[Federal Register Volume 78, Number 164 (Friday, August 23, 2013)]
[Notices]
[Pages 52553-52556]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-20635]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

[Docket No. DHS-2013-0058]


Privacy Act of 1974; Department of Homeland Security/ALL-035 
Common Entity Index Prototype System of Records

AGENCY: Privacy Office, Department of Homeland Security.

ACTION: Notice of Privacy Act System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, the Department of 
Homeland Security proposes to establish a new Department of Homeland 
Security system of records titled, ``Department of Homeland Security/
ALL--035 Common Entity Index Prototype System of Records.'' This system 
of records allows the Department of Homeland Security to correlate 
identity data from select component-level systems and organizes key 
identifiers that the Department of Homeland Security has collected 
about that individual. This correlation and consolidation of identity 
data will facilitate DHS's ability to carry out its missions with 
appropriate access control. DHS is building a prototype with an initial 
set of data for testing and evaluation purposes. If the system passes 
the testing and evaluation stage and DHS moves to an operational 
system, either this system will be updated or a new system of records 
notice will be published.

DATES: Submit comments on or before September 23, 2013. This new 
prototype system will be effective September 23, 2013.

ADDRESSES: You may submit comments, identified by docket number DHS-
2013-0058 by one of the following methods:
     Federal e-Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Fax: 202-343-4010.
     Mail: Jonathan R. Cantor, Acting Chief Privacy Officer, 
Privacy Office, Department of Homeland Security, Washington, DC 20528.
    Instructions: All submissions received must include the agency name 
and docket number for this rulemaking. All comments received will be 
posted without change to http://www.regulations.gov, including any 
personal information provided.
    Docket: For access to the docket to read background documents or 
comments received, please visit http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: For questions, please contact: 
Jonathan R. Cantor, (202) 343-1717, Acting Chief Privacy Officer, 
Privacy Office, Department of Homeland Security, Washington, DC 20528.

SUPPLEMENTARY INFORMATION:

I. Background

    In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the 
Department of Homeland Security (DHS) proposes to establish a new DHS 
system of records titled, ``DHS/ALL--035 Common Entity Index Prototype 
(CEI Prototype).''
    The purpose of this prototype is to determine the feasibility of 
establishing a centralized index of select biographic information that 
will allow DHS to provide a consolidated and correlated record, thereby 
facilitating and improving DHS's ability to carry out its national 
security, homeland security, law enforcement, and benefits missions. 
The ability to perform this task across multiple data sets increases 
the speed and efficiency of this work and contributes to DHS's 
readiness and effectiveness in carrying out its national security, 
homeland security, law enforcement, and benefits missions.
    Since 2007, DHS has operated under the ``One DHS'' policy that was 
implemented to afford DHS personnel timely access to the relevant and 
necessary homeland-security information they need to successfully 
perform their duties. Since this information is subject to privacy, 
civil rights and civil liberties, and other legal protections, DHS 
personnel requesting such information must: (1) Have an authorized 
purpose, authorized mission, and need to know for accessing the 
information in the performance of his or her duties; (2) possess the 
requisite security clearance; and (3) assure adequate safeguarding and 
protection of the information. In the past, however, this access was 
limited, time intensive, and required personnel to log on and query 
separate databases in order to determine the extent of DHS holdings 
pertaining to a particular individual.
    The CEI Prototype will expedite this time-consuming process by 
correlating identity information from select DHS source system data 
sets, resolving differences in the data, and consolidating the data as 
a more comprehensive identity record about an individual, including 
reference to the relevant source system records. The correlations to be 
made will be based on biographic linkages contained within the source 
system data. The CEI Prototype is being tested and evaluated by DHS to 
determine whether it can successfully result in a more authoritative 
and complete biographic picture of the individual about whom 
information is sought. The resulting correlation will be maintained in 
the CEI Prototype system of records.
    The CEI Prototype will correlate biographic data, including full 
name, date of birth, country of birth, government issued document 
number(s), phone number, physical address, and email address when 
available in the source systems. This information will be organized 
into an updated, common record pertaining to a specific individual. The 
CEI Prototype thus provides a consolidated, correlated identity record 
derived from DHS holdings that can then be evaluated for a specific 
purpose or DHS mission activity. The CEI Prototype uses technical 
access controls to provide results to a user's query that are based on 
that user's need to know.
    This approach ensures the appropriate privacy, policy, and 
safeguarding requirements are applied to the new record. The DHS 
Privacy Office, Office for Civil Rights and Civil Liberties, Office of 
the General Counsel, and Office of Policy, in coordination with DHS 
components, will provide policy recommendations and/or oversight of the 
correlation process, and

[[Page 52554]]

evaluate the effectiveness of the prototype.
    Initially, DHS will use certain biographic data elements and 
necessary meta data from the following source data sets to populate the 
CEI Prototype: (1) U.S. Customs and Border Protection (CBP)'s 
Electronic System for Travel Authorization (ESTA), covered by the DHS/
CBP-009--Electronic System for Travel Authorization (ESTA) SORN (July 
30, 2012, 77 FR 44642); (2) U.S. Immigration and Customs Enforcement 
(ICE)'s Student and Exchange Visitor Information System (SEVIS), 
covered by the DHS/ICE-001--Student and Exchange Visitor Information 
System SORN (January 5, 2010, 75 FR 412); and (3) U.S. Transportation 
Security Administration (TSA)'s Alien Flight Student Program (AFS), 
covered by the DHS/TSA-002--Transportation Security Threat Assessment 
System SORN (May 19, 2010, 75 FR 28046). These three data sets were 
identified for the prototype in order to demonstrate how data sets from 
different components can be correlated while maintaining appropriate 
access controls. If additional data sets are added to the CEI 
Prototype, this SORN will be updated. If, based on the results of the 
CEI prototype, DHS creates an operational system, either this SORN will 
be updated or a new SORN will be published.
    For the CEI Prototype, DHS has published limited routine uses but 
none that are intended to allow mission-related sharing for national 
security, homeland security, law enforcement, and benefits purposes. 
Such sharing is not appropriate for a prototype. The information 
contained in the CEI Prototype may be shared from the source system 
pursuant to the appropriate routine uses.

II. Privacy Act

    The Privacy Act embodies fair information practice principles in a 
statutory framework governing the means by which Federal Government 
agencies collect, maintain, use, and disseminate individuals' records. 
The Privacy Act applies to information that is maintained in a ``system 
of records.'' A ``system of records'' is a group of any records under 
the control of an agency from which information is retrieved by the 
name of an individual or by some identifying number, symbol, or other 
unique identifier particular to the individual. In the Privacy Act, an 
individual is defined to encompass U.S. citizens and lawful permanent 
residents. As a matter of policy, DHS extends administrative Privacy 
Act protections to all individuals when systems of records maintain 
information on U.S. citizens, lawful permanent residents, and visitors.
    Below is the description of the DHS/ALL--035 Common Entity Index 
Prototype System of Records.
    In accordance with 5 U.S.C. 552a(r), DHS has provided a report of 
this system of records to the Office of Management and Budget and to 
Congress.
System of Records
    Department of Homeland Security (DHS)/ALL-035.

System name:
    DHS/ALL-035 Common Entity Index Prototype (CEI Prototype).

Security classification:
    Sensitive and unclassified.

System location:
    Records are maintained at the DHS Headquarters in Washington, DC, 
DHS data centers in Stennis, Mississippi, and in locations where DHS 
and its components conduct business.

Categories of individuals covered by the system:
    Categories of individuals covered by this system include:
    (1) foreign nationals who may seek to enter the United States by 
air or sea under the Visa Waiver Program;
    (2) prospective, current, and former non-immigrants to the United 
States on an F-1, M-1, or J-1 class of admission and their dependents 
who have been admitted under an F-2, M-2, or J-2 class of admission 
(collectively, F/M/J non-immigrants);
    (3) a proxy, parent or guardian of an F/M/J nonimmigrant; and
    (4) aliens or other individuals designated by DHS/Transportation 
Security Administration (TSA), including lawful permanent residents 
(LPR), who apply for flight training or recurrent training.
    F nonimmigrants are foreign students pursuing a full course of 
study in a college, university, seminary, conservatory, academic high 
school, private elementary school, other academic institution, or 
language training program in the United States (U.S.) that Student and 
Exchange Visitor Program (SEVP) has certified to enroll foreign 
students. M nonimmigrants are foreign students pursuing a full course 
of study in a vocational or other recognized nonacademic institution 
(e.g., technical school) in the U.S. that SEVP has certified to enroll 
foreign students. J nonimmigrants are foreign nationals selected by a 
sponsor that the Department of State (DOS) has designated to 
participate in an exchange visitor program in the U.S.

Categories of records in the system:
    (1) Correlation created by the Common Entity Index Prototype 
includes
     Identity information;
     Meta Data related to the
    [cir] source system name,
    [cir] system identification number to tie the biographic 
information back to the source system record, and
    [cir] date the record was ingested into the CEI Prototype.
    (2) Source system data elements:
     Full Name;
     Alias(es);
     Gender;
     Date of Birth;
     Country of Birth;
     Country of Citizenship;
     Phone Number;
     Physical Address;
     Email Address;
     Fingerprint Identification Number; and
     Document Type, Number, Date, and Location of Issuance for 
the following types of government issued documents:
    [cir] Passport;
    [cir] Driver's License;
    [cir] Electronic System for Travel Authorization (ESTA);
    [cir] Student and Exchange Visitor Information System (SEVIS) ;
    [cir] Alien Registration; and
    [cir] Visa.

Authority for maintenance of the system:
    Homeland Security Act, 6 U.S.C. 343; Clinger-Cohen Act of 1996, 
Public Law 104-106, codified at 40 U.S.C. 11101, et. seq.

 Purpose(s):
    The purpose of this prototype is to determine the feasibility of 
establishing a centralized index of select biographic information that 
will allow DHS to provide a consolidated and correlated identity, 
thereby facilitating and improving DHS's ability to carry out its 
national security, homeland security, law enforcement, and benefits 
missions.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DHS as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows, except, to the 
extent any of the data contained in the CEI Prototype relates to 
refugees, asylum seekers, and asylees, such information may not be

[[Page 52555]]

disclosed outside DHS as a routine use pursuant to 5 U.S.C. 552a(b)(3), 
but is subject, as a matter of policy, to the confidentiality 
provisions of 8 CFR 208.6.
    A. To the Department of Justice (DOJ), including U.S. Attorney 
Offices, or other federal agencies conducting litigation or in 
proceedings before any court, adjudicative, or administrative body, 
when it is relevant or necessary to the litigation and one of the 
following is a party to the litigation or has an interest in such 
litigation:
    1. DHS or any component thereof;
    2. Any employee or former employee of DHS in his/her official 
capacity;
    3. Any employee or former employee of DHS in his/her individual 
capacity when DOJ or DHS has agreed to represent the employee; or
    4. The United States or any agency thereof.
    B. To a congressional office from the record of an individual in 
response to an inquiry from that congressional office made at the 
request of the individual to whom the record pertains.
    C. To the National Archives and Records Administration (NARA) or 
General Services Administration pursuant to records management 
inspections being conducted under the authority of 44 U.S.C. Sec. Sec.  
2904 and 2906.
    D. To appropriate agencies, entities, and persons when:
    1. DHS suspects or has confirmed that the security or 
confidentiality of information in the system of records has been 
compromised; and
    2. DHS has determined that as a result of the suspected or 
confirmed compromise, there is a risk of identity theft or fraud, harm 
to economic or property interests, harm to an individual, or harm to 
the security or integrity of this system or other systems or programs 
(whether maintained by DHS or another agency or entity) that rely upon 
the compromised information; and
    3. The disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with DHS's efforts to 
respond to the suspected or confirmed compromise and prevent, minimize, 
or remedy such harm.
    E. To contractors and their agents, grantees, experts, consultants, 
and others performing or working on a contract, service, grant, 
cooperative agreement, or other assignment for DHS, when necessary to 
accomplish an agency function related to this system of records. 
Individuals provided information under this routine use are subject to 
the same Privacy Act requirements and limitations on disclosure as are 
applicable to DHS officers and employees.

Disclosure to consumer reporting agencies:
    None.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Records in this system are stored electronically in secure 
facilities in a locked drawer behind a locked door. The records may be 
stored on magnetic disc, tape, or digital media.

Retrievability:
    Records may be retrieved by name or any other unique identifier 
assigned to the individual.

Safeguards:
    Records in this system are safeguarded in accordance with 
applicable rules and policies, including all applicable DHS automated 
systems security and access policies. Strict controls have been imposed 
to minimize the risk of compromising the information that is being 
stored. Access to the computer system containing the records in this 
system is limited to those individuals who have a need to know the 
information for the performance of their official duties and who have 
appropriate clearances or permissions.

Retention and disposal:
    The CEI Prototype ingests data from source systems, and correlates 
the data into a CEI Prototype identity. Ingested data is retained in 
CEI Prototype for no longer than the record retention requirements of 
the source systems. The CEI Prototype creates a correlated identity 
that is dynamic not static. The ingested data elements that make up 
that identity will be subject to the records retention schedules of the 
source systems from which they came. By design, the deletion or 
correction of these elements at the appropriate time will affect the 
correlated record. For example, if a student updates his/her contact 
information, the correlation will be updated.

System Manager and address:
    Executive Director, DHS Information Sharing Environment Office, 
Department of Homeland Security, Washington, DC 20528.

Notification procedure:
    Individuals seeking notification of and access to any record 
contained in this system of records, or seeking to contest its content, 
may submit a request in writing to the Headquarters FOIA Officer, whose 
contact information can be found on the Department's official Web site 
at http://www.dhs.gov/foia under ``Contacts.'' The individual may 
submit the request to the Chief Privacy Officer and Chief Freedom of 
Information Act Officer, Department of Homeland Security, 245 Murray 
Drive, SW., Building 410, STOP-0655, Washington, DC 20528.
    When seeking records about yourself from this system of records or 
any other Departmental system of records, your request must conform 
with the Privacy Act regulations set forth in 6 CFR part 5. You must 
first verify your identity, meaning that you must provide your full 
name, current address, and date and place of birth. You must sign your 
request, and your signature must either be notarized or submitted under 
28 U.S.C. 1746, a law that permits statements to be made under penalty 
of perjury as a substitute for notarization. While no specific form is 
required, you may obtain forms for this purpose from the Chief Privacy 
Officer and Chief Freedom of Information Act Officer, on the 
Department's official Web site at http://www.dhs.gov/foia or by calling 
toll free 1-866-431-0486. In addition, you should:
     Explain why you believe the Department would have 
information on you; and
     Specify when you believe the records would have been 
created.
    If seeking records pertaining to another living individual, include 
a statement from that individual certifying his/her agreement for you 
to access his/her records.
    Without the above information, DHS may not be able to conduct an 
effective search, and your request may be denied due to lack of 
specificity or lack of compliance with applicable regulations.

Record access procedures:
    See ``Notification procedure'' above.

Contesting record procedures:
    See ``Notification procedure'' above.

Record source categories:
    Initially, DHS will use the following source data sets to populate 
CEI Prototype: (1) CBP's ESTA, covered by the DHS/CBP-009--Electronic 
System for Travel Authorization (ESTA) SORN (July 30, 2012, 77 FR 
44642); (2) ICE's SEVIS, covered by the DHS/ICE-001--Student and 
Exchange Visitor Information System SORN (January 5, 2010, 75 FR 412); 
and (3) TSA's AFS, covered by the DHS/TSA-002--Transportation Security 
Threat Assessment System SORN (May 19,

[[Page 52556]]

2010, 75 FR 28046). If additional data sets are added to CEI Prototype, 
this SORN will be updated. If deployed for operational use, additional 
data sources may be used. DHS will update this SORN or issue a new SORN 
prior to the operational use of the system.

Exemptions claimed for the system:
    The records maintained in the CEI Prototype are the non-exempt 
portions of the records in the source systems because the information 
ingested into the CEI Prototype is the information provided directly by 
the individual for the requested benefit. When a record received from 
another system has been exempted in that source system under
    5 U.S.C. 552a(j)(2) or (k)(1), (k)(2), or (k)(5), DHS will claim 
the same exemptions for those records that are claimed for the original 
primary systems of records from which they originated.

    Dated: August 14, 2013.
Jonathan R. Cantor,
Acting Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2013-20635 Filed 8-22-13; 8:45 am]
BILLING CODE P