Privacy Impact Assessment Integrated Automated Fingerprint Identification System National Security Enhancements

Contact Point:

David Cuthbertson
Section Chief
Programs Development Section

Criminal Justice Information Services Division Reviewing Officials:
Jane C. Horvath
Chief Privacy Officer and Civil Liberties

Officer Department of Justice Patrick W. Kelley
Senior Privacy Official, Office of the General Counsel
Federal Bureau of Investigation
Department of Justice


Pursuant to 28 U.S.C. § 534, the FBI acquires, collects, classifies, and preserves identification, criminal identification, crime, and other records and exchanges such records and information with, and for the official use of, authorized officials of the Government, including the United States Sentencing Commission, the States, cities, and penal and other institutions. Since 1924, the FBI has collected, preserved, classified, and exchanged fingerprint records in support of its identification activities and the activities of other Federal, state, and local law enforcement agencies. Categories of fingerprints currently maintained in the Fingerprint Identification Record System (FIRS) includes: criminal fingerprints, federal applicants and employees, United States military, aliens, and those submitted to the FBI by persons desiring to have their fingerprints placed on record for personal identification purposes. Additionally, fingerprints of military detainees and other persons of national security interest are now being collected for national security purposes.

The Integrated Automated Fingerprint Identification System

In July 1999, the fingerprint identification function was automated in the Integrated Automated Fingerprint Identification System (IAFIS). This national, computerized system for storing, comparing, and exchanging fingerprint data in a digital format permits comparisons of fingerprints in a faster and more accurate manner. It is located in, and operated by, the Criminal Justice Information Services (CJIS) Division of the FBI in Clarksburg, West Virginia. IAFIS provides three major services to its customers. First, it is a repository of criminal history information, fingerprints, criminal subject photographs, as well as information regarding military and civilian federal employees and other individuals as authorized by Congress. Second, it provides positive identification of individuals based on fingerprint submissions (both through ten‑print fingerprints and latent fingerprints). Third, it provides tentative identification of individuals based on descriptive information such as a name, date of birth, distinctive body markings, and identification numbers. IAFIS's primary function is to provide the FBI a fully automated fingerprint identification and criminal history reporting system. Additionally, IAFIS has made several other accomplishments. It has improved latent fingerprint identification services to the law enforcement community and it has also helped to develop uniform biometric standards. These improvements have eliminated the need to process and retain paper fingerprint cards and has, thereby, accelerated the identification process. Another benefit has been the development of improved digital image quality.

National Security Enhancement

Subsequent to the attacks on the United States on September 11, 2001, Congress passed the "Homeland Security Information Act," codified at 6 U.S.C. § 481. This statute acknowledges that information systems have been established for rapid sharing of "classified" and "sensitive but unclassified" information among Federal, state, and local entities and that increased efforts to share homeland security information should avoid duplicating existing information systems. By Memorandum, dated April 11, 2002, the United States Attorney General provided guidance for coordinating information relating to terrorism (AG Directive). The AG Directive provides that "the prevention of terrorist activity is the overriding priority of the Department of Justice." In light of that overriding priority, the Attorney General ordered the FBI (among others) to expand terrorist information in its databases. The Attorney General specifically directed the FBI, through its Legal Attache Offices (Legats), to obtain fingerprints, other identifying information, and available biographic data of all known or suspected foreign terrorists who have been identified and processed by foreign law enforcement agencies. The AG Directive also ordered the FBI to obtain similar information from the Department of Defense (DoD) to the extent permitted by law. Information from both DoD and the Legats was to be placed in IAFIS and other appropriate law enforcement databases to assist in detecting and locating foreign terrorists. Lastly, the AG Directive reinforced earlier directives, dated November 8 and 13, 2001, that order Department of Justice (DOJ) components to review their policies and procedures to ensure information sharing, information analysis, and coordination of activities with Federal, state, and local agencies to prevent acts threatening public safety and national security. By Executive Order 13388, dated October 25, 2005, the President provided the following guidance: To the maximum extent consistent with applicable law, agencies shall, in the design and use of information systems and in the dissemination of information among agencies: (a) give the highest priority to (i) the detection, prevention, disruption, preemption, and mitigation of the effects of terrorist activities against the territory, people, and interests of the United States of America; (ii) the interchange of terrorism information among agencies; (iii) the interchange of terrorism information between agencies and appropriate authorities of state, local, and tribal governments, and between agencies and appropriate private sector entities; and (iv) the protection of the ability of agencies to acquire additional such information; and (b) protect the freedom, information privacy, and other legal rights of Americans in the conduct of activities implementing subsection (a). Since September 11, 2001, the CJIS Division has undertaken aggressive efforts to expand and enhance the use of identification information and related records to support the FBI mission of protecting and defending the United States against terrorist threats. The FBI has successfully obtained the fingerprints of known and suspected terrorists (KSTs) identified and processed by foreign and U.S. government agencies. These fingerprints have been incorporated within the IAFIS so they can be further shared with system users, including the Department of Homeland Security (DHS), DoD, Department of State, and law enforcement agencies. Dissemination beyond CJIS Division is controlled by agreements with the information "owners." In some instances, those owners may decline to permit the release of the information. In any event, this information is never disseminated beyond those agencies authorized access by statute. Pursuant to the above-listed directives, the FBI CJIS Division has obtained fingerprint submissions of KSTs and individuals of national security interest. The overwhelming majority of these fingerprints are of aliens whose fingerprints are obtained outside the United States.

Section 1.0

1.1 What information is to be collected?

1.1.1 Identify and list all of the types of information in identifiable form that are collected and stored in the system that either directly identify an individual (such as name, address, social security number, telephone number, e-mail address, biometric identifiers, photograph, or other unique identifying number, code, or characteristic) or that when combined, indirectly identify an individual (such as a combination of gender, race, birth date, geographic indicator, license number, vehicle identifier including license plate, and other descriptors).

The information being collected consists primarily of fingerprints that have been provided by DoD, other federal agencies, and foreign governments, along with minimal descriptive information such as name, date of birth, and place of birth. The accompanying information can also include much more detail such as photographs, physical characteristics, or descriptions of scars, marks, and tattoos. Some of these fingerprints are from individuals who have been arrested or incarcerated. Other individuals have been detained because of suspicious activity or as military detainees.

1.2 From whom is the information collected?

1.2.1 List the individual, entity, or entities providing the specific information identified above. For example, is the information collected directly from the individual, as in the case of an investigator taking a statement from a suspect, or is it collected from other sources, such as commercial data aggregators?

Military detainee information is provided to the FBI CJIS Division by the DoD. The FBI CJIS Division also receives KST data from FBI Legats, FBI Field Offices, DoD, and other federal agencies. Fingerprints of persons of national security interest may also be provided to the CJIS Division by foreign governments. In all cases involving collection of fingerprint data, the information is derived directly from the individual. None of this information is collected from commercial sources.

1.2.2 Describe why information from sources other than the individual are required. For example, if a program is systematically incorporating databases of information in identifiable form that are purchased or obtained from a commercial aggregator of information or if information needs to be collected from third parties in an ongoing investigation, state the fact that this is where the information is coming from and then in 2.1 indicate why the program is using this source of data.

Biometric information is originally obtained directly from the individual, although it may be obtained involuntarily. The identifying information is obtained in response to Congressional, Presidential, and Attorney General mandates and because the agencies are the only sources for this essential national security information.

Section 2.0

2.1 Why is the information being collected?

2.1.1 In responding to this question, you should include: A statement of why this PARTICULAR information in identifiable form that is collected and stored in the system is necessary to the component's or to the Department’s mission. Merely stating the general purpose of the system without explaining why particular types of information in identifiable form should be collected and stored is not an adequate response to this question.

Fingerprints and associated biographic information are the current types of information used to positively identify individuals by both the FBI, state and local law enforcement agencies, and other agencies. Accordingly, positive identification is the first step in determining whether the identified individual continues to be of national security interest.

Section 3.0

Uses of the System and the Information. The following questions are intended to clearly delineate the intended uses of the information in the system.

3.1 Describe all uses of the information.

3.1.1 Identify and list each intended use (internal and external to the Department) of the information collected or maintained.

Fingerprints are submitted to the CJIS Division for comparison against the national fingerprint repository for both criminal and noncriminal justice purposes. A growing and fundamental use of such comparisons is for national security purposes. Consequently, the retention of fingerprints that have been identified by the FBI, DoD, other federal agencies, or foreign governments permits positive identifications of those individuals who later come into contact with agencies that have been approved access to the Fingerprint Identification Record System (FIRS) for either criminal or noncriminal justice purposes.

3.1.2 If a SORN is being or has been published for the system, the routine uses from the SORN should be listed in this section. (A copy of the notice or its Register citation may be provided in order to meet this requirement.) In addition, list the uses internal to the Department since the routine uses listed in the SORN are limited to disclosures made outside of the Department.

The majority of these fingerprints are of aliens whose fingerprints were obtained outside the United States and, thus, are not Privacy Act protected. Nonetheless, the current SORN is being revised to include these categories of individuals. The current fingerprint SORN, published September 28, 1999, may be found at 64 FR 52343. Additionally, applicable blanket routine uses may be found at 66 FR 33558 and 70 FR 7513-02. The IAFIS is used internally by the DOJ to support criminal and intelligence investigations, to perform employment suitability background investigations, and to provide identification services for disaster relief and for other humanitarian purposes. Section 4.0 The following questions are intended to define the scope of sharing both within the DOJ and with other recipients.

4.1 With which internal components of the Department is the information shared?

4.1.1 Identify and list the name(s) of any components, offices, and any other organizations within the Department with which the information is shared.

All DOJ components, offices, and organizations are authorized to receive fingerprint data pursuant to 28 U.S.C. § 534. Consequently, each DOJ component may submit fingerprints to the FBI for criminal history record checks. Section 5.0 External Sharing and Disclosure The following question is intended to define the content, scope, and authority for information sharing external to DOJ which includes foreign, Federal, state and local government, and the private sector.

5.1 With which external (non-DOJ) recipient(s) is the information shared?

5.1.1 Identify and list the name or names of the foreign, federal, state, or local government agencies, private sector organizations, or individuals with which/whom the information is shared.

Dissemination of this information is exclusively limited to agencies authorized access by statute for official purposes, to include the federal intelligence community. The CJIS Division regularly provides the results of fingerprint-based record checks to authorized Federal, state, joint, tribal, foreign, and international criminal justice agencies, or to agencies, organizations, persons, or entities in either the private or public sector, domestic or foreign, where such disclosures may promote, assist, or otherwise serve law enforcement and/or national security interests.

Section 6.0

Notice The following questions are directed at notice to the individual of the scope of information collected, the opportunity to consent to uses of said information, and the opportunity to decline to provide information.

6.2 Do individuals have an opportunity and/or right to decline to provide information?

6.2.1 Can the person from or about whom information is collected decline to provide the information and if so, is there any penalty or denial of service that is the consequence of declining to provide the information?

No. The information is collected as part of an arrest process, military detention, or criminal/intelligence/military investigation.

6.3 Do individuals have an opportunity to consent to particular uses of the information, and if so, what is the procedure by which an individual would provide such consent?

No. Fingerprints are placed in the IAFIS as part of the National Security Enhancement initiative and subjects of national security interest (predominantly of aliens whose fingerprints were taken outside the United States) do not have the right to consent to the uses of information.

Section 8.0

Technical Access and Security The following questions are intended to describe technical safeguards and security measures. 8.9 Privacy Impact Analysis: Given access and security controls, what privacy risks were identified and describe how they were mitigated. For example, were decisions made to encrypt certain data sets and not others. No privacy risks were associated with CJIS Division obtaining, retaining, and disseminating fingerprint identification records of individuals determined to be of national security interest. The fingerprints so obtained are, with few exceptions, uniformly either of foreign subjects, from foreign sources, or from DoD records. All identified recipients of FIRS data are currently authorized to receive FBI maintained records pursuant to Federal statute. These agencies have been receiving similar records from the CJIS Division for years, they have signed User Agreements to abide by the CJIS Security Policy, and the agencies are subject to audit to ensure their compliance with that policy.

Responsible Officials:
__________________________________ ______________

David Cuthbertson  / date


Section Chief
Programs Development Section
Criminal Justice Information Services Division
Federal Bureau of Investigation
Department of Justice

Reviewing Officials:

__________________________________ ______________

Patrick W. Kelley /  date
Senior Privacy Official

Office of the General Counsel
Federal Bureau of Investigation
Department of Justice

___________________________________ ______________

Jane Horvath  / date


Chief Privacy and Civil Liberties Officer
Department of Justice