Privacy Impact Assessment (PIA)
DOJ/FBI-DHS Interim Data Sharing Model (iDSM)
The Interim Data Sharing Model (iDSM) is a pilot effort between the Department of Homeland Security (DHS) and the Department of Justice (DOJ)/FBI.
To enhance national information sharing capabilities, the DHS and the FBI are working to achieve interoperability between their biometric-based information systems. The iDSM objective is to achieve biometric-based interoperability with a reciprocal exchange of a small subset of DHS and FBI data. The FBI subset will include information on individuals with outstanding warrants for which biometric information exists ("Wanted Person File"). The DHS subset will include information on individuals who have been denied Visas or aliens who have been expeditiously removed from the United States.
The iDSM initiative will provide significant short-term operational benefits to both agencies resulting from its pooled biometrics-based screening capability. At the same time, iDSM will serve as an evaluation platform to investigate technical alternatives for a long-term interoperability capability.
The iDSM consists of both a shared data component and a shared service component. The shared data component will make copies of each agency’s fingerprint image data and minimal biographic data available at the other agency’s location to allow the other agency to efficiently conduct fingerprint comparisons. Shared services relates to an existing infrastructure that allows each agency to obtain related biographic, criminal history, and immigration history data from the other agency as a follow-up to a fingerprint identification, while at the same time allowing the source agency to maintain control over the criminal history (FBI) or immigration history data (DHS) maintained in its System of Records.
Components developed by the DHS will include changes to their Automated Biometric Identification System (IDENT) which will allow IDENT users to fully benefit from FBI maintained criminal history record information. Components of iDSM developed by the FBI will include changes to the FBI Fingerprint Identification Record System (FIRS) which will allow authorized users to obtain new information regarding aliens who should not be in the United States and thus lead to additional arrests and deportations.
1.1 What information is to be collected?
1.1.1 Identify and list all of the types of information in identifiable form that are collected and stored in the system that either directly identify an individual (such as name, address, social security number, telephone number, e-mail address, biometric identifiers, photograph, or other unique identifying number, code, or characteristic) or that when combined, indirectly identify an individual (such as a combination of gender, race, birth date, geographic indicator, license number, vehicle identifier including license plate, and other descriptors).
New information is not being collected; however, the existing FIRS and IDENT systems of records maintain fingerprints and biographic data on identifiable groups of individuals which will be used to populate the iDSM.
The FBI will be sharing fingerprint images, names, dates of birth, gender, and FBI numbers of individuals who have been entered into the National Crime Information Center (NCIC) Wanted Person File. The DHS will be providing similar information from IDENT that is linked to aliens who have been denied Visas or who have been expeditiously removed from the United States.
1.2 From whom is the information collected?
1.2.1 List the individual, entity, or entities providing the specific information identified above. For example, is the information collected directly from the individual, as in the case of an investigator taking a statement from a suspect, or is it collected from other sources, such as commercial data aggregators?
Persons listed in the NCIC Wanted Person File who have had prior encounters with the criminal justice system will have fingerprints and associated biographic data in the FIRS. Accordingly, the fingerprints and associated data will have been taken from the individual during the time of that encounter. Similarly, data maintained in IDENT will have been taken from individuals, or from documents submitted by individuals, as part of the Visa request process or at the time of removal from the United States.
1.2.2 Describe why information from sources other than the individual are required. For example, if a program is systematically incorporating databases of information in identifiable form that are purchased or obtained from a commercial aggregator of information or if information needs to be collected from third parties in an ongoing investigation, state the fact that this is where the information is coming from and then in 2.1 indicate why the program is using this source of data.
Information in FIRS is obtained from the individual, documents carried by the individual, or subsequent encounters with the criminal justice community that can be directly related to specific arrests. FIRS biographic information, such as height and weight, may be estimated by observation.
Information in IDENT is obtained from the individual, documents carried by the individual, or documents submitted by the individual.
2.1 Why is the information being collected?
2.1.1 In responding to this question, you should include:
18.104.22.168 A statement of why this PARTICULAR information in identifiable form that is collected and stored in the system is necessary to the components or to the Department’s mission. Merely stating the general purpose of the system without explaining why particular types of information in identifiable form should be collected and stored is not an adequate response to this question.
Fingerprints and associated biographic information is the current method used to positively identify individuals by both the FBI and DHS, although other modals are being developed. (e.g., iris scan, DNA, facial recognition).
Individuals who have been arrested will often have had their fingerprints taken and submitted to the FBI for inclusion in the FIRS pursuant to 28 United States Code (U.S.C.), section 534. If a law enforcement agency subsequently enters a warrant in the NCIC for such an individual, it will often include the FBI number that was previously assigned. Similarly, DHS maintains fingerprints and associated biographic and encounter data of aliens who have been denied Visas or who have been expeditiously removed from the United States, and DHS assigns unique identifying numbers to each such individual.
Uses of the System and the Information.
The following questions are intended to clearly delineate the intended uses of the information in the system.
3.1 Describe all uses of the information.
3.1.1 Identify and list each intended use (internal and external to the Department) of the information collected or maintained.
IDENT users need more timely access to Wanted Person information maintained by the FBI. The iDSM will provide border management personnel with a more efficient method to conduct risk assessments based on positive identifications, which in turn will assist DHS and DOS in their admissibility decisions.
The iDSM will be used by the FBI on behalf of authorized criminal justice and noncriminal justice agencies to access a small subset of DHS’s biometrically-based immigration information to identify and locate individuals who should not be in the United States. This will lead to more arrests and deportation actions by criminal justice agencies and provide authorized noncriminal justice agencies the true identity /immigration status of individuals seeking employment/licensing benefits in the United States.
Initially, three non-DOJ agencies have been selected to pilot the use of iDSM. These agencies consist of one local law enforcement agency (Boston), one State law enforcement agency (Texas), and a federal agency that provides background screening for Federal employment (Office of Personnel Management). This program will help these agencies identify individuals who are in the United States illegally and are potential risk s to public safety or who are not available for national security or public trust employment. As the iDSM matures, more users may be invited to participate and additional agencies may be added as mutually agreed to by the parties (there are over 70,000 law enforcement agencies utilizing FIRS).
3.1.2 If a SORN is being or has been published for the system, the routine uses from the SORN should be listed in this section. (A copy of the notice or its Federal Register citation may be provided in order to meet this requirement.) In addition, list the uses internal to the Department since the routine uses listed in the SORN are limited to disclosures made outside of the Department.
The current FIRS SORN, published September 28, 1999, may be found at 64 FR 52343-01. Additionally, applicable blanket routine uses may be found at 66 FR 33558 and 70 FR 7513-02.
As noted above, non-FBI DOJ agencies are not currently part of the pilot program. However, any comparisons that result in a positive identification will also be shared with the wanting agency and with authorized recipients as currently authorized for official purposes.
The following questions are intended to define the scope of sharing both within the Department of Justice and with other recipients.
4.1 With which internal components of the Department is the information shared?
4.1.1 Identify and list the name(s) of any components, offices, and any other organizations within the Department with which the information is shared.
All DOJ components, offices, and organizations are authorized to receive FIRS data pursuant to 28 U.S.C. Section 534. As noted above, the three pilot agencies are not part of DOJ; however, positive comparisons may be shared with DOJ authorized recipients for relevant criminal justice purposes.
External Sharing and Disclosure
The following question is intended to define the content, scope, and authority for information sharing external to DOJ which includes foreign, Federal, state and local government, and the private sector.
5.1 With which external (non-DOJ) recipient(s) is the information shared?
5.1.1 Identify and list the name or names of the foreign, federal, state, or local government agencies, private sector organizations, or individuals with which/whom the information is shared.
The pilot agencies are:
Boston Police Department,
Texas Department of Public Safety, and the
United States Office of Personnel Management.
Additionally, the law enforcement entity that entered the wanted person information into the FBI system will be informed that the person wanted by its jurisdiction has been positively identified and be provided contact information of the agency submitting the fingerprints through existing procedures.
The following questions are directed at notice to the individual of the scope of information collected, the opportunity to consent to uses of said information, and the opportunity to decline to provide information.
6.2 Do individuals have an opportunity and/or right to decline to provide information?
6.2.1 Can the person from or about whom information is collected decline to provide the information and if so, is there any penalty or denial of service that is the consequence of declining to provide the information?
For the most part, this is not a new collection of information, but rather it is a sharing of previously collected information. As originally collected, the Shared Want List information contributed by the FBI relates to persons wanted by, and trying to avoid encounters with, law enforcement authorities. Notice/consent issues are not relevant in such situations.
6.3 Do individuals have an opportunity to consent to particular uses of the information, and if so, what is the procedure by which an individual would provide such consent?
Individuals placed in the Wanted Person File do not have the right to consent to the uses of information. If an individual desires to contest the information contained in FIRS, access and appeal procedures are provided at 28 Code of Federal Regulations (CFR), sections 16.30 – 16.34.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
8.9 Privacy Impact Analysis: Given access and security controls, what privacy risks were identified and describe how they were mitigated. For example, were decisions made to encrypt certain data sets and not others.
Privacy risks have not been identified. Rather, all identified recipients to FIRS data are currently authorized to receive FBI maintained records pursuant to federal statute. These agencies have been receiving similar records from the CJIS Division for years, they have signed User Agreements to abide by the CJIS Security Policy, and the agencies are subject to audit to ensure they are complying with the CJIS Security Policy.
Biometric Interoperability Program Office
Criminal Justice Information Services Division
Federal Bureau of Investigation Department of Justice
I note that this PIA assesses the privacy impact related to the FBI side of this joint program. (Similarly, DHS is conducting a PIA to assess the privacy impact related to the DHS side of the program.)
|Patrick W. Kelley||date|
Senior Privacy Official
Office of the General Counsel
Federal Bureau of Investigation
Department of Justice
Chief Privacy and Civil Liberties Officer
Department of Justice