Privacy Impact Assessment

WHTI PIA 20080114 back to OMB (4) (3).doc

Western Hemisphere Traveler's Initiative

Privacy Impact Assessment

OMB: 1651-0132


Privacy Impact Assessment
Customs and Border Protection

WHTI sea and land Final Rule


Privacy Impact Assessment
for the

Western Hemisphere Travel Initiative

Land and Sea Final Rule

January 2008

Rulemaking Contact Point
Colleen M. Manaher

Director, WHTI Program Office

U.S. Customs and Border Protection

(202) 344-3003


Reviewing Official
Hugo Teufel III
Chief Privacy Officer
U.S. Department of Homeland Security
(703) 235-0780

Abstract



The Department of Homeland Security (DHS) and U.S. Customs and Border Protection (CBP), in conjunction with the Bureau of Consular Affairs at the Department of State (DOS), published in the Federal Register a final rule to notify the public of how they will implement the Western Hemisphere Travel Initiative (WHTI) for sea and land ports-of-entry. [cite to FR] The final rule removes the current regulatory exceptions to the passport requirement provided under sections 212(d)(4)(B) and 215(b) of the Immigration and Nationality Act (INA). On August 9, 2007, the DHS Privacy Office issued a Privacy Impact Assessment (PIA) for the proposed rule, which was published in the Federal Register on June 26, 2007, at 72 FR 35088. This PIA updates the earlier PIA for the proposed rule to reflect changes in the WHTI final rule for land and sea ports-of-entry.

Introduction


The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), as amended, provides that upon full implementation, generally U.S. citizens and nonimmigrant aliens may enter the United States only with passports or such alternative documents as the Secretary of Homeland Security designates as satisfactorily establishing identity and citizenship. The final rule is the second phase of a joint DHS and DOS plan, known as WHTI, to implement these new requirements at sea and land ports-of-entry.

On August 9, 2007, the DHS Privacy Office issued a PIA examining the privacy impact of the proposed rule as it relates to the Fair Information Practice Principles (FIPPs): Transparency, Individual Participation, Purpose Specification, Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing. It is available on the DHS Privacy Office’s public website, www.dhs.gov/privacy, and is the starting place for understanding the privacy issues surrounding the land and sea port-of-entry implementation of WHTI and the steps the Department has taken to mitigate privacy concerns.1 The PIA concluded that while passport and other information will be collected from a larger class of individuals at the border under the proposed rule, the processes for doing so are well established, applicable PIAs and Privacy Act system of records notices (SORNs) are in place, and implementation includes affirmative steps to preserve the FIPPs.

This update provides a summary of the changes made to the WHTI land and sea ports-of-entry final rule and a brief discussion of the impact that these changes have on individual privacy. Finally, this PIA identifies additional privacy compliance documentation that will be issued during the implementation of WHTI.




Summary of Changes to Proposed Rule found in Final Rule


The final rule is substantially the same as the proposed rule published at 72 FR 35088. The two most significant changes apply exclusively to members of the United States Native American Tribes and Canadian Indians. Under the final rule, tribal enrollment or identification cards from a federally-recognized tribe or group of federally-recognized tribes will be permitted for use at entry at any land port-of-entry when arriving from a contiguous territory, if designated by the Secretary of Homeland Security. Also, for Canadian Indians, the proposed new Indian and Northern Affairs Canada card may also be presented as evidence of the citizenship and identity of Canadian Indians when they seek to enter the United States at land ports-of-entry, if designated by the Secretary of Homeland Security.

The final rule also specifically acknowledges that the Enhanced Driver’s License (EDL) that will be issued by the State of Washington is a WHTI-compliant document pursuant to an agreement between DHS and that State. Future compliant EDLs will be designated for acceptance by the Secretary of Homeland Security and notice of such designation will be published in the Federal Register.

Finally, the final rule adds a copy of a birth certificate to the list of documents evidencing citizenship that U.S. and Canadian citizen children under age 16 (or under age 18 when traveling in groups) may present at the border when arriving from a contiguous territory.


Privacy Impact


These changes do not have a distinct impact on individual privacy. The issues presented in the final rule mirror closely those addressed in the August 9, 2007 PIA on the proposed rule, available at www.dhs.gov/privacy. That PIA applied the FIPPs to the proposed phase two WHTI implementation described in the Notice of Proposed Rulemaking (NPRM) and examined the steps the Department has taken to mitigate privacy concerns. It identified the relevant existing SORNs and PIAs, and referred individuals who believe they have been improperly denied entry at the border to the DHS Traveler Redress Program (TRIP), the SORN for which is published at 72 FR 2292. It also pointed readers to the phase one WHTI PIAs, which are available on the DHS Privacy Office website.

As the August 9 PIA for the NPRM details, WHTI does not create a collection of new data elements by DHS; rather it permits collection of the same information from additional categories of individuals, closing, as it does, the regulatory exceptions to the general passport requirement provided under sections 212(d)(4)(B) and 215(b) of the Immigration and Nationality Act. The final rule does not impact the expectation created in the NPRM. Therefore, the PIA explored the privacy issues arising from the inclusion of additional records into an existing system.

That PIA concluded that the Department had taken steps to ensure the remaining passport exceptions closed by implementation of WHTI for land and sea ports-of-entry do not significantly impact individual privacy because the processes for collecting the information are well established, applicable PIAs and SORNs are in place, and implementation includes affirmative steps to preserve the FIPPs.




Additional Privacy Compliance Documentation



The Department recognizes that fully implementing WHTI will require additional privacy compliance documentation to be in place in the future. Below is a summary of the privacy compliance documentation that will be issued as WHTI becomes operational.

  1. Use of Radio Frequency Identification (RFID) Technology for Border Crossings Privacy Impact Assessment (PIA) – As discussed in the PIA of the proposed rule and within the proposed rule itself, a number of WHTI compliant documents, including the Department of State’s anticipated passport card and CBP’s applicable trusted traveler cards, utilize various forms of RFID. Because there are privacy implications attendant with the use of RFID, DHS will issue a subsequent PIA discussing all the uses of RFID by CBP, including the use of RFID on the passport card in support of the WHTI program implementation.

  2. CBP Procedures for Processing Travel Documents at the Border PIA – There are two methods of facilitating verification of the document from the source agency. The PIA will discuss the privacy issues and mitigation strategies for both the “push” and “pull” methods. The “push” method is where the non-Federal Entity provides DHS with a copy of its EDL database or similar databases from other non-Federal Entities prior to an individual showing up at the border. The “pull” method is where DHS does not receive the information about the individual until the individual crosses the border, at which time DHS pulls the information from the non-Federal Entity in real time to verify the accuracy of the travel documents. The PIA will be completed prior to the verification of EDLs against the issuing entity’s data.

  3. Border Crossing Information System (BCIS) System of Record Notice (SORN) – Currently, CBP maintains this data in the Treasury Enforcement Communications System (TECS). The TECS SORN is published at 66 FR 53029. As part of an on-going effort to review legacy SORNs, as well as to promote transparency and help the public stay informed about DHS programs, the Department will create a distinct SORN for the portion of TECS related to BCIS prior to the verification of new documents at the border.

  4. Non-Federal Entity Push Data SORN – As noted above, there are two methods of facilitating verification of a document from a source agency: the “push” and “pull” methods. Because the push method of information exchange between CBP and non-Federal entities, such as States or foreign governments, will create a new record to be stored in a DHS system, the Department will publish a SORN describing the system of records, in compliance with the Privacy Act of 1974, before CBP accepts any data at the border utilizing the push method.



Conclusion

This PIA updates the PIA which accompanied the WHTI NPRM for land and sea ports-of-entry. The final rule is substantially the same as the proposed rule, and there are no privacy concerns unique to it. Therefore, the NPRM PIA is the fullest examination of the privacy issues attendant with land and sea WHTI implementation. There is a further discussion of privacy issues related to the WHTI air rule, also published on the DHS Privacy Office website, www.dhs.gov/privacy.

Although the privacy compliance documentation is adequate to support WHTI implementation to date, the Department anticipates issuing additional compliance documents as additional elements of WHTI are rolled out according to the implementation plan in the final rule.







Responsible Officials


Laurence Castelli, Chief, Privacy Act Policy and Procedures Branch, Regulations and Rulings, Office of International Trade, U.S. Customs and Border Protection, (202) 572-8790.


Colleen M. Manaher, Director, WHTI Program Office, Office of Field Operations, U.S. Customs and Border Protection, (202) 344-3003.




Approval Signature Page






________________________________

Hugo Teufel III
Chief Privacy Officer
Department of Homeland Security





1 In addition, the DHS Privacy Office issued a PIA focusing on the first phase of WHTI implementation, for air ports-of-entry, on January 23, 2007. This air rule PIA is also on the Privacy Office’s website. The corresponding final rule was published on November 24, 2006, at 71 FR 68411.



File Type: application/msword
File Title: Privacy Impact Statement
Author: Ed Obloy
Last Modified By: Authorized User
File Modified: 2008-03-06
File Created: 2008-03-06
