[Federal Register Volume 78, Number 164 (Friday, August 23, 2013)] [Notices] [Pages 52553-52556] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2013-20635] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY Office of the Secretary [Docket No. DHS-2013-0058] Privacy Act of 1974; Department of Homeland Security/ALL-035 Common Entity Index Prototype System of Records AGENCY: Privacy Office, Department of Homeland Security. ACTION: Notice of Privacy Act System of Records. ----------------------------------------------------------------------- SUMMARY: In accordance with the Privacy Act of 1974, the Department of Homeland Security proposes to establish a new Department of Homeland Security system of records titled, ``Department of Homeland Security/ ALL--035 Common Entity Index Prototype System of Records.'' This system of records allows the Department of Homeland Security to correlate identity data from select component-level systems and organizes key identifiers that the Department of Homeland Security has collected about that individual. This correlation and consolidation of identity data will facilitate DHS's ability to carry out its missions with appropriate access control. DHS is building a prototype with an initial set of data for testing and evaluation purposes. If the system passes the testing and evaluation stage and DHS moves to an operational system, either this system will be updated or a new system of records notice will be published. DATES: Submit comments on or before September 23, 2013. This new prototype system will be effective September 23, 2013. ADDRESSES: You may submit comments, identified by docket number DHS- 2013-0058 by one of the following methods:Federal e-Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Fax: 202-343-4010. Mail: Jonathan R. Cantor, Acting Chief Privacy Officer, Privacy Office, Department of Homeland Security, Washington, DC 20528. Instructions: All submissions received must include the agency name and docket number for this rulemaking. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided. Docket: For access to the docket to read background documents or comments received, please visit http://www.regulations.gov. FOR FURTHER INFORMATION CONTACT: For questions, please contact: Jonathan R. Cantor, (202) 343-1717, Acting Chief Privacy Officer, Privacy Office, Department of Homeland Security, Washington, DC 20528. SUPPLEMENTARY INFORMATION: I. Background In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the Department of Homeland Security (DHS) proposes to establish a new DHS system of records titled, ``DHS/ALL--035 Common Entity Index Prototype (CEI Prototype).'' The purpose of this prototype is to determine the feasibility of establishing a centralized index of select biographic information that will allow DHS to provide a consolidated and correlated record, thereby facilitating and improving DHS's ability to carry out its national security, homeland security, law enforcement, and benefits missions. The ability to perform this task across multiple data sets increases the speed and efficiency of this work and contributes to DHS's readiness and effectiveness in carrying out its national security, homeland security, law enforcement, and benefits missions. Since 2007, DHS has operated under the ``One DHS'' policy that was implemented to afford DHS personnel timely access to the relevant and necessary homeland-security information they need to successfully perform their duties. Since this information is subject to privacy, civil rights and civil liberties, and other legal protections, DHS personnel requesting such information must: (1) Have an authorized purpose, authorized mission, and need to know for accessing the information in the performance of his or her duties; (2) possess the requisite security clearance; and (3) assure adequate safeguarding and protection of the information. In the past, however, this access was limited, time intensive, and required personnel to log on and query separate databases in order to determine the extent of DHS holdings pertaining to a particular individual. The CEI Prototype will expedite this time-consuming process by correlating identity information from select DHS source system data sets, resolving differences in the data, and consolidating the data as a more comprehensive identity record about an individual, including reference to the relevant source system records. The correlations to be made will be based on biographic linkages contained within the source system data. The CEI Prototype is being tested and evaluated by DHS to determine whether it can successfully result in a more authoritative and complete biographic picture of the individual about whom information is sought. The resulting correlation will be maintained in the CEI Prototype system of records. The CEI Prototype will correlate biographic data, including full name, date of birth, country of birth, government issued document number(s), phone number, physical address, and email address when available in the source systems. This information will be organized into an updated, common record pertaining to a specific individual. The CEI Prototype thus provides a consolidated, correlated identity record derived from DHS holdings that can then be evaluated for a specific purpose or DHS mission activity. The CEI Prototype uses technical access controls to provide results to a user's query that are based on that user's need to know. This approach ensures the appropriate privacy, policy, and safeguarding requirements are applied to the new record. The DHS Privacy Office, Office for Civil Rights and Civil Liberties, Office of the General Counsel, and Office of Policy, in coordination with DHS components, will provide policy recommendations and/or oversight of the correlation process, and [[Page 52554]] evaluate the effectiveness of the prototype. Initially, DHS will use certain biographic data elements and necessary meta data from the following source data sets to populate the CEI Prototype: (1) U.S. Customs and Border Protection (CBP)'s Electronic System for Travel Authorization (ESTA), covered by the DHS/ CBP-009--Electronic System for Travel Authorization (ESTA) SORN (July 30, 2012, 77 FR 44642); (2) U.S. Immigration and Customs Enforcement (ICE)'s Student and Exchange Visitor Information System (SEVIS), covered by the DHS/ICE-001--Student and Exchange Visitor Information System SORN (January 5, 2010, 75 FR 412); and (3) U.S. Transportation Security Administration (TSA)'s Alien Flight Student Program (AFS), covered by the DHS/TSA-002--Transportation Security Threat Assessment System SORN (May 19, 2010, 75 FR 28046). These three data sets were identified for the prototype in order to demonstrate how data sets from different components can be correlated while maintaining appropriate access controls. If additional data sets are added to the CEI Prototype, this SORN will be updated. If, based on the results of the CEI prototype, DHS creates an operational system, either this SORN will be updated or a new SORN will be published. For the CEI Prototype, DHS has published limited routine uses but none that are intended to allow mission-related sharing for national security, homeland security, law enforcement, and benefits purposes. Such sharing is not appropriate for a prototype. The information contained in the CEI Prototype may be shared from the source system pursuant to the appropriate routine uses. II. Privacy Act The Privacy Act embodies fair information practice principles in a statutory framework governing the means by which Federal Government agencies collect, maintain, use, and disseminate individuals' records. The Privacy Act applies to information that is maintained in a ``system of records.'' A ``system of records'' is a group of any records under the control of an agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other unique identifier particular to the individual. In the Privacy Act, an individual is defined to encompass U.S. citizens and lawful permanent residents. As a matter of policy, DHS extends administrative Privacy Act protections to all individuals when systems of records maintain information on U.S. citizens, lawful permanent residents, and visitors. Below is the description of the DHS/ALL--035 Common Entity Index Prototype System of Records. In accordance with 5 U.S.C. 552a(r), DHS has provided a report of this system of records to the Office of Management and Budget and to Congress. System of Records Department of Homeland Security (DHS)/ALL-035. System name: DHS/ALL-035 Common Entity Index Prototype (CEI Prototype). Security classification: Sensitive and unclassified. System location: Records are maintained at the DHS Headquarters in Washington, DC, DHS data centers in Stennis, Mississippi, and in locations where DHS and its components conduct business. Categories of individuals covered by the system: Categories of individuals covered by this system include: (1) foreign nationals who may seek to enter the United States by air or sea under the Visa Waiver Program; (2) prospective, current, and former non-immigrants to the United States on an F-1, M-1, or J-1 class of admission and their dependents who have been admitted under an F-2, M-2, or J-2 class of admission (collectively, F/M/J non-immigrants); (3) a proxy, parent or guardian of an F/M/J nonimmigrant; and (4) aliens or other individuals designated by DHS/Transportation Security Administration (TSA), including lawful permanent residents (LPR), who apply for flight training or recurrent training. F nonimmigrants are foreign students pursuing a full course of study in a college, university, seminary, conservatory, academic high school, private elementary school, other academic institution, or language training program in the United States (U.S.) that Student and Exchange Visitor Program (SEVP) has certified to enroll foreign students. M nonimmigrants are foreign students pursuing a full course of study in a vocational or other recognized nonacademic institution (e.g., technical school) in the U.S. that SEVP has certified to enroll foreign students. J nonimmigrants are foreign nationals selected by a sponsor that the Department of State (DOS) has designated to participate in an exchange visitor program in the U.S. Categories of records in the system: (1) Correlation created by the Common Entity Index Prototype includes Identity information; Meta Data related to the [cir] source system name, [cir] system identification number to tie the biographic information back to the source system record, and [cir] date the record was ingested into the CEI Prototype. (2) Source system data elements: Full Name; Alias(es); Gender; Date of Birth; Country of Birth; Country of Citizenship; Phone Number; Physical Address; Email Address; Fingerprint Identification Number; and Document Type, Number, Date, and Location of Issuance for the following types of government issued documents: [cir] Passport; [cir] Driver's License; [cir] Electronic System for Travel Authorization (ESTA); [cir] Student and Exchange Visitor Information System (SEVIS) ; [cir] Alien Registration; and [cir] Visa. Authority for maintenance of the system: Homeland Security Act, 6 U.S.C. 343; Clinger-Cohen Act of 1996, Public Law 104-106, codified at 40 U.S.C. 11101, et. seq. Purpose(s): The purpose of this prototype is to determine the feasibility of establishing a centralized index of select biographic information that will allow DHS to provide a consolidated and correlated identity, thereby facilitating and improving DHS's ability to carry out its national security, homeland security, law enforcement, and benefits missions. Routine uses of records maintained in the system, including categories of users and the purposes of such uses: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside DHS as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows, except, to the extent any of the data contained in the CEI Prototype relates to refugees, asylum seekers, and asylees, such information may not be [[Page 52555]] disclosed outside DHS as a routine use pursuant to 5 U.S.C. 552a(b)(3), but is subject, as a matter of policy, to the confidentiality provisions of 8 CFR 208.6. A. To the Department of Justice (DOJ), including U.S. Attorney Offices, or other federal agencies conducting litigation or in proceedings before any court, adjudicative, or administrative body, when it is relevant or necessary to the litigation and one of the following is a party to the litigation or has an interest in such litigation: 1. DHS or any component thereof; 2. Any employee or former employee of DHS in his/her official capacity; 3. Any employee or former employee of DHS in his/her individual capacity when DOJ or DHS has agreed to represent the employee; or 4. The United States or any agency thereof. B. To a congressional office from the record of an individual in response to an inquiry from that congressional office made at the request of the individual to whom the record pertains. C. To the National Archives and Records Administration (NARA) or General Services Administration pursuant to records management inspections being conducted under the authority of 44 U.S.C. Sec. Sec. 2904 and 2906. D. To appropriate agencies, entities, and persons when: 1. DHS suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; and 2. DHS has determined that as a result of the suspected or confirmed compromise, there is a risk of identity theft or fraud, harm to economic or property interests, harm to an individual, or harm to the security or integrity of this system or other systems or programs (whether maintained by DHS or another agency or entity) that rely upon the compromised information; and 3. The disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with DHS's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. E. To contractors and their agents, grantees, experts, consultants, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for DHS, when necessary to accomplish an agency function related to this system of records. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to DHS officers and employees. Disclosure to consumer reporting agencies: None. Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system: Storage: Records in this system are stored electronically in secure facilities in a locked drawer behind a locked door. The records may be stored on magnetic disc, tape, or digital media. Retrievability: Records may be retrieved by name or any other unique identifier assigned to the individual. Safeguards: Records in this system are safeguarded in accordance with applicable rules and policies, including all applicable DHS automated systems security and access policies. Strict controls have been imposed to minimize the risk of compromising the information that is being stored. Access to the computer system containing the records in this system is limited to those individuals who have a need to know the information for the performance of their official duties and who have appropriate clearances or permissions. Retention and disposal: The CEI Prototype ingests data from source systems, and correlates the data into a CEI Prototype identity. Ingested data is retained in CEI Prototype for no longer than the record retention requirements of the source systems. The CEI Prototype creates a correlated identity that is dynamic not static. The ingested data elements that make up that identity will be subject to the records retention schedules of the source systems from which they came. By design, the deletion or correction of these elements at the appropriate time will affect the correlated record. For example, if a student updates his/her contact information, the correlation will be updated. System Manager and address: Executive Director, DHS Information Sharing Environment Office, Department of Homeland Security, Washington, DC 20528. Notification procedure: Individuals seeking notification of and access to any record contained in this system of records, or seeking to contest its content, may submit a request in writing to the Headquarters FOIA Officer, whose contact information can be found on the Department's official Web site at http://www.dhs.gov/foia under ``Contacts.'' The individual may submit the request to the Chief Privacy Officer and Chief Freedom of Information Act Officer, Department of Homeland Security, 245 Murray Drive, SW., Building 410, STOP-0655, Washington, DC 20528. When seeking records about yourself from this system of records or any other Departmental system of records, your request must conform with the Privacy Act regulations set forth in 6 CFR part 5. You must first verify your identity, meaning that you must provide your full name, current address, and date and place of birth. You must sign your request, and your signature must either be notarized or submitted under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization. While no specific form is required, you may obtain forms for this purpose from the Chief Privacy Officer and Chief Freedom of Information Act Officer, on the Department's official Web site at http://www.dhs.gov/foia or by calling toll free 1-866-431-0486. In addition, you should: Explain why you believe the Department would have information on you; and Specify when you believe the records would have been created. If seeking records pertaining to another living individual, include a statement from that individual certifying his/her agreement for you to access his/her records. Without the above information, DHS may not be able to conduct an effective search, and your request may be denied due to lack of specificity or lack of compliance with applicable regulations. Record access procedures: See ``Notification procedure'' above. Contesting record procedures: See ``Notification procedure'' above. Record source categories: Initially, DHS will use the following source data sets to populate CEI Prototype: (1) CBP's ESTA, covered by the DHS/CBP-009--Electronic System for Travel Authorization (ESTA) SORN (July 30, 2012, 77 FR 44642); (2) ICE's SEVIS, covered by the DHS/ICE-001--Student and Exchange Visitor Information System SORN (January 5, 2010, 75 FR 412); and (3) TSA's AFS, covered by the DHS/TSA-002--Transportation Security Threat Assessment System SORN (May 19, [[Page 52556]] 2010, 75 FR 28046). If additional data sets are added to CEI Prototype, this SORN will be updated. If deployed for operational use, additional data sources may be used. DHS will update this SORN or issue a new SORN prior to the operational use of the system. Exemptions claimed for the system: The records maintained in the CEI Prototype are the non-exempt portions of the records in the source systems because the information ingested into the CEI Prototype is the information provided directly by the individual for the requested benefit. When a record received from another system has been exempted in that source system under 5 U.S.C. 552a(j)(2) or (k)(1), (k)(2), or (k)(5), DHS will claim the same exemptions for those records that are claimed for the original primary systems of records from which they originated. Dated: August 14, 2013. Jonathan R. Cantor, Acting Chief Privacy Officer, Department of Homeland Security. [FR Doc. 2013-20635 Filed 8-22-13; 8:45 am] BILLING CODE P