[Federal Register Volume 87, Number 132 (Tuesday, July 12, 2022)]
[Notices]
[Pages 41338-41343]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-14789]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. DHS-2022-USCBP-2022-0007]


Privacy Act of 1974; System of Records

AGENCY: U.S. Customs and Border Protection, Department of Homeland 
Security.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, the Department of 
Homeland Security (DHS) proposes to modify and reissue a current DHS 
system of records titled, ``DHS/U.S. Customs and Border Protection 
(CBP)-009 Electronic System for Travel Authorization System of 
Records.'' The Electronic System for Travel Authorization (ESTA) system 
is a web-based system used to determine the eligibility of 
international travelers to travel to the United States under the Visa 
Waiver Program (VWP).\1\ DHS/CBP is updating this system of records to 
(1) reflect the expansion of the categories of records to include the 
collection of photographs, (2) clarify the retention schedule, and (3) 
remove references to the I-94W, ``Nonimmigrant Visa Waiver Arrival/
Departure Record''. The exemptions for the existing system of records 
notice will continue to be applicable for this updated system of 
records notice. This modified system of records notice will be included 
in the DHS's inventory of record systems.
---------------------------------------------------------------------------

    \1\ The Visa Waiver Program (VWP), administered by DHS in 
consultation with the State Department, permits citizens of 40 
countries to travel to the United States for business or tourism for 
stays of up to 90 days without a visa. In return, those 40 countries 
must permit U.S. citizens and nationals to travel to their countries 
for a similar length of time without a visa for business or tourism 
purposes.

DATES: Submit comments on or before August 11, 2022. This modified 
system will be effective upon publication. New or modified routine uses 
---------------------------------------------------------------------------
will be effective August 11, 2022.

ADDRESSES: You may submit comments, identified by docket number USCBP-
2022-0007 by one of the following methods:
     Federal e-Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Fax: 202-343-4010.
     Mail: Lynn Parker Dupree, Chief Privacy Officer, Privacy 
Office, Department of Homeland Security, Washington, DC 20528-0655.
    Instructions: All submissions received must include the agency name 
and docket number USCBP-2022-0007. All comments received will be posted 
without change to http://www.regulations.gov, including any personal 
information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: For general questions, please contact: 
Debra L. Danisek, (202) 344-1610, [email protected], CBP Privacy 
Officer, Privacy and Diversity Office, 1300 Pennsylvania Avenue NW, 
Washington, DC 20229. For privacy questions, please contact: Lynn 
Parker Dupree, (202) 343-1717, [email protected], Chief Privacy 
Officer, Privacy Office, Department of Homeland Security, Washington, 
DC 20528-0655.

SUPPLEMENTARY INFORMATION:

I. Background

    In accordance with the Privacy Act of 1974, the Department of 
Homeland Security (DHS) proposes to update and reissue a current 
Department of Homeland Security system of records titled, ``DHS/United 
States Customs and

[[Page 41339]]

Border Protection (CBP)-009 Electronic System for Travel Authorization 
(ESTA) System of Records.'' On August 3, 2007, the President signed 
into law the Implementing Recommendations of the 9/11 Commission Act of 
2007 (9/11 Act).\2\ Section 711 of the 9/11 Act required that the 
Secretary of Homeland Security, in consultation with the Secretary of 
State, develop and implement a fully automated electronic travel 
authorization system to collect biographical and other information as 
the Secretary determines necessary to evaluate, in advance of travel, 
the eligibility of the applicant to travel to the United States under 
the Visa Waiver Program (VWP), and whether such travel poses a law 
enforcement or security risk.\3\ Prior to implementing the Electronic 
System for Travel Authorization (ESTA), international travelers from 
VWP countries were not evaluated, in advance of travel, for eligibility 
to travel to the United States under the VWP.
---------------------------------------------------------------------------

    \2\ See Public Law 110-53.
    \3\ See 8 U.S.C. 1187(h)(3)(A).
---------------------------------------------------------------------------

    DHS/CBP created the ESTA system to collect information from 
individuals intending to travel under the VWP, as well as 
representatives who submit information on behalf of the applicant. The 
ESTA application requests the intended traveler's name, country of 
birth and citizenship, date of birth, gender, travel document 
information, contact information (e.g., phone, email address), 
voluntary submission of social media information, family information, 
employment information, and destination address, as well as responses 
to questions related to an applicant's eligibility to travel under the 
VWP.
    Upon submission, DHS/CBP vets the application against selected 
security and law enforcement databases as well as publicly available 
sources, such as social media. The results of this vetting help to 
inform DHS/CBP's assessment of whether the traveler poses a law 
enforcement or security risk and whether the application should be 
approved. ESTA authorizations can take up to 72 hours to be complete. 
However, DHS/CBP is generally able to approve/deny an ESTA 
authorization within a much shorter time frame. If the ESTA application 
is denied, the applicant is not eligible to travel to the United States 
under the VWP.\4\ If the application is approved, the approval 
establishes that the applicant is eligible to travel to the United 
States under the VWP but does not guarantee that he or she is 
admissible to the United States. Upon arrival to a United States port 
of entry, the VWP traveler will be subject to an inspection by a CBP 
officer who may determine that the traveler is inadmissible under 
section 212 of the Immigration and Nationality Act (INA) and deny entry 
under the VWP. ESTA travel authorizations are generally valid for two 
years from the date of authorization, or until the VWP traveler's 
passport expires, whichever comes first. An ESTA approval provides 
authorization for the traveler to travel to the United States for 
multiple trips over a period of two years, generally eliminating the 
need for a traveler to reapply during the validity period unless the 
traveler fails to meet the requirements of the VWP, or the ESTA 
approval is revoked.
---------------------------------------------------------------------------

    \4\ Applicants denied a travel authorization to the United 
States via ESTA may still apply for a nonimmigrant visa from the 
U.S. Department of State at a U.S. Embassy or Consulate.
---------------------------------------------------------------------------

    DHS/CBP is publishing this modified system of records to make 
changes for transparency.
    DHS/CBP is expanding the category of records to include 
photographs. As part of the ESTA application process, DHS/CBP collects 
applicant photographs, which may include both the passport photograph 
and/or a ``selfie,'' if submitting the ESTA application via the mobile 
application. As described above, the ESTA application requires several 
key pieces of biographic information, which can be found on the 
passport biographic data page (e.g., name, date and place of birth, 
country of citizenship). Applicants and representatives capture \5\ or 
upload \6\ a picture of the passport biographic data page to include 
the photograph or retrieve \7\ the photograph from the passports eChip 
into the application. Applicants (or their representative) submit the 
passport photograph for identity verification and vetting purposes. 
DHS/CBP stores the image of the passport biographic data page for 
identity verification and reconciliation purposes. Photographs 
retrieved using the passport eChip are compared against a separate 
``selfie'' that is required for mobile application submissions. The 
``selfie'' undergoes a ``liveness'' test to determine that it is a real 
person--not a picture of a person.\8\ Using CBP's Traveler Verification 
System (TVS) facial matching algorithms, CBP compares the ``selfie'' 
with the passport photograph to conduct a 1-to-1 match to confirm 
whether the identities in the two photographs match.\9\ Photographs, 
regardless of submission method, are stored in the ESTA system 
consistent with the ESTA retention schedule.
---------------------------------------------------------------------------

    \5\ To capture a photograph of the passport's biographic data 
page, the applicant or representative must use a device with a 
camera, such as an Android or an iOS device.
    \6\ If a camera is not detected on the device, the applicant or 
representative has the option to upload a pre-scanned image in .gif, 
.png, .jpg, or .jpeg file format.
    \7\ If the applicant submits the application through a mobile 
device, he or she can place the mobile device near the passport's 
eChip to enable the Near Field Communication (NFC). NFC is used for 
contactless exchange of data over short distances. Two NFC-capable 
devices are connected via a point-to-point contact over a short 
distance. This connection can be used to exchange data between 
devices.
    \8\ Liveness detection relies on algorithms to analyze facial 
images to determine whether the image is of a live human being or of 
a reproduction of that person (e.g., a photograph of the person).
    \9\ CBP's TVS is an accredited information technology system 
consisting of a group of similar systems and subsystems that support 
the core functioning and transmission of data between CBP 
applications and partner interfaces. Since early 2017, CBP has used 
the TVS as its backend matching service for all biometric entry and 
exit operations that use facial recognition, regardless of air, 
land, or sea. See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. CUSTOMS 
AND BORDER PROTECTION, PRIVACY IMPACT ASSESSMENT FOR THE DHS/CBP/
PIA-056 TRAVELER VERIFICATION SERVICE, available at https://www.dhs.gov/privacydocuments-us-customs-and-border-protection.
---------------------------------------------------------------------------

    DHS/CBP is also updating this notice to clarify the retention 
schedule for the data. The overall retention does not change, but DHS/
CBP is more clearly documenting that these records are retained for 15 
years.
    Finally, DHS/CBP is also removing references to the I-94W, 
``Nonimmigrant Visa Waiver Arrival/Departure Record,'' since the I-94W 
is not processed in ESTA. The I-94W is separately covered under the 
DHS/CBP-016 Nonimmigrant Information System, 80 FR 13398 (March 13, 
2015).
    Consistent with DHS's information sharing mission, information 
stored in the DHS/CBP-009 ESTA system of records may be shared with 
other DHS Components that have a need to know the information to carry 
out their national security, law enforcement, immigration, 
intelligence, or other homeland security functions. In addition, DHS/
CBP may share information with appropriate federal, state, local, 
tribal, territorial, foreign, or international government agencies 
consistent with the routine uses set forth in this system of records 
notice.
    This modified system will be included in DHS's inventory of record 
systems.

II. Privacy Act

    The Privacy Act embodies fair information practice principles in a 
statutory framework governing the means by which Federal Government 
agencies collect, maintain, use, and disseminate individuals' records. 
The

[[Page 41340]]

Privacy Act applies to information that is maintained in a ``system of 
records.'' A ``system of records'' is a group of any records under the 
control of an agency from which information is retrieved by the name of 
an individual or by some identifying number, symbol, or other 
identifying particular assigned to the individual. In the Privacy Act, 
an individual is defined to encompass U.S. citizens and lawful 
permanent residents. Additionally, the Judicial Redress Act (JRA) 
provides covered persons with a statutory right to make requests for 
access and amendment to covered records, as defined by the JRA, along 
with judicial review for denials of such requests. In addition, the JRA 
prohibits disclosures of covered records, except as otherwise permitted 
by the Privacy Act.
    Below is the description of the DHS/CBP-009 Electronic System for 
Travel Authorization System of Records.
    In accordance with 5 U.S.C. 552a(r), DHS has provided a report of 
this system of records to the Office of Management and Budget and to 
Congress.

SYSTEM NAME AND NUMBER:
    Department of Homeland Security (DHS)/U.S. Customs and Border 
Protection (CBP)-009 Electronic System for Travel Authorization (ESTA) 
System of Records.

SECURITY CLASSIFICATION:
    Unclassified and classified. The data may be retained on classified 
networks, but this does not change the nature and character of the data 
until it is combined with classified information.

SYSTEM LOCATION:
    Records are maintained at the DHS/CBP Headquarters in Washington, 
DC, and field offices. Records are replicated from the operational 
system and maintained on the DHS unclassified and classified networks 
to allow for analysis and vetting consistent with the stated uses, 
purposes, and routine uses published in this notice.

SYSTEM MANAGER(S):
    Director, ESTA Program Management Office, [email protected], U.S. 
Customs and Border Protection Headquarters, 1300 Pennsylvania Avenue 
NW, Washington, DC 20229.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title IV of the Homeland Security Act of 2002, 6 U.S.C. 201 et 
seq., the Immigration and Naturalization Act, as amended, including 8 
U.S.C. 1187(a)(11) and (h)(3), and implementing regulations contained 
in 8 CFR part 217; the Travel Promotion Act of 2009, Public Law 111-
145, 22 U.S.C. 2131.

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to collect and maintain a record of 
applicants who want to travel to the United States under the VWP, and 
to determine whether applicants are eligible to travel to and enter the 
United States under the VWP. The information provided through ESTA, 
including information about other persons included on the ESTA 
application, is vetted against various security and law enforcement 
databases to identify those applicants who pose a security risk to the 
United States and to inform CBP's decision to approve or deny the 
applicant's ESTA application.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Categories of individuals covered by this system include (1) 
individuals who wish to travel to the United States under the VWP and 
apply for an ESTA travel authorization and (2) persons, including U.S. 
citizens and lawful permanent residents, whose information is provided 
by the applicant in response to ESTA application questions (e.g., point 
of contact).

CATEGORIES OF RECORDS IN THE SYSTEM:
    An ESTA application includes:
     Full name (first, middle, and last);
     Other names or aliases, if available;
     Date of birth;
     Country of birth;
     Gender;
     Email address;
     Visa numbers, Laissez-Passer numbers, or Identity card 
numbers;
     Social media identifiers, such as username(s) and 
platforms used;
     Publicly available information from social media websites 
or platforms;
     Telephone number (home, mobile, work, other);
     Home address (address, apartment number, city, state/
region);
     internet protocol (IP) address;
     ESTA application number;
     Global Entry Program Number;
     Country of residence;
     Passport information;
     Department of Treasury Pay.gov payment tracking number 
information;
     Countries of citizenship and nationality;
     National identification number, if available;
     Address while visiting the United States;
     Emergency point of contact information;
     U.S. Point of Contact information;
     Parents' names;
     Current and previous employer information; and,
     Photograph(s).
    The categories of records in ESTA also include responses to 
questions related to the following:
    [cir] History of mental or physical disorders, drug abuse or 
addiction,\10\ and current communicable diseases,\11\ fevers, and 
respiratory illnesses;
---------------------------------------------------------------------------

    \10\ Immigration and Nationality Act (INA) 212(a)(1)(A). 
Pursuant to INA 212(a), aliens may be inadmissible to the United 
States if they have a physical or mental disorder and behavior 
associated with the disorder that may pose, or has posed, a threat 
to the property, safety, or welfare of the alien or others, or (ii) 
to have had a physical or mental disorder and a history of behavior 
associated with the disorder, which behavior has posed a threat to 
the property, safety, or welfare of the alien or others and which 
behavior is likely to recur or to lead to other harmful behavior, or 
are determined (in accordance with regulations prescribed by the 
Secretary of Health and Human Services) to be a drug abuser or 
addict.
    \11\ Consistent with 42 CFR 34.2, DHS/CBP revised the ESTA 
application to reflect the current quarantinable, communicable 
diseases specified by any Presidential Executive Order under Section 
361(b) of the Public Health Service (PHS) Act (42 U.S.C. 264). 
Executive Order 13295 of April 4, 2003, as amended by Executive 
Order 13375 of April 1, 2005, and Executive Order 13674 of July 31, 
2014, contains the most recent list of quarantinable, communicable 
diseases. COVID-19 is a quarantinable disease as it falls within the 
scope of ``severe acute respiratory syndromes'' which are designated 
as quarantinable pursuant to Executive Order 13674. As such, COVID-
19 was added to the list of diseases an individual must attest to 
not having to be eligible to travel to the United States.
---------------------------------------------------------------------------

    [cir] Past arrests, criminal convictions, or illegal drug 
violations;
    [cir] Previous engagement in terrorist activities, espionage, 
sabotage, or genocide;
    [cir] History of fraud or misrepresentation;
    [cir] Previous unauthorized employment in the United States;
    [cir] Past denial of visa, or refusal or withdrawal of application 
for admission at a U.S. port of entry;
    [cir] Previous overstay of authorized admission period in the 
United States;
    [cir] Travel history and information relating to prior travel to or 
presence in Iraq or Syria, a country designated as a state sponsor of 
terrorism, or another country or area of concern; \12\ and,
---------------------------------------------------------------------------

    \12\ INA 212(a)(12); 8 U.S.C. 1187(a)(12).
---------------------------------------------------------------------------

    [cir] Citizenship and nationality information, with additional 
detail required for nationals of certain identified countries of 
concern.

RECORD SOURCE CATEGORIES:
    DHS/CBP obtains records from applicants or representatives (e.g., 
friend, relative, travel industry professional), through the online 
ESTA application available at https://esta.cbp.dhs.gov/esta/or a mobile 
application. As part of the vetting

[[Page 41341]]

process, DHS/CBP may also use information obtained from publicly 
available sources, including social media, and law enforcement and 
national security records from appropriate federal, state, local, 
international, tribal, or foreign governmental agencies or multilateral 
governmental organizations to assist in determining ESTA eligibility. 
This information is stored separate from information collected as part 
of the ESTA application.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:

    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DHS as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To the Department of Justice (DOJ), including the U.S. Attorneys 
Offices, or other federal agency conducting litigation or proceedings 
before any court, adjudicative, or administrative body, when it is 
relevant or necessary to the litigation and one of the following is a 
party to the litigation or has an interest in such litigation:
    1. DHS or any component thereof;
    2. Any employee or former employee of DHS in his/her official 
capacity;
    3. Any employee or former employee of DHS in his/her individual 
capacity, only when DOJ or DHS has agreed to represent the employee; or
    4. The United States or any agency thereof.
    B. To a congressional office from the record of an individual in 
response to an inquiry from that congressional office made at the 
request of the individual to whom the record pertains.
    C. To the National Archives and Records Administration (NARA) or 
General Services Administration pursuant to records management 
inspections being conducted under the authority of 44 U.S.C. 2904 and 
2906.
    D. To an agency or organization for the purpose of performing audit 
or oversight operations as authorized by law, but only such information 
as is necessary and relevant to such audit or oversight function.
    E. To appropriate agencies, entities, and persons when (1) DHS 
suspects or has confirmed that there has been a breach of the system of 
records; (2) DHS has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, DHS (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with DHS's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    F. To another federal agency or federal entity, when DHS determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    G. To an appropriate federal, state, tribal, local, international, 
or foreign law enforcement agency or other appropriate authority 
charged with investigating or prosecuting a violation or enforcing or 
implementing a law, rule, regulation, or order, where CBP believes the 
information would assist enforcement of applicable civil or criminal 
laws and such disclosure is proper and consistent with the official 
duties of the person making the disclosure.
    H. To contractors and their agents, grantees, experts, consultants, 
and others performing or working on a contract, service, grant, 
cooperative agreement, or other assignment for DHS, when necessary to 
accomplish an agency function related to this system of records. 
Individuals provided information under this routine use are subject to 
the same Privacy Act requirements and limitations on disclosure as are 
applicable to DHS officers and employees.
    I. To appropriate federal, state, local, tribal, or foreign 
governmental agencies or multilateral governmental organizations for 
the purpose of protecting the vital health interests of a data subject 
or other persons (e.g., to assist such agencies or organizations in 
preventing exposure to or transmission of a communicable or 
quarantinable disease or to combat other significant public health 
threats; appropriate notice will be provided of any identified health 
threat or risk).
    J. To appropriate federal, state, local, tribal, or foreign 
governmental agencies or multilateral governmental organizations, with 
the approval of the Chief Privacy Officer, when DHS is aware of a need 
to use relevant data, that relate to the purpose(s) stated in this 
SORN, for purposes of testing new technology.
    K. To third parties during the course of a law enforcement 
investigation to the extent necessary to obtain information pertinent 
to the investigation, provided disclosure is appropriate in the proper 
performance of the official duties of the officer making the 
disclosure.
    L. To a federal, state, tribal, local, international, or foreign 
government agency or entity for the purpose of consulting with that 
agency or entity: (1) to assist in making a determination regarding 
redress for an individual in connection or program; (2) for the purpose 
of verifying the identity of an individual seeking redress in 
connection with the operations of a DHS Component or program; or (3) 
for the purpose of verifying the accuracy of information submitted by 
an individual who has requested such redress on behalf of another 
individual.
    M. To a federal, state, tribal, local, international, or foreign 
government agency or entity in order to provide relevant information 
related to intelligence, counterintelligence, or counterterrorism 
activities authorized by U.S. law, Executive Order, or other applicable 
national security directive.
    N. To the Department of State in the processing of petitions or 
applications for benefits under the Immigration and Nationality Act, 
and all other immigration and nationality laws including treaties and 
reciprocal agreements.
    O. To an organization or individual in either the public or private 
sector, either foreign or domestic, when there is a reason to believe 
that the recipient is or could become the target of a particular 
terrorist activity or conspiracy, to the extent the information is 
relevant to the protection of life or property.
    P. To the carrier transporting an individual to the United States, 
prior to travel, in response to a request from the carrier, to verify 
an individual's travel authorization status.
    Q. To the Department of Treasury's Pay.gov, for payment processing 
and payment reconciliation purposes.
    R. To a court, magistrate, or administrative tribunal in the course 
of presenting evidence, including disclosures to opposing counsel or 
witnesses in the course of civil discovery, litigation, or settlement 
negotiations, or in connection with criminal law proceedings.
    S. To the Department of Treasury's Office of Foreign Assets Control 
(OFAC) for inclusion on the publicly issued List of Specially 
Designated Nationals and Blocked Persons (SDN List) of

[[Page 41342]]

individuals and entities whose property and interests in property are 
blocked or otherwise affected by one or more OFAC economic sanctions 
programs, as well as information identifying certain property of 
individuals and entities subject to OFAC economic sanctions programs.
    T. To the news media and the public, with the approval of the Chief 
Privacy Officer in consultation with counsel, when there exists a 
legitimate public interest in the disclosure of the information, when 
disclosure is necessary to preserve confidence in the integrity of DHS, 
or when disclosure is necessary to demonstrate the accountability of 
DHS's officers, employees, or individuals covered by the system, except 
to the extent the Chief Privacy Officer determines that release of the 
specific information in the context of a particular case would 
constitute a clearly unwarranted invasion of personal privacy.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    DHS/CBP stores records in this system electronically or on paper in 
secure facilities in a locked drawer behind a locked door. The records 
may be stored on magnetic disc, tape, and digital media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    DHS/CBP may retrieve records by any of the data elements supplied 
by the applicant or representative.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The retention of ESTA records is covered by National Archives and 
Records Administration DAA-0568-2019-0006. Application information 
submitted to ESTA, including the photographs, is retained for 15 years. 
DHS/CBP ingests ESTA application data into other DHS/CBP systems for 
vetting purposes and is stored in accordance with those system's 
respective retention periods. For example, ESTA information is ingested 
into the Automated Targeting System (ATS) and is retained for 15 years 
and is also ingested into TECS where it is retained for 75 years, 
consistent with those systems' retention schedules. These retention 
periods are based on DHS/CBP's historical encounters with suspected 
terrorists and other criminals, as well as the broader expertise of the 
law enforcement and intelligence communities. It is well known, for 
example, that potential terrorists may make multiple visits to the 
United States in advance of performing an attack. It is over the course 
of time and multiple visits that a potential risk becomes clear. Travel 
records, including historical records, are essential in assisting DHS/
CBP officers with their risk-based assessment of travel indicators and 
identifying potential links between known and previously unidentified 
terrorist facilitators. Analyzing the records for these purposes allows 
DHS/CBP to continue to effectively identify suspect travel patterns and 
irregularities. If the record is linked to active law enforcement 
lookout records, DHS/CBP matches to enforcement activities, and/or 
investigations or cases (i.e., specific and credible threats; flights, 
travelers, and routes of concern; or other defined sets of 
circumstances), the record will remain accessible for the life of the 
law enforcement matter to support that activity and other enforcement 
activities that may become related.
    Payment information is not stored in ESTA but is forwarded to 
Pay.gov and stored in DHS/CBP's financial processing system, Credit/
Debit Card Data system, pursuant to the DHS/CBP-003 Credit/Debit Card 
Data System of Records Notice, 76 FR 67755 (November 2, 2011). When a 
VWP traveler's ESTA data is used for purposes of processing his or her 
application for admission to the United States, the ESTA data will be 
used to create a corresponding admission record in the DHS/CBP-016 Non-
Immigrant Information System (NIIS), 80 FR 13398 (March 13, 2015). This 
corresponding admission record will be retained in accordance with the 
NIIS retention schedule, which is 75 years.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    DHS/CBP safeguards records in this system according to applicable 
rules and policies, including all applicable DHS automated systems 
security and access policies. DHS/CBP has imposed strict controls to 
minimize the risk of compromising the information that is being stored. 
Access to the computer system containing the records in this system is 
limited to those individuals who have a need to know the information 
for the performance of their official duties and who have appropriate 
clearances or permissions.

RECORD ACCESS PROCEDURES:
    Applicants may access their ESTA information to view and amend 
their applications by providing their ESTA number, birth date, and 
passport number. Once they have provided their ESTA number, birth date, 
and passport number, applicants may view their ESTA status (authorized 
to travel, not authorized to travel, pending) and submit limited 
updates to their travel itinerary information. If an applicant does not 
know his or her application number, he or she can provide his or her 
name, passport number, date of birth, and passport issuing country to 
retrieve his or her application number.
    In addition, ESTA applicants and other individuals whose 
information is included on ESTA applications may submit requests and 
receive information maintained in this system as it relates to data 
submitted by or on behalf of a person who travels to the United States 
and crosses the border, as well as, for ESTA applicants, the resulting 
determination (authorized to travel, pending, or not authorized to 
travel). However, the Secretary of Homeland Security has exempted 
portions of this system from certain provisions of the Privacy Act 
related to providing the accounting of disclosures to individuals 
because it is a law enforcement system. DHS/CBP will, however, consider 
individual requests to determine whether information may be released. 
In processing requests for access to information in this system, DHS/
CBP will review the records in the operational system and coordinate 
with DHS to ensure that records that were replicated on the 
unclassified and classified networks, are reviewed, and based on this 
notice provide appropriate access to the information.
    Individuals seeking access to and notification of any record 
contained in this system of records, or seeking to contest its content, 
may submit a request in writing to the Chief Privacy Officer and 
Headquarters Freedom of Information Act (FOIA) Officer whose contact 
information can be found at http://www.dhs.gov/foia under ``Contact 
Information.'' If an individual believes more than one component 
maintains Privacy Act records concerning him or her, the individual may 
submit the request to the Chief Privacy Officer and Chief Freedom of 
Information Act Officer, Department of Homeland Security, Washington, 
DC 20528-0655, or electronically at https://www.dhs.gov/freedom-information-act-foia. Even if neither the Privacy Act nor the Judicial 
Redress Act provide a right of access, certain records about you may be 
available under the Freedom of Information Act.
    When an individual is seeking records about himself or herself from 
this system of records or any other Departmental system of records, the 
individual's request must conform with the Privacy Act regulations set 
forth in 6 CFR part 5. The individual must first verify his/her 
identity, meaning that the

[[Page 41343]]

individual must provide his/her full name, current address, and date 
and place of birth. The individual must sign the request, and the 
individual's signature must either be notarized or submitted under 28 
U.S.C. 1746, a law that permits statements to be made under penalty of 
perjury as a substitute for notarization. An individual may obtain more 
information about this process at http://www.dhs.gov/foia or 1-866-431-
0486. In addition, the individual should:
     Explain why he or she believes the Department would have 
information being requested;
     Identify which component(s) of the Department he or she 
believes may have the information;
     Specify when the individual believes the records would 
have been created; and
     Provide any other information that will help the FOIA 
staff determine which DHS component agency may have responsive records.
    If the request is seeking records pertaining to another living 
individual, the request must include an authorization from the 
individual whose record is being requested, authorizing the release to 
the requester.
    Without the above information, the component(s) may not be able to 
conduct an effective search, and the individual's request may be denied 
due to lack of specificity or lack of compliance with applicable 
regulations.

CONTESTING RECORD PROCEDURES:
    See ``Record Access Procedures'' above.

NOTIFICATION PROCEDURES:
    See ``Record Access Procedures'' above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    Pursuant to 6 CFR part 5, Appendix C, when this system receives a 
record from another system exempted in that source system under 5 
U.S.C. 552a(j) or (k), DHS will claim the same exemptions for those 
records that are claimed for the original primary systems of records 
from which they originated and claims any additional exemptions set 
forth here. For instance, as part of the vetting process, this system 
may incorporate records from CBP's ATS, and all of the exemptions for 
CBP's Automated Targeting System SORN, described and referenced herein, 
carry forward and will be claimed by DHS/CBP. As such, law enforcement 
and other derogatory information covered in this system are exempt from 
5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3), and (4); (e)(1), (2), 
(3), (4)(G) through (I), (e)(5), and (8); (f); and (g) of the Privacy 
Act pursuant to 5 U.S.C. 552a(j)(2). Additionally, the Secretary of 
Homeland Security has exempted this system from the following 
provisions of the Privacy Act, pursuant to 5 U.S.C. 552a(k)(1) and 
(k)(2): 5 U.S.C. 552a(c)(3); (d)(1), (d)(2), (d)(3), and (d)(4); 
(e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I); and (f).
    DHS/CBP is not taking any exemption from subsection (d) with 
respect to information maintained in the system as it relates to data 
submitted by or on behalf of a person, as part of the application 
process, who travels to visit the United States and crosses the border, 
nor shall an exemption be asserted with respect to the resulting 
determination (authorized to travel, pending, or not authorized to 
travel). However, pursuant to 5 U.S.C. 552a(j)(2), DHS/CBP plans to 
exempt such information in this system from sections (c)(3), (e)(8), 
and (g) of the Privacy Act of 1974, as amended, as is necessary and 
appropriate to protect this information. Further, DHS will claim 
exemption from section (c)(3) of the Privacy Act of 1974, as amended, 
pursuant to 5 U.S.C. 552a(k)(2) as is necessary and appropriate to 
protect this information. CBP will not disclose the fact that a law 
enforcement or intelligence agency has sought particular records 
because it may affect ongoing law enforcement activities.

HISTORY:
    84 FR 30746 (June 27, 2019); 81 FR 60713 (September 2, 2016); 81 FR 
39680 (June 17, 2016); 81 FR 8979 (February 23, 2016); 79 FR 65414 
(November 4, 2014); 77 FR 44642 (July 30, 2012); 76 FR 67751 (November 
2, 2011); 73 FR 32720 (June 10, 2008).
* * * * *

Lynn P. Dupree,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2022-14789 Filed 7-11-22; 8:45 am]
BILLING CODE 9111-14-P