[Federal Register Volume 73, Number 144 (Friday, July 25, 2008)]
[Notices]
[Pages 43462-43465]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-17126]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

[Docket Number: DHS-2007-0016]


Privacy Act of 1974; U.S. Customs and Border Protection--Non-
Federal Entity Data System, Systems of Records

AGENCY: Privacy Office; Department of Homeland Security.

ACTION: Notice of Privacy Act system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, U.S. Customs and 
Border Protection, Department of Homeland Security proposes to add the 
following system of records to its inventory of records systems, the 
Non-Federal Entity Data System. Certain States, Native American Tribes, 
Canadian Provinces and Territories, and other non-Federal Governmental 
Authorities may make available travel documents, such as Enhanced 
Driver's Licenses (EDLs), that may be deemed by the Secretary of DHS as 
denoting identity and citizenship for purposes of the Western 
Hemisphere Travel Initiative (WHTI), upon implementation, as mandated 
by the Intelligence Reform and Terrorism Prevention Act of 2004, Pub. 
L. 108-458, 118 Stat. 3638 (2004). It is anticipated that all such 
documents will utilize facilitative technology such as Radio Frequency 
Identification (RFID), and contain a Machine Readable Zone (MRZ) using 
Optical Character Recognition (OCR) technology. In certain instances, 
other non-federal and foreign government authorities may provide to CBP 
biographical information and photographs that have been voluntarily 
submitted to the issuing entity by individuals choosing to apply for 
such travel documents, with the understanding that this information 
will be provided to DHS and CBP. DHS will use this information to 
facilitate the validation of travel documents when an individual 
crosses the border.

DATES: Comments must be provided by August 25, 2008. The new system of 
records will be effective August 25, 2008.

ADDRESSES: You may submit comments, identified by docket number DHS-
2008-0016 by one of the following methods:
     Federal e-Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Fax: 1-866-466-5370.
     Mail: Hugo Teufel III, Chief Privacy Officer, Privacy 
Office, Department of Homeland Security, Washington, DC 20528.
     Instructions: All submissions received must include the 
agency name and docket number for this rulemaking. All comments 
received will be posted without change to http://www.regulations.gov, 
including any personal information provided.
     Docket: For access to the docket to read background 
documents or comments received go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: For general questions please contact: 
Laurence E. Castelli (202-572-8790), Chief, Privacy Act Policy and 
Procedures Branch, U.S. Customs and Border Protection, Office of 
International Trade, Regulations & Rulings, Mint Annex, 1300 
Pennsylvania Ave., NW., Washington, DC 20229. For privacy issues 
contact: Hugo Teufel III (703-235-0780), Chief Privacy Officer, Privacy 
Office, U.S. Department of Homeland Security, Washington, DC 20528.

SUPPLEMENTARY INFORMATION: 

I. Background

    The priority mission of U.S. Customs and Border Protection (CBP) is 
to prevent terrorists and terrorist weapons from entering the country 
while facilitating legitimate travel and trade. In response to this 
mission, Congressionally mandated, and as part of its efforts to secure 
the border, CBP and the Department of Homeland Security (DHS) plan to 
implement the Western Hemisphere Travel Initiative (WHTI), which 
eliminates a historical exemption that allowed certain travelers, 
notably U.S. and Canadian citizens, to enter the United States from 
within the Western Hemisphere without presenting a valid passport or 
other approved travel document. In advance of full WHTI implementation, 
DHS is working to close existing security gaps at the earliest possible 
opportunity, such as the implementation of new procedures for U.S. and 
Canadian citizens entering the U.S. that became effective January 31, 
2008, and to prepare new secure travel document requirements that are 
expected to go into effect upon full WHTI implementation on June 1, 
2009.
    To facilitate border crossing for their citizens, certain states, 
Native American tribes, Canadian provinces and territories and other 
non-federal governmental authorities may make available to CBP 
biographical information and photographs associated with travel 
documents, such as Enhanced Driver's Licenses (EDLs). EDLs utilize 
facilitative technology such as RFID and contain a Machine Readable 
Zone (MRZ) using Optical Character Recognition (OCR) technology; they 
denote both identity and citizenship for border-crossing purposes. In 
certain instances, non-federal governmental authorities are choosing to 
provide to CBP biographical information and photographs that applicants 
for EDLs or similar travel documents have provided voluntarily to the 
issuing entity, with the understanding that such information will be 
stored by CBP for purposes of facilitating the document holder's 
crossing of the border. When a traveler presents such a document for 
purposes of entering the United States, CBP may validate this document 
and the information provided by the traveler, against the information 
provided to CBP by the issuing authority. Therefore, in accordance with 
the Privacy Act of

[[Page 43463]]

1974, the Department of Homeland Security, U.S. Customs and Border 
Protection, proposes to add the following system of records to its 
inventory of records systems, the Non-Federal Entity Data System 
(NEDS).

II. Current Process for Border Crossing

    Upon arrival, all individuals crossing the border are required to 
submit to inspection and be cleared for admission by CBP. As part of 
this clearance process, each traveler entering the United States must 
first establish his or her identity, nationality/citizenship, and 
admissibility to the satisfaction of a CBP officer. Additionally, CBP 
records the fact that the individual has been admitted or paroled into 
the United States. This record is maintained in a newly created Privacy 
Act System of Records, Border Crossing Information (BCI), which is 
being concurrently published in today's Federal Register. DHS has 
determined that certain border crossing travel documents enabled with 
RFID, MRZ and OCR technology will be accepted as proof of identity and 
citizenship and, further, may be accepted as WHTI-compliant travel 
documents upon implementation of WHTI.
    The purpose of the Non-Federal Entity Data System (NEDS) is to have 
available to the CBP officer at the border the data related to certain 
border crossing travel documents. This will enable the CBP officer to 
quickly access the traveler's biographic information and photograph, 
when the traveler presents his or her border crossing travel document, 
to validate the authenticity of the travel document. Certain non-
federal governmental authorities will choose to provide CBP with a copy 
of information derived from their EDL (or other traveler document) 
database, that denotes identity and citizenship, and can be used by CBP 
to validate the travel document. The datasets from each issuing 
authority will be kept separately such that information from one 
issuing authority is not commingled with another's information.
    CBP may electronically validate the following information, where 
available, and record this information as part of the traveler's border 
crossing record: Full name (first, middle, and last), date of birth, 
gender, travel document type (e.g., EDL) and number or identifier, 
expiration date, issuing country or jurisdiction, country of 
citizenship, and photograph (when available). Where the issuing entity 
provides CBP with an advance copy of information from their travel 
document database, that data will be maintained in NEDS.
    Upon arrival at the border, a person presenting proof of identity 
or citizenship issued by a non-federal governmental authority will have 
the identifier associated with her or his border crossing travel 
document read by the appropriate technology, such as an RFID reader, or 
the document information will be read using the MRZ or will be entered 
manually by the CBP officer. The identifier associated with this travel 
document will be transmitted through secure CBP computer networks to 
NEDS, where the unique number will be associated with the respective 
biographic information and photograph held in that system. The 
associated biographic information and photograph is then transmitted 
back through secure CBP computer networks to the port of entry and 
inspection terminal where the border crossing travel document was first 
read for confirmation that the document is a valid document and belongs 
to the person presenting the document to the CBP officer.
    In cases where a traveler presents a federally issued travel 
document, such as a Visa, Passport or Passport card, or Border Crossing 
Card (BCC) issued by Department of State, or an I-551 Permanent 
Resident Card issued by U.S. Citizenship and Immigration Services 
(USCIS), DHS will validate the travel document through the use of 
systems or databases other than NEDS. NEDS is only employed when the 
travel document is issued by a non-federal government authority and 
that authority has provided CBP with advance information for purposes 
of validating such documents at the time of a U.S. border crossing. The 
data housed in NEDS is then used to populate biographical data fields 
contained in two other CBP systems, BCI (to record the entry of a 
traveler into the United States) and, where applicable, the Treasury 
Enforcement Communications System (TECS) (in the event some enforcement 
action is taken with regard to that traveler).
    The traveler information held in NEDS is used by CBP to facilitate 
implementation of its mandates pursuant to the Enhanced Border Security 
and Visa Reform Act of 2002, Aviation and Transportation Security Act 
of 2001, the Intelligence Reform and Terrorism Prevention Act of 2004, 
the Tariff Act of 1930, as amended (19 U.S.C. 66, 1433, 1459, 1624, and 
2071), and the Immigration and Nationality Act, as amended (8 U.S.C. 
1185).
    The information held within NEDS will be maintained and used in 
accordance with the individual memorandum of understanding/agreement 
with each issuing authority.

III. Privacy Act

    The Privacy Act embodies fair information principles in a statutory 
framework governing the means by which the United States Government 
collects, maintains, uses and disseminates personally identifiable 
information. The Privacy Act applies to information that is maintained 
in a ``system of records.'' A ``system of records'' is a group of any 
records under the control of an agency from which information is 
retrieved by the name of the individual or by some identifying number, 
symbol, or other identifying particular assigned to the individual. In 
the Privacy Act, an individual is defined to encompass United States 
citizens and lawful permanent residents. DHS extends administrative 
Privacy Act protections to all persons, whether they are U.S. citizens, 
lawful permanent residents, or non-immigrant aliens. The Non-Federal 
Entity Data System involves the collection of information that will be 
maintained in a system of records.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the type and character of each system 
of records that the agency maintains, and the routine uses that are 
applicable to each system to make agency recordkeeping practices 
transparent, to notify individuals regarding the uses to which 
personally identifiable information is put, and to assist the 
individual to more easily find such files within the agency.
    In consideration of privacy, CBP has limited the sharing of NEDS 
data to the statutory disclosures permitted under 5 U.S.C. 552a(b) of 
the Privacy Act, and has chosen not to publish any routine uses 
pursuant to 5 U.S.C. 552a(b)(3). This provides an individual possessing 
an approved travel document, such as EDL, whose data is shared with CBP 
prior to crossing the border with a similar level of privacy as the 
individual whose data is shared at the time of crossing with CBP.
    DHS is hereby publishing a description of the Non-Federal Entity 
Data System, system of records. In accordance with 5 U.S.C. 552a(r), a 
report concerning this record system has been sent to the Office of 
Management and Budget and to the Congress.
DHS/CBP-008

SYSTEM NAME:
    Non-Federal Entity Data System (NEDS).

SYSTEM LOCATION:
    These datasets are located at the U.S. Customs and Border 
Protection (CBP)

[[Page 43464]]

National Data Center. Computer terminals receiving the data are located 
at customhouses, border ports of entry, airport inspection facilities 
under the jurisdiction of the Department of Homeland Security and other 
locations at which DHS authorized personnel may be posted to facilitate 
DHS's mission. Terminals may also be located at appropriate facilities 
for other participating government agencies, which have obtained system 
access pursuant to a Memorandum of Understanding.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by NEDS consist of persons, including U.S. 
Citizens and Canadian Citizens who have been issued Enhanced Driver's 
Licenses (EDL) or certain other travel documents by participating 
authorities, such as certain States, Native American Tribes, and 
Canadian Provinces and Territories, where the issuing authority has 
chosen to provide CBP with advance information from their databases 
regarding the EDL or other travel document. Individuals holding travel 
documents issued by authorities that do not provide CBP with a copy of 
this information (or only provide CBP with real-time access to 
document-specific information in their databases at the time such 
document is presented for border crossing purposes) are not covered by 
NEDS, as the information underlying their travel document has not been 
provided in advance to CBP.

CATEGORIES OF RECORDS IN THE SYSTEM:
    NEDS will contain the following information, to the extent provided 
to CBP by the participating document-issuing authority:
     Full Name (first, middle, and last)
     Date of birth
     Gender
     Citizenship
     Digital Image (Photograph)
     Travel document type, e.g. Enhanced Driver's License (EDL)
     Issuing jurisdiction
     Expiration date
     Optical character read (OCR) identifier
     RFID tag number(s)

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The legal authority for NEDS is the Enhanced Border Security and 
Visa Reform Act of 2002, Pub. L. 107-173, 116 Stat. 543 (2002), 
Aviation and Transportation Security Act of 2001, Pub. L. 107-71, 115 
Stat. 597 (2001), Intelligence Reform and Terrorism Prevention Act of 
2004, Pub. L. 108-458, 118 Stat. 3638 (2004), The Immigration and 
Nationality Act, 8 U.S.C. 1185 and 1354, and The Tariff Act of 1930, as 
amended, 19 U.S.C. 66, 1433, 1459, 1624 and 2071, as well as the 
memoranda of understanding/agreement entered into with participating 
issuing authorities who are providing the data with which NEDS is 
populated.

PURPOSE:
    CBP collects this information to expedite CBP processing upon an 
individual's arrival in and, in certain instances, prior to the 
individual's departure from the United States. This information will 
allow CBP, upon presentation of the travel document at the border, to 
electronically verify identity and citizenship, determine admissibility 
and perform law enforcement queries to identify security risks to the 
United States. This information is maintained in accordance with this 
system of records notice and applicable memoranda of understanding/
agreement with the issuing authorities.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    The use of this information is limited, principally to the 
verification of travel document information used to denote identity and 
citizenship so as to determine admissibility to the United States. To 
the extent data derived from NEDS is subsequently transferred to other 
systems of record (e.g., upon presentment of a travel document in 
conjunction with a border crossing), that data may be used in a manner 
consistent with the system of records notice published for the 
receiving system of records.
    In consideration of privacy, CBP has limited the sharing of NEDS 
data to the statutory disclosures permitted under 5 U.S.C. 552a(b) of 
the Privacy Act, and has chosen not to publish routine uses pursuant to 
5 U.S.C. 522a(b)(3). This provides an individual possessing an approved 
travel document, such as EDL, whose data is shared with CBP prior to 
crossing the border with a similar level of privacy protection as the 
individual whose data is shared with CBP at the time of such crossing.

Disclosure to consumer reporting agencies:
    None.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    The data is stored electronically at the CBP Data Center for 
current data and offsite at an alternative data storage facility for 
historical logs and system backups.

RETRIEVABILITY:
    The data is retrievable by name, optical character recognition 
identifier, RFID tag number, or personal identifier from an electronic 
set of data.

SAFEGUARDS:
    All NEDS records are protected from unauthorized access through 
appropriate administrative, physical, and technical safeguards. These 
safeguards include all of the following: Restricting access to those 
with a ``need to know''; using locks, alarm devices, and passwords; 
compartmentalizing databases; auditing software; and encrypting data 
communications.
    NEDS information is secured in full compliance with the 
requirements of the DHS IT Security Program Handbook. This handbook 
establishes a comprehensive program, consistent with federal law and 
policy, to provide complete information security, including directives 
on roles and responsibilities, management policies, operational 
policies, and application rules, which will be applied to component 
systems, communications between component systems, and at interfaces 
between component systems and external systems.
    One aspect of the DHS comprehensive program to provide information 
security involves the establishment of rules of behavior for each major 
application, including NEDS. These rules of behavior require users to 
be adequately trained regarding the security of their systems. These 
rules also require a periodic assessment of technical, administrative 
and managerial controls to enhance data integrity and accountability. 
System users must sign statements acknowledging that they have been 
trained and understand the security aspects of their systems. System 
users must also complete annual privacy awareness training to maintain 
current access.
    NEDS transactions are tracked and can be monitored. This allows for 
oversight and audit capabilities to ensure that the data is being 
handled consistent with all applicable federal laws and regulations 
regarding privacy and data integrity. Data exchange, which will take 
place over an encrypted network between CBP and other DHS components 
that may be authorized to have access to NEDS data, is limited and 
confined only to those entities that have a need for the data in the 
performance of official duties.

[[Page 43465]]

RETENTION AND DISPOSAL:
    NEDS data is subject to a retention requirement. The information 
collected and maintained in NEDS is used for border crossing purposes 
and is retained in NEDS for the duration of the validity of the travel 
document, that is from the date of issuance by the issuing authority 
until the date of expiration on the document, or, to the extent more 
restrictive, in accordance with the terms of any memorandum of 
understanding/agreement between CBP and the issuing authority. 
Information contained in NEDS will be retained and updated as 
information is provided by the issuing authority, so as to ensure 
timeliness, relevancy, accuracy, and completeness.

SYSTEM MANAGER(S) AND ADDRESS:
    Director, Office of Automated Systems, U.S. Customs and Border 
Protection Headquarters, 1300 Pennsylvania Avenue, NW., Washington, DC 
20229.

NOTIFICATION PROCEDURES:
    DHS allows persons (including foreign nationals) to seek 
administrative access under the Privacy Act to information maintained 
in NEDS. To determine whether NEDS contains records relating to you, 
write to the CBP Customer Service Center (Rosslyn VA), 1300 
Pennsylvania Avenue, NW., Washington, DC 20229; Telephone (877) 227-
5511; or through the ``Questions'' tab at http://www.cbp.gov.xp.cgov/travel/customerservice.

RECORD ACCESS PROCEDURES:
    Requests for notification or access must be in writing and should 
be addressed to the CBP Customer Service Center (Rosslyn, VA), 1300 
Pennsylvania Avenue, NW., Washington, DC 20229; Telephone (877) 227-
5511; or through the ``Questions'' tab at http://www.cbp.gov.xp.cgov/travel/customerservice. Requests should conform to the requirements of 
6 CFR part 5, Subpart B, which provides the rules for requesting access 
to Privacy Act records maintained by DHS and can be found at http://www.dhs.gov. The envelope and letter should be clearly marked ``Privacy 
Act Access Request.'' The request should include a general description 
of the records sought and must include the requester's full name, 
current address, and date and place of birth. The request must be 
signed and either notarized or submitted under penalty of perjury.
    While DHS provides this mechanism for seeking notification and 
access to such information, requesters are encouraged in the first 
instance to contact the authority which issued the travel document to 
request access to this information, as DHS may nonetheless be required 
to coordinate any release with such authorities.

CONTESTING RECORD PROCEDURES:
    Requests to amend records must be in writing and should be 
addressed to the CBP Customer Service Center (Rosslyn, VA), 1300 
Pennsylvania Avenue, NW., Washington, DC 20229; Telephone (877) 227-
5511; or through the ``Questions'' tab at http://www.cbp.gov.xp.cgov/travel/customerservice. Requests should conform to the requirements of 
6 CFR part 5, subpart B, which provides the rules for requesting access 
to Privacy Act records maintained by DHS and can be found at http://www.dhs.gov/foia. The envelope and letter should be clearly marked 
``Privacy Act Access Request.'' The request should include a general 
description of the records sought and must include the requester's full 
name, current address, and date and place of birth. The request must be 
signed and either notarized or submitted under penalty of perjury.
    If individuals are uncertain what agency handles the information, 
they may seek redress through the DHS Traveler Redress Program 
(``TRIP'') (See 72 FR 2294, dated January 18, 2007). TRIP is a single 
point of contact for individuals who have inquiries or seek resolution 
regarding difficulties they experienced during their travel screening 
at transportation hubs--such as, airports, seaports and train stations 
or at U.S. land borders. Through TRIP, a traveler can request 
correction of erroneous information stored in other DHS databases 
through one application. Redress requests should be sent to: DHS 
Traveler Redress Inquiry Program (TRIP), 601 South 12th Street, TSA-
901, Arlington, VA 22202-4220 or online at http://www.dhs.gov/trip.
    Additionally, while DHS provides this mechanism for contesting 
records, requesters are encouraged in the first instance to contact the 
authority which issued the travel document to request access to this 
information, as DHS may nonetheless be required to coordinate any 
requests with such authorities.

RECORD SOURCE CATEGORIES:
    The system contains certain data received on individuals who have 
chosen to obtain a travel document that is designated by the Secretary 
of Homeland Security as denoting identity and citizenship for purposes 
of entering the United States and has been issued by an authority which 
has provided CBP with advance information from its relevant travel 
document database.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    None.

    Dated: July 18, 2008.
Hugo Teufel III,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. E8-17126 Filed 7-24-08; 8:45 am]
BILLING CODE 4410-10-P