
executed redress process, TSA intends to make sure that privacy is an 
integral part of this overall effort. TSA's efforts will not only be 
thoroughly examined internally, including review by the TSA Privacy 
Officer, but also will be reviewed by the DHS Chief Privacy Officer 
before a final program is designed. In this process, TSA will carefully 
review constructive feedback it receives from the public on this 
important program.

    Issued in Arlington, VA, on September 21, 2004.
Lisa S. Dean,
Privacy Officer.
[FR Doc. 04-21477 Filed 9-21-04; 12:58 pm]
BILLING CODE 4910-62-P