Privacy Impact Assessment for the FBI Routine Databases
April 7, 2008

Contact Point
Elizabeth Withnell
Unit Chief
Privacy and Civil Liberties Unit
Office of the General Counsel

Reviewing Officials
Vance Hitch
Chief Information Officer
Office of the General Counsel
Department of Justice

David C. Larson
Privacy and Civil Liberties Officer
Department of Justice

Approving Official
Kenneth Mortensen
Acting Chief Privacy and Civil Liberties Officer
Department of Justice

Privacy Impact Assessment for FBI Routine Databases

The Federal Bureau of Investigation manages its information resources in an electronic environment that facilitates the collection of a wide variety of data. The current electronic environment, however, is not always flexible enough to meet the ever-increasing demands of the Bureau for situational awareness, strategic planning, and reporting. Consequently, a majority of Bureau units have or are considering developing routine databases, 1) using Microsoft Access or 2) other standard applications, to repackage Bureau information into a format that more closely meets operational requirements. These routine databases combine information already collected by the FBI and maintained in its case management system (the Automated Case Management system or ACS) or its administrative records, but permit a combination of data in ways that may reveal additional useful information about events and the individuals associated with them.

Routine databases created in the FBI share common characteristics. They are created using approved applications and are maintained primarily on local servers that are connected to the FBI's internal computer network. Supervisors in an office, squad or program typically function as the database administrator and assign access privileges to employees, contractors or task force members based on need to know and role. They can also perform oversight of database use in order to detect anomalies. Routine databases are password protected to further limit access. Information in these databases, which may take the form of spreadsheets, word processing documents, as well as the more typical database applications, is derived from information already collected by the FBI for mission-related purposes, for which Privacy Act system of records notices have been published as necessary, or is information available to the public at no cost. To the extent that data is derived from ACS, permission to extract the data is controlled by the FBI's Information Technology Operations Division and is subject to control by the FBI division owner of the originating information.

When a system uses technology to manipulate existing data about individuals in a way that the data is no longer functionally obscure but, instead, may be readily retrievable, a Privacy Impact Assessment (PIA) is required by both FBI policy (see, e.g.,Privacy Impact Assessments and Privacy Threshold Analyses, Updated Guidance, 66F-HQ-1201415 (Dec. 21, 2006)), DOJ Order 3011.1A, and by Section 208 of the E-Government Act and the implementing guidance published by the Office of Management and Budget. Experience has demonstrated, however, that routine databases meeting certain criteria all contain similar privacy risks and mitigate those risks in similar ways. Therefore, individual PIAs for such databases tend to be repetitive in nature.

This PIA is intended to cover all routine databases that meet the system description contained herein. If all criteria described below are met, then this PIA satisfies the FBI and E-Government Act privacy assessment requirements. To verify that this is the case, a checklist has been developed (attached as an appendix) that must be completed by the database owner and provided for review and approval, along with a description of the compliant database, to both the pertinent Division Management and its Privacy Officer as well as to the FBI Privacy and Civil Liberties Officer. Copies of approved checklists should be maintained by Division Privacy Officers and available for inspection upon request.  

Section 1.0
The System and the Information Collected and Stored within the System.

1.1 What information is to be collected?

A routine database will extract and store personally identifiable data from existing FBI records or from records that are available to the public at minimal cost, such as Internet search engines or the news media. 3The data may be derived from ACS, the Bureau's main case management system. 4It may also consist of administrative information that the FBI otherwise maintains, such as payroll or personnel data. The databases may be maintained by an FBI Headquarters division or office or locally by a field division. If a database contains information that may be considered sensitive or controversial or is maintained as part of a larger FBI program, the database administrator or program manager must consult with the FBI's Office of the General Counsel, Privacy and Civil Liberties Unit about the need to assess the privacy risks in a separate PIA.

1.2 From whom is the information collected

The information is provided by individuals and/or is collected by FBI personnel. Case-related information is derived from interviews, investigations or other activities performed pursuant to the FBI’s mission. Administrative information is collected from employees, contractors or others who perform work for the FBI. Routine databases do not include information from commercial databases unless that information was previously incorporated into the other FBI records from which information in the routine database is derived. Information in the databases, however, may be obtained from sources that any member of the public could access at minimal cost.

Section 2.0
The Purpose of the System and the Information Collected and Stored within the System.

2.1 Why is the information being collected?

The information has already been collected in support of the work of the FBI unit that will use the database or is obtainable from public sources, but it is being reconfigured into a functional format so that it can be manipulated in order to meet reporting requirements, to improve situational awareness, to facilitate strategic planning and to make associations within the data, if any, more apparent.

2.2 What specific legal authorities, arrangements, and/or agreements authorize the collection of information?

The general authority for the FBI to investigate crimes, including terrorism, and to acquire, collect, classify and preserve records pertaining to those investigations can be found in 28 U.S.C. §§ 533 and 534. The FBI also has jurisdiction over specific crimes as a result of more narrowly focused legislative enactments and has intelligence responsibilities pursuant to the Patriot Act and other statutes. Administrative information is collected pursuant to the general government authority for this purpose.

2.3 Privacy Impact Analysis: Given the amount and type of information collected, as well as the purpose, discuss what privacy risks were identified and how they were mitigated.

The information in the routine databases covered by this assessment duplicates information that the FBI has legally collected and maintains in another FBI system(s) or is information that is publicly available. There is a privacy risk from the recombination of information into a separate database, because connections among the data that might have been obscure could become more apparent. One of the reasons for using available application software, however, is precisely to make these connections more transparent. This privacy risk is mitigated by the fact that access to these databases is limited to a squad, unit or office that is likely already to have access to the information that will populate a routine database, but needs the added benefit of the software tools to improve its ability to pursue law enforcement or terrorism assignments, provide analysis, conduct administrative operations and create required reports.

Section 3.0
Uses of the System and the Information.

3.1 Describe all uses of the information.

As noted in the previous section, the information will be used for tactical, strategic and reporting purposes. The recombination of information from existing FBI systems can help highlight important aspects of what is known about individual cases in ways that improve situational awareness and facilitate the appropriate use of resources. Information can be aggregated for reporting purposes and disaggregated in order to focus more clearly on significant incidents or people. Administrative information can be manipulated to produce analyses and reports.

3.2 Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern (sometimes referred to as data mining)?

Data mining involves the use of sophisticated data analysis tools to discover previously unknown, valid patterns and relationships in large data sets. While a by-product of the use of routine databases may be the ability to discern relationships among data that previously were not apparent, the use of these databases is not for purposes of data mining, but for improved data management. Large data sets are not being created in order to infer rules that allow for the prediction of future results -- one of the hallmarks of data mining -- and, in fact, any system that creates large data sets would require a separate privacy analysis. Smaller databases are being created from information maintained in ACS or elsewhere in order to more effectively manage and control data that will be useful for operational, strategic or administrative purposes.

3.3 How will the information collected from individuals or derived from the system, including the system itself, be checked for accuracy?

Because the FBI needs the flexibility to collect a wide variety of information for law enforcement purposes from a wide variety of sources, that information is not always accurate, complete, timely and relevant. This is primarily due to the fact that at the time of collection it is typically impossible to ascertain that the information meets these requirements. With the passage of time or when viewed in connection with other information, seemingly irrelevant or untimely information may acquire new significance as further investigation brings new details to light. The FBI, nevertheless, has a business need to maintain accurate records. Before the information that will be combined into the routine databases at issue is used for operational purposes, it is checked to ensure its integrity. Routine databases, moreover, are generally employed by squads or units that are already familiar with the information to be included. If an anomaly occurs during data manipulation, individual users have the ability to examine the source information and other data to correct the anomaly as necessary. In this vein, the recombination of existing FBI data into a routine database may reveal that the original information requires revision or updating. Consequently, these routine databases may themselves contribute to overall information accuracy. For routine databases containing administrative data, the information can be checked for accuracy against the source files.

3.4 What is the retention period for the data in the system? Has the applicable retention schedule been approved by the National Archives and Records Administration (NARA)?

The disposition of routine database records is directly managed by the Records Disposition Unit of the Records Management Division, which works with FBI system owners and NARA to develop disposition authorities for these electronic information systems.

3.5 Why is the information being collected?

The FBI's purpose in using routine databases is to facilitate the ability of individual offices, squads or programs to provide accurate and timely information for a variety of uses. There is an incentive to ensure that the information is correct because otherwise any resultant products, such as reports, will be inaccurate. As an enforcement and oversight mechanism, Division managers and Privacy Officers must review and approve a checklist that each program officer completes for a particular application to demonstrate compliance with the attributes required for approval. Oversight of this process will be provided through the FBI's Inspection Division working in conjunction with the Privacy and Civil Liberties Officer.

Controls on the use of information in these routine databases are applied at the user level and at the program level. Users are limited to the members of a division, squad or office who are provided access based on a defined need to know and an appropriate role requiring access to the data. Oversight is provided through the grant of access initially and through the ability to audit system use, including the ability to recommend disciplinary action for misuse. In addition, program controls are applied through supervisors who grant access to these databases and through the FBI’s Inspection Division, which conducts periodic compliance reviews.

Section 4.0
Internal Sharing and Disclosure of Information within the System.

4.1 With which internal components of the Department is the information shared?

The database will be accessible by those individuals who have authorized access to the “Bank Robbery Squad’s” (Squad 7) file located on the Atlanta Division’s “S-Drive.” Reports resulting from analyses may be shared internally with those who have a need for the information in the performance of their duties.

4.2 For each recipient component or office, what information is shared and for what purpose?

The FBI unit or office that creates the database establishes the rules for access, but typically access is limited to those within the unit or office that have a need for access to perform mission-critical tasks. Sharing beyond this core group typically does not take place, but the data may be used for reporting purposes and those reports would be shared more broadly based on operational need.

4.3 How is the information transmitted or disclosed?

Transmission is primarily electronic and may be done through electronic media or over a network.

4.4 Privacy Impact Analysis: Given the internal sharing, discuss what privacy risks were identified and how they were mitigated.

Because the information that populates routine databases is derived from data that already exists within the FBI or consists of public source material, there is a privacy risk that additional knowledge may be available from the combination of data that otherwise would not be apparent. This risk is also the benefit of using these routine applications to better understand what information an individual program has or knows. This risk is mitigated by limitations on individuals who can access the data in its combined form. Many routine databases are created for the convenience of a squad, unit, or office, and a database administrator limits access rights to those with a bona fide need to know. Passwords for access may also be employed to enhance the security and privacy of the information. In addition, any transfer of the information to mobile devices must meet the requirements of FBI policy for protecting information on mobile devices.

There is also a privacy risk that the replication of data from one database to another could result in the production of erroneous data through keystroke errors. The routine databases, however, are typically checked by supervisors to ensure data integrity and thus minimize that risk. There is a further privacy risk from the fact that the ability to audit these routine databases is not as robust as in other more sophisticated systems. But as a precondition of approval for these routine databases, the attached checklist requires the completing official to signify that there is an ability to audit access and use, so the privacy risk is reduced. If an individual user is found to be accessing the database inappropriately, disciplinary action can be taken. In addition, these databases will be subject to the FBI's periodic inspection process to ensure compliance with the requirements for database approval.

Section 5.0
External Sharing and Disclosure

5.1 With which external (non-DOJ) recipient(s) is the information shared?

No system-to-system sharing between an FBI routine database and an external recipient is contemplated. Instead, disclosures of discrete pieces of information may be made, as appropriate, to other federal, state, local, tribal or foreign law enforcement entities, Congress or the public in the same manner as such disclosures are made of information from the underlying systems. For example, if information from a routine database reveals criminal activity in a particular location, the FBI office maintaining the database may share that information with appropriate state or local law enforcement. This kind of routine sharing, which is subject to rules governing need to know, restrictions on further dissemination (as appropriate) and other limitations, already regularly occurs and the creation of these routine databases will not alter this. Alternatively, the routine databases may be used to develop required reports. In many cases, if data is used in reports that will be made public, the data will be stripped of identifiers, unless there is a need for their inclusion. External reporting, for example, of personnel information that may be derived from a routine database would likely not include individual employee names unless there was a business reason for doing so.

5.2 What information is shared and for what purpose?

See previous response.

5.3 How is the information transmitted or disclosed?

If sharing occurs, it could be by any means necessary to effect the transfer of discrete pieces of information -- electronic, paper or otherwise.

5.4 Are there any agreements concerning the security and privacy of the data once it is shared?

In the event information is shared externally and it includes personal identifiers, the sharing is subject to FBI corporate policy and controls regarding security and privacy that govern any disclosures of information from FBI files.

5.5 What type of training is required for users from agencies outside DOJ prior to receiving access to the information?

The external sharing that is contemplated will be consistent with disclosures currently made from FBI records. If training is required to understand the FBI information, it is provided on an individual basis. Because there will be no disclosures between these routine databases and other agency systems, however, there is no need for training on use of these databases.

5.6 Are there any provisions in place for auditing the recipients' use of the information?

As noted in the previous response, system-to-system disclosures will not be made. When disclosures are made from FBI records generally, any caveats on use of the information are associated with the data at the time of the disclosure.

5.7 Privacy Impact Analysis: Given the external sharing, what privacy risks were identified and describe how they were mitigated.

The type of sharing of information from routine databases that is likely to occur is no different from the disclosures currently made from the underlying FBI records, and thus any sharing will be subject to current processes and limitations on the access to and use of FBI information. If personally identifiable information is downloaded to mobile devices for purposes of external sharing, FBI policy requires that it be adequately protected in transit through the use of passwords and encryption software. Consequently, there should be no additional privacy risk from the external sharing of the information. In many cases, moreover, information to be shared will not contain personal identifiers. 

Section 6.0

6.1 Was any form of notice provided to the individual prior to collection of information? If yes, please provide a copy of the notice as an appendix. (A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register.) If notice was not provided, why not?

Individuals are typically not provided a separate notice about the disposition of information collected from them in connection with a law enforcement or national security investigation. General notice is available, however, through publication of Privacy Act System of Records notices that govern information the FBI collects and maintains. The majority of information to be placed in the databases covered by this PIA would be covered by the system notice for the FBI's Central Records System, last published in the Federal Register on February 20, 1998 (63 Fed. Reg. 8671). When information is collected primarily for administrative purposes, notice is usually provided on the form used for the collection.

6.2 Do individuals have an opportunity and/or right to decline to provide information?

In many cases, the information at issue will be obtained through the results of investigations. In most cases, there is no right to decline to provide information. In those cases where there is a right not to participate in or cooperate with an investigation, or otherwise not provide information, the individual may be afforded that opportunity. When information is collected primarily for administrative purposes, the collection itself may be voluntary and thus the individual would have the right to decline to provide it.

6.3 Do individuals have an opportunity to consent to particular uses of the information, and if so, what is the procedure by which an individual would provide such consent?

If an individual has placed any enforceable restrictions on the use of information that the FBI has otherwise collected, those restrictions would follow recompilation of the information into a routine database. There is no other opportunity to consent to or restrict particular uses of the database information.

6.3 Do individuals have an opportunity to consent to particular uses of the information, and if so, what is the procedure by which an individual would provide such consent?

If an individual has placed any enforceable restrictions on the use of information that the FBI has otherwise collected, those restrictions would follow recompilation of the information into a routine database. There is no other opportunity to consent to or restrict particular uses of the database information.

6.4 Privacy Impact Analysis: Given the notice provided to individuals above, describe what privacy risks were identified and how you mitigated them.

The system notice for the FBI's Central Records System, from which the majority of information will be obtained, explains that the "FBI uses its computers, when necessary, to collate, analyze, and retrieve investigative information in the most accurate and expeditious manner possible." It also states that the FBI supports complicated investigative matters by using specialized computer systems or individual microcomputers and that duplicate records and extracts of information are kept in various FBI divisions to assist in day-to-day operations. Thus, the public is on notice that the FBI combines the information it receives in ways designed to collate, analyze and retrieve information. This transparency helps to mitigate the privacy risk that accompanies recompilation of information from one collection into another routine database where relationships among the data may become more apparent. 

Section 7.0
Individual Access and Redress

7.1 What are the procedures which allow individuals the opportunity to seek access to or redress of their own information.

Individuals are entitled to avail themselves of the procedures outlined in 28 C.F.R. Part 16 in order to seek access or redress of their own information. Although many of the FBI's files are exempt from the access and amendment requirements of the Privacy Act, the FBI has a business need for accurate records and may, in its discretion, permit individuals to supply statements disputing particular facts in FBI records.

7.2 How are individuals notified of the procedures for seeking access to or amendment of their information?

Information on how to submit a Freedom of Information Act/Privacy Act request to the FBI is contained on the FBI's Internet site, and in 28 C.F.R. Part 16.

7.3 If no opportunity to seek amendment is provided, are any other redress alternatives available to the individual?

Although the FBI's law enforcement record systems are typically exempt from the access and amendment provisions of the Privacy Act, in its discretion, the FBI may accept one page statements of disagreement about facts maintained in its records. This provides a means of redress in cases where data may be inaccurate or otherwise lacking in integrity and the records are not otherwise subject to amendment or correction.

7.4 Privacy Impact Analysis. Discuss any opportunities or procedures by which an individual can contest information contained in this system or actions taken as a result of agency reliance on information in the system.

As noted in the previous response, in its discretion the FBI considers requests for amendment/correction of its law enforcement records. Judicial review is also available in appropriate cases when an individual wishes to challenge action taken in reliance on information derived from FBI records from a particular database.

Section 8.0
Technical Access and Security

8.1 Which user group(s) will have access to the system?

Each office, unit or squad that uses routine databases defines its own rules for access based on operational need.

8.2 Will contractors to the Department have access to the system? If so, please submit a copy of the contract describing their role with this PIA.

It is possible that contractors located in particular offices, units or squads will have access to the databases covered by this PIA. In that event, however, contractors would be treated like employees and subject to the same restrictions on access and use. In addition, contracts with vendors that involve personally identifiable information contain the relevant Federal Acquisition Regulation provisions requiring Privacy Act compliance.

8.3 Does the system use "roles" to assign privileges to users of the system?

The answer depends on the rules established for each database, but generally a supervisor manages the database and users have read, write, or read and write access, depending on their office function.

8.4 What procedures are in place to determine which users may access the system and are they documented?

Because the databases are created by individual offices, units or squads, users are determined by the database creators/supervisory personnel. While written documentation may not be available in all cases, the checklist that each system supervisor must complete requires acknowledgment that access is limited only to those with an operational need to know.

8.5 How are the actual assignments of roles and rules verified according to established security and auditing procedures?

The assignment of roles is subject to supervisory approval and is based on mission requirements and the individual's need for access to perform his or her duties. The databases that are created using routine software must be capable of being audited to ensure that the data is being used consistent with the purpose for which the database was created and the database must operate on a platform for which a Certification and Accreditation has been performed. In most instances, the routine databases at issue will operate on the FBI's internal computer network.

8.6 What auditing measures and technical safeguards in place to prevent misuse of data?

See previous answer.

8.7 Describe what privacy training is provided to users either generally or specifically relevant to the functionality of the program or system?

All FBI employees, contractors and task force members are required to complete yearly information security training which contains a substantial privacy component. Additional privacy training is available on an ad hoc basis to individual FBI divisions or groups. In addition, the FBI has developed training on the use of U.S. person information that is available Bureau-wide. Other training is provided in connection with specific programs or systems.

8.8 Is the data secured in accordance with FISMA requirements? If yes, when was Certification and Accreditation last completed?

As noted previously, routine databases operate primarily on the FBI's computer network, which has been subjected to the C& A process. The system on which these databases operate was recertified and reaccredited in January 2008.

8.9 Privacy Impact Analysis: Given access and security controls, what privacy risks were identified and describe how they were mitigated.

Routine databases, using Microsoft Access or other software applications that have been approved for use throughout the FBI, help divisions, offices and squads manage information in a manner that effectively meets mission needs. These routine databases operate primarily on the FBI’s internal computer network, which meets Certification and Accreditation requirements. The information that populates these databases is derived from other FBI information systems or can be obtained by any member of the public. The recombination of data from these sources may result in new information being accessible that was previously obscure or unavailable. The privacy risk from this recombination, however, is mitigated by the fact that access to the databases is limited in each instance to those with an operational need to know and is controlled by supervisory personnel. In addition, to the extent that a clearer picture of an event or individual emerges, these databases may help increase data accuracy and integrity.  


To increase FBI efficiency and enhance operations, the FBI employs routine database technology to manage its information resources for purposes of situational awareness, strategic planning and reporting. The privacy concerns associated with the use of these databases are mitigated and outweighed by the benefits of enhanced information knowledge that flows from the use of this technology.

Reviewing Officials

______________________________ (Sign Date)
Elizabeth Withnell, Unit
Chief Privacy and Civil Liberties Unit

______________________________ (Sign Date)
David C. Larson
FBI Privacy and Civil Liberties Officer

Approved 8.29.08______________ (Sign Date)
Kenneth P. Mortensen
Acting Chief Privacy and Civil Liberties Officer
Department of Justice

Form Rev. 9/8/08


This checklist is based on the FBI Privacy Impact Assessment (PIA) for FBI Routine Databases of 4/7/2008 as approved 8/29/2008. In accordance with the PIA, this checklist may be used in lieu of any additional PIA (or PTA), so long as every one of the twelve blocks below can be checked. This checklist should be completed by the database manager (or other appropriate official/ as determined by the division) and approved by the Division Privacy Officer.

A. Add date checklist prepared:

B. Provide name and brief description of database (or comparable application):

C. Identify program division and unit/squad:

D. Provide name, address, and phone number of point of contact:

E. Checklist (all must be checked as being accurate for this database/application):

____ 1. Information in the system identifies individuals, either directly or indirectly. An individual can be identified indirectly through a combination of descriptors such as gender, race, birth data, geographic indicator, license number, or license plate number. 5

____ 2. The system derives information from FBI records covered by existing Privacy Act system of records notices ( regardless of format in which those records are maintained and/or from information that is publicly available at no cost. (If information comes from FBI records that are not covered by existing systems of records notices, contact the PCLU.)

____ 3. Neither commercial data nor paid subscription service data is included in the database unless that information is derived from existing FBI records.

____ 4. The system can be accessed only by members of a particular office, unit, squad or other similar FBI entity and sharing of information is based strictly on an operational need to know.

____ 5. The system is not used for purposes of pattern-based data mining.

____ 6. Initial and continued access to the system is subject to permission controls enforced by FBI supervisory personnel, including the use of access passwords.

____ 7. Access to the system can be audited.

____ 8. The system is part of an established platform on which a Security Certification and Accreditation has been performed.

____ 9. The system was developed after April 17, 2003.6

____ 10. If the system maintains information about U.S. citizens or legal permanent residents, it is covered by a published Privacy Act System of Records Notice.

____ 11. Records retention issues have been discussed with the Records Management Division.

____ 12. Any personally identifiable information placed on a mobile device or on media that is transported outside FBI facilities must comply with the FBI policy on encryption and must be password protected.

F. If a database contains information that may be considered sensitive/controversial or is maintained as part of a larger FBI program, the database administrator or program manager (or division privacy officer) must consult with the FBI's Office of the General Counsel, Privacy and Civil Liberties Unit about the potential need to assess the privacy risks in a separate PIA.

G. File Notes (summarize any additional information that may be warranted for record purposes, e.g., coordination with OGC, etc.):


Program Manager (or other appropriate official as division determines) Division Privacy Officer

Date signed:

Date signed:


- File signed original (or copies) in one or more official division/program files for documentation, inspection, records, and other oversight purposes.
- Forward copy to the FBI Privacy and Civil Liberties Unit (PCLU) (JEH 7338).

1 For purposes of this PIA, the term "routine database" is used to signify those databases, spreadsheets or even word processing programs that are employed to manipulate existing FBI data, but that do not rise to the level of a major information system. The routine databases at issue are all covered by the certification and accreditation of an established FBI Federal Information Security Management Act (FISMA) system.

2 Microsoft Access permits the creation of a relational database management system that allows users to organize, query, manipulate, link and view data from multiple sources and to use the resultant information for operational purposes as well for statistical reporting requirements. In the case of the Microsoft Access databases covered by this Privacy Impact Assessment, ACS will provide the source for information. Reference to Microsoft Access implies no endorsement of this particular product, but is simply a reflection of the fact that this software, among others, is employed in the FBI.

3 Paid subscriptions to databases maintained by commercial data brokers in general do not meet the requirement for “at minimal cost.”

4 As the FBI converts its case management system from ACS to Sentinel, the need for routine databases may diminish. This PIA, however, is intended to cover any such databases that are created based on information in the FBI's primary case management system or other existing files.

5 Systems that do not contain any personally identifiable information need not complete this checklist.

6 Systems developed before April 17, 2003 , and not modified since then are not required to conduct a PIA until a modification occurs that would change the privacy risks to information in the system.