AGENCY:

Privacy Office, DHS.

ACTION:

Final rule.

SUMMARY:

The Department of Homeland Security is issuing a final rule to amend its regulations to exempt portions of a newly established system of records titled “Department of Homeland Security Office of Operations Coordination and Planning-003 Operations Collection, Planning, Coordination, Reporting, Analysis, and Fusion System of Records” from certain provisions of the Privacy Act. Specifically, the Department exempts portions of the system of records from one or more provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements.

DATES:

Effective Date: This final rule is effective June 7, 2012.

FOR FURTHER INFORMATION CONTACT:

For general questions please contact: Michael Page (202-357-7626), Privacy Point of Contact, Office of Operations Coordination and Planning, Department of Homeland Security, Washington, DC 20528. For privacy issues please contact: Mary Ellen Callahan (703-235-0780), Chief Privacy Officer, Privacy Office, Department of Homeland Security, Washington, DC 20528.

SUPPLEMENTARY INFORMATION:

Background

The Department of Homeland Security (DHS) Office of Operations Coordination and Planning (OPS) published a notice of proposed rulemaking (NPRM) in the Federal Register, on November 15, 2010 at 75 FR 69604, proposing to exempt portions of the system of records from one or more provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements. The system of records is titled, “DHS/OPS-003 Operations Collection, Planning, Coordination, Reporting, Analysis, and Fusion System of Records.” The DHS/OPS-003 Operations Collection, Planning, Coordination, Reporting, Analysis, and Fusion system of records notice (SORN) was published concurrently in the Federal Register on November 15, 2010 at 75 FR 69689, and comments were invited on both the NPRM and SORN.

Public Comments

DHS/OPS received three comments on the NPRM and three comments on the SORN for a total of six comments.

Comments on the NPRM

DHS/OPS received three comments on the NPRM. The first NPRM comment was from an anonymous individual seeking to state an opinion and requested no specific action or amendment related to the proposed rulemaking. The second NPRM comment was from an anonymous individual supporting the proposed rulemaking. The third NPRM comment was from a public interest organization that filed comments on the NPRM and SORN jointly in a comingled fashion and the comments on the SORN and NPRM are addressed as the second SORN comment below.

Comments on the SORN

DHS/OPS also received three comments on the SORN. The first SORN comment was from a media and academic partnership and included the following points: (1) It is difficult for the public to comment on the merits of the proposed rulemaking because so little information is available on fusion centers; (2) the government has failed to make available information requested under FOIA (an issue unrelated to this proposed rulemaking); (3) the proposed system does not adequately protect the public's privacy; (4) the new system will impose significant costs (an issue unrelated to this proposed rulemaking); (5) there is fusion center mission creep (an issue unrelated to this proposed rulemaking); and (6) there are privacy violations in fusion center guidelines (an issue unrelated to this proposed rulemaking). Many of the points raised by this commenter were unrelated to the proposed rulemaking, but the Department will address the above comments in whole. The commenter states that there is “insufficient public information available on fusion centers for the public to adequately evaluate the effect of the proposed information collection system” and “the expense, mission creep, and privacy effects of the proposed database.” In response to the issues raised by this commenter regarding fusion centers: (1) Information on fusion centers can be found on the Department's Web page at www.dhs.gov and in the DHS/ALL/PIA-011 Department of Homeland Security State, Local, and Regional Fusion Center Initiative Privacy Impact Assessment (PIA), December 11, 2008. This PIA provides a detailed discussion and privacy analysis on fusion centers and is available at www.dhs.gov/​privacy;​; (2) the Department is and will continue to be responsive to FOIA requests. FOIA requests may be sent to the Chief Privacy Officer and Chief Freedom of Information Act Officer, Department of Homeland Security, 245 Murray Drive SW., Building 410, STOP-0655, Washington, DC 20528; and (3) the privacy protections of information collected by fusion centers is covered by privacy policies of the fusion center. This DHS/OPS-003 Operations Collection, Planning, Coordination, Reporting, Analysis, and Fusion System of Records is not the system of records exclusively covering information collections by fusion centers. This system of records would only cover information sent to the NOC by fusion centers, as well as other information collections beyond information sent to the NOC by fusion centers. Components of the Department receiving information from fusion centers use their own SORNs on a component-by-component basis and those SORNs can be found at www.dhs.gov/​privacy. Each of the officially-designated and operational fusion centers have privacy policies that have been found by DHS to be “at least Start Printed Page 33606as comprehensive” as the federal guidelines for protecting privacy within the Information Sharing Environment. Many of these policies are published on the National Fusion Center Association's public Web site at http://www.nfcausa.org. With respect to points 4, 5, and 6, above these are not related to this rulemaking. This NPRM and SORN do not seek to establish a new information technology (IT) database or to collect new information; rather this NPRM and SORN provide transparency to OPS practices by pulling together a variety of already existing records for a single purpose under a specific authority. It is also worth clarifying that this NPRM and SORN do not exclusively cover fusion centers for the Department, although the National Operations Center (NOC) may receive information from a fusion center. Such information may be covered by this NPRM and SORN. Neither the NOC nor OPS is a “Fusion Center.” The purpose of this system of records and its authority are mandated by law (6 U.S.C. 321d) to be “the principal operations center for the Department of Homeland Security.” Through the NOC, OPS provides real-time situational awareness and a common operating picture to the Department's leadership and senior management.

The second SORN comment was from a public interest research center that filed comments on the NPRM and SORN jointly in a comingled fashion and both are addressed in this section. The commenter raised concerns about: (1) Unusually broad purpose; (2) unusually broad authority and sharing; (3) contradictory statements about fusion centers as state and local entities (an issue unrelated to this proposed rulemaking); (4) taking Privacy Act exemptions where disclosure from the individual is withheld; (5) removing the use of the Privacy Act exemptions that address “relevant and necessary;” (6) the new fusion center PIA (an issue unrelated to this proposed rulemaking); and (7) the new suitable retention and disposal standards. Finally, the commenter recommends the creation of an independent oversight mechanism to prevent mission creep and uphold reporting requirements (an issue unrelated to this proposed rulemaking).

In response to the comment on broad purpose, authority, and sharing of this system of records (1 and 2 above), the Department notes that the NOC is authorized by law to be “the principal operations center for the Department of Homeland Security,” (6 U.S.C. 321d) and this system of records allows the NOC to fulfill this mission. Through the NOC, OPS provides real-time situational awareness and a common operating picture to the Department leadership and senior management. The NOC operates 24 hours a day, seven days a week, and 365 days a year and coordinates information sharing to help deter, detect, and prevent terrorist acts and to manage domestic incidents. With regards to point 3, DHS is not being contradictory on the nature of fusion centers, which are state and local entities. This system of records may maintain information received from fusion centers, but only when that information is sent to the NOC by fusion centers. Additional information on fusion centers can be found on the Department's Web page at www.dhs.gov and in the DHS/ALL/PIA-011 Department of Homeland Security State, Local, and Regional Fusion Center Initiative PIA, December 11, 2008, which addresses privacy analysis on fusion centers and is available at www.dhs.gov/​privacy.

DHS' decision to take exemptions to the Privacy Act (point 4) are appropriate given the law enforcement nature of the collection and the concern that providing access may give individuals the ability to contravene legitimate law enforcement activities. DHS also notes that as a matter of policy it reviews all Privacy Act requests to determine whether or not it can provide access to the information. With regards to the comments concerns regarding exemptions from the “relevant and necessary” standard (point 5), sufficient means do exist to verify the accuracy of the data and ensure that incorrect data is not used against an individual. System users are trained to verify information obtained from the NOC before including it in any analytical reports. Verification procedures include direct queries to the source databases from which the information was originally obtained, queries of commercial or other government databases when appropriate, and interviews with individuals or others who are in a position to confirm the data. These procedures mitigate the risk posed by inaccurate data in the system and raise the probability that such data will be identified and corrected before any action is taken against an individual. In addition, the source systems from which the NOC obtains information may, themselves, have mechanisms in place to ensure the accuracy of the data prior to the information being shared, as outlined in the ISE.

The commenter expressed concern about the DHS/ALL/PIA-011 Department of Homeland Security State, Local, and Regional Fusion Center Initiative PIA, December 11, 2008 (point 6) and whether it was accurate given this system of records notice. As noted above, this system of records does not cover fusion centers, but may receive information from fusion centers if it is relevant to the purpose of this system of records and the mission of OPS. This PIA is currently under review for possible update as required by law. The commenter expressed concern about the records retention and disposal standards. DHS has an updated records schedule approved by NARA for records contained in this system of records, Steady state (normal day-to-day) records are kept for five years and destroyed. All records that become part of a Phase 2 or 3 event are transferred to the National Archives five years after the event or case is closed for permanent retention in the National Archives (NARA schedule N1-563-11-010).

Finally, the commenter recommended that the Department establish additional independent oversight for fusion centers beyond what currently exists at the Department. This is outside the purview of this rulemaking.

The third and final comment is from a private individual. This individual wrote to the Department to explain the circumstances related to this individual's arrest by a state law enforcement authority resulting in what this individual believes to be faulty information received from a state intelligence center. The individual goes on to detail issues related to the state's fusion center as it applied to this individual's case. The individual requested no specific action or amendment related to the proposed rulemaking and the individual's comments were unrelated to the proposed rulemaking.

After careful consideration of public comments, the Department will implement the rulemaking as proposed, additionally the Department will not update the Systems of Records Notice.

List of Subjects in 6 CFR Part 5

• Freedom of information
• Privacy

For the reasons stated in the preamble, DHS amends Chapter I of Title 6, Code of Federal Regulations, as follows:

PART 5—DISCLOSURE OF RECORDS AND INFORMATION

1. The authority citation for Part 5 continues to read as follows:

Authority: 6 U.S.C. 101 et seq.; Pub. L. 107-296, 116 Stat. 2135; 5 U.S.C. 301. Subpart A also issued under 5 U.S.C. 552. Subpart B also issued under 5 U.S.C. 552a.

2. Add at the end of Appendix C to Part 5, the following new paragraph “68”:

Appendix C to Part 5—DHS Systems of Records Exempt From the Privacy Act

68. The DHS OPS-003 Operations Collection, Planning, Coordination, Reporting, Analysis, and Fusion System of Records consists of electronic and paper records and will be used by DHS and its components. The DHS OPS-003 Operations Collection, Planning, Coordination, Reporting, Analysis, and Fusion System of Records is a repository of information held by DHS to serve its several and varied missions and functions. This system also supports certain other DHS programs whose functions include, but are not limited to, the enforcement of civil and criminal laws; investigations, inquiries, and proceedings there under; national security and intelligence activities; and protection of the President of the U.S. or other individuals pursuant to Section 3056 and 3056A of Title 18. The DHS OPS-003 Operations Collection, Planning, Coordination, Reporting, Analysis, and Fusion System of Records contains information that is collected by, on behalf of, in support of, or in cooperation with DHS and its components and may contain personally identifiable information collected by other federal, state, local, tribal, foreign, or international government agencies. This system is exempted from the following provisions of the Privacy Act pursuant to 5 U.S.C. 552a(k)(1), (k)(2), (k)(3): 5 U.S.C. 552a(c)(3); (d); (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I); and (f). Exemptions from these particular subsections are justified, on a case-by-case basis to be determined at the time a request is made, for the following reasons:

(a) From subsection (c)(3) (Accounting for Disclosures) because release of the accounting of disclosures could alert the subject of an investigation of an actual or potential criminal, civil, or regulatory violation to the existence of that investigation and reveal investigative interest on the part of DHS as well as the recipient agency. Disclosure of the accounting would therefore present a serious impediment to law enforcement efforts and/or efforts to preserve national security. Disclosure of the accounting would also permit the individual who is the subject of a record to impede the investigation, to tamper with witnesses or evidence, and to avoid detection or apprehension, which would undermine the entire investigative process.

(b) From subsection (d) (Access and Amendment) because access to the records contained in this system of records could inform the subject of an investigation of an actual or potential criminal, civil, or regulatory violation to the existence of that investigation and reveal investigative interest on the part of DHS or another agency. Access to the records could permit the individual who is the subject of a record to impede the investigation, to tamper with witnesses or evidence, and to avoid detection or apprehension. Amendment of the records could interfere with ongoing investigations and law enforcement activities and would impose an unreasonable administrative burden by requiring investigations to be continually reinvestigated. In addition, permitting access and amendment to such information could disclose security-sensitive information that could be detrimental to homeland security.

(c) From subsection (e)(1) (Relevancy and Necessity of Information) because in the course of investigations into potential violations of federal law, the accuracy of information obtained or introduced occasionally may be unclear, or the information may not be strictly relevant or necessary to a specific investigation. In the interests of effective law enforcement, it is appropriate to retain all information that may aid in establishing patterns of unlawful activity.

(d) From subsections (e)(4)(G), (e)(4)(H), and (e)(4)(I) (Agency Requirements) and (f) (Agency Rules), because portions of this system are exempt from the individual access provisions of subsection (d) for the reasons noted above, and therefore DHS is not required to establish requirements, rules, or procedures with respect to such access. Providing notice to individuals with respect to existence of records pertaining to them in the system of records or otherwise setting up procedures pursuant to which individuals may access and view records pertaining to themselves in the system would undermine investigative efforts and reveal the identities of witnesses, and potential witnesses, and confidential informants.