WASHINGTON — If you think the Department of Homeland Security has violated your privacy, you can file a complaint. But be aware: Filing a privacy complaint requires that you submit your personal information to one more government system of records, where the data will remain on file for up to seven years.
In the post-Sept. 11 world, the federal government underwent a major overhaul of its national security apparatus, perhaps most visibly manifest in the creation of the Department of Homeland Security. With broad new powers in the areas of surveillance and data acquisition, DHS included a Privacy Office in order to “protect the privacy of all individuals.”
In addition to providing expertise on privacy law and input on privacy concerns across the federal bureaucracy, the office fields privacy complaints and works to address concerns brought by citizens, organizations or members of Congress on behalf of constituents. It is also responsible for conducting privacy impact assessments, mandatory reviews of any IT system deemed to have implications for individuals’ personal privacy.
Last fall, DHS launched the Complaint Tracking System, aimed at increasing efficiency in addressing privacy complaints. In doing so, it also set up one more repository of personally identifiable information of American citizens. Ironically, DHS was compelled to issue a privacy impact assessment for its privacy complaint tracker.
The purpose of the database is relatively benign; the hope is that the system will allow the Privacy Office to respond to complaints more quickly and thoroughly. Deputy Chief Privacy Officer John Kropf said CTS has “absolutely” done that. Kropf said prior to CTS’s implementation, the Privacy Office operated a paper system, keeping complainants’ records in file cabinets.
“We have really grown in our ability to do more public outreach and the public has become more aware of our mission and what we do, so CTS was intended to bring us into maturity and become more efficient in handling those requests,” he said.
In most instances, submission of a complaint commits the individual’s data to seven years in the CTS database. The retention does raise questions when examined under the dictates of the “Fair Information Practice Principles,” eight privacy tenets set out in the Privacy Act of 1974. Regarding data minimization, the principle to be observed is to “only collect PII (personally identifiable information) that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).”
While it makes sense that collection of personal data might be necessary to facilitate timely correspondence, questions remain concerning the seven-year retention of that information.
“The longer you maintain stores of data, the greater the risk of that information getting into the wrong hands,” said David Sobel, senior counsel of the Electronic Frontier Foundation, a privacy advocacy group.
Following passage of the Implementing Recommendations of the 9/11 Commission Act of 2007, the Privacy Office was required to report “periodically” on complaints received and their management. The CTS was created in part to assist in fulfilling these reporting requirements.
Based on these quarterly reports, it is difficult to say yet whether the CTS is bringing greater efficiency in resolving complainants’ issues; in the first quarter under the new system, the Privacy Office received only 68 complaints, significantly fewer than the average of 294 complaints per quarter over the year prior to CTS’s implementation.
As it attempts to fulfill its mandate to “protect the privacy of all individuals,” the DHS Privacy Office “runs against the grain of the culture” of the majority of the department, according to Sobel.
“There’s sort of an inevitable conflict there,” he said. “And unfortunately, I think the bulk of the agency tends to be behind those interests that support the greatest amount of information collection possible, and any individual or entity who argues for restricting the collections of information is fighting an uphill battle.”
Kropf said the DHS Privacy Office has help in pursuing privacy protections for Americans.
“Part of what we have done over the years is built relationships with other privacy officers in other departments,” he said. “There are other privacy officials embedded within those departments that know how to get things done and know how to help us resolve issues.”
