Sevis Pia Update 2011

Privacy Impact Assessment Update
for the

Student Exchange Visitor Information System
(SEVIS)
DHS/ICE/PIA – 001(a)
June 23, 2011
Contact Point
James Dinkins
Executive Associate Director
Homeland Security Investigations
Immigration and Customs Enforcement
(202) 732-5100
Reviewing Official
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
(703) 235-0780

Privacy Impact Assessment Update
ICE, Student Exchange Visitor Information System (SEVIS)
Page 2

Abstract
Department of Homeland Security (DHS) Immigration Customs Enforcement (ICE) is
updating the Privacy Impact Assessment (PIA) for the Student Exchange Visitor Information
System (SEVIS) published on February 5, 2005, in order to provide further notice of the
expansion of routine sharing of SEVIS with the intelligence community in support of the
Department’s mission to protect the United States from potential terrorist activities.

Introduction
Congress mandated that DHS in consultation with the Departments of State (DOS) and
Education (DOED), develop a national system to collect and maintain pertinent information on
nonimmigrant students and exchange visitors, and the school and exchange visitor sponsors that
host these individuals in the United States. ICE’s Student and Exchange Visitor Program
(SEVP) operates the SEVIS database under the authority of 8 U.S.C. § 1372 in coordination with
the DOS, which oversees the operation of the Exchange Visitor (EV) program. Section 1372
requires DHS to develop and conduct a program to collect electronically from approved
educational institutions and designated EV programs in the United States certain information
about aliens who have or are applying for F, M, or J non-immigrant status. Section 1372 also
requires that particular information be collected, such as identifying information about the alien;
field of study, status and compliance information from educational institutions and exchange
visitor programs; and the alien’s date and port of entry.
Student, exchange visitor, and dependent information are maintained in SEVIS. SEVIS
is an Internet-based system that maintains real time information on nonimmigrant students (F
and M visa), exchange visitors (J visa), and their dependents (F/M/J-2). Designated school
officials of SEVP-certified schools and responsible officers of DOS-approved programs use
SEVIS to transmit mandatory information and event notification via the Internet to DHS and
DOS throughout the lifecycle of a student or exchange visitor, from entry, to stay and to exit
from the United States.
Pursuant to the National Security Act of 1947, as amended, the National Counter
Terrorism Center (NCTC) “serve[s] as the central and shared knowledge bank on known and
suspected terrorists and international terror groups, as well as their goals, strategies, capabilities,
and networks of contacts and support.” 50 U.S.C. § 404o. In order to enhance information
sharing, the President issued Executive Order 13388, Further Strengthening the Sharing of
Terrorism Information to Protect Americans (October 27, 2005), which provides that the Head
of each agency that possesses or acquires terrorism information shall promptly give access to that
information to the head of each other agency that has counterterrorism functions. The
Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004 (Pub. L. No. 108-458), as

Privacy Impact Assessment Update
ICE, Student Exchange Visitor Information System (SEVIS)
Page 3

amended places an obligation on U.S. government agencies to share terrorism information with
the intelligence community, including NCTC. In certain instances, DHS shares the entire dataset
with an intelligence community member in order to support the counterterrorism activities of the
intelligence community and to identify terrorism information within DHS data. DHS has
decided to share the entire SEVIS database with NCTC under a Memorandum of Agreement
(MOA). The MOA permits NCTC to use SEVIS information to facilitate NCTC’s
counterterrorism efforts. This information sharing also aligns with DHS’s mission to prevent
and deter terrorist attacks. The MOA includes a number of safeguards to ensure the data is only
used for the purposes explicitly permitted under the MOA, this PIA, and the DHS/ICE – 001
Student and Exchange Visitor Information System of Records Notice (SORN) 75 FR 412,
January 5, 2010. 1 The MOA also limits the amount of time the information is maintained at
NCTC, ensures proper information technology security is in place during and after transmission
of the SEVIS data to NCTC, requires deletion of data, requires training for staff accessing
SEVIS, and provides for routine reporting and auditing of NCTC’s use of the data.

Reason for the PIA Update
DHS/ICE is updating the existing SEVIS PIA (DHS/ICE/PIA-001) published on
February 5, 2005, 2 to account for the routine sharing of SEVIS data with the intelligence
community, including NCTC. DHS has entered into an MOA NCTC in order to facilitate
NCTC’s counterterrorism efforts. This information sharing also aligns with DHS’s mission to
prevent and deter terrorist attacks. DHS and NCTC have placed specific safeguards in this MOA
to ensure that the data is used appropriately and in accordance with the existing SORN,
DHS/ICE – 001 Student and Exchange Visitor Information System of Records, 75 FR 412,
January 5, 2010, and this PIA.

Privacy Impact Analysis
The System and the Information Collected and Stored within the System
There is no change in the collection of SEVIS information. ICE continues to collect the
following type of information from nonimmigrant students, exchange visitors, and dependents:
the nonimmigrant's name, country of birth, date of birth, country of citizenship, educational
background, information on the education/program activity for which the individual is seeking
admittance, and passport and visa information. A complete list of information collected and
maintained in SEVIS on all nonimmigrant students, exchange visitors, and their dependents is
listed in Appendix C of DHS/ICE/PIA-001 SEVIS PIA published on February 5, 2005.

1
2

Available at: http://edocket.access.gpo.gov/2010/E9-31268.htm.
Available at: http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_sevis.pdf.

Privacy Impact Assessment Update
ICE, Student Exchange Visitor Information System (SEVIS)
Page 4

Certified schools must provide specific information regarding the school, the nature and
requirements of the educational program, location and contact information, and costs to attend.
Designated sponsors must provide similar information regarding their exchange visitor
programs. A full list of information collected from schools and sponsors is listed in Appendix C
of DHS/ICE/PIA-001 SEVIS PIA published on February 5, 2005.
ICE is providing a subset of SEVIS data to NCTC in order to facilitate NCTC’s
counterterrorism efforts. This information sharing also aligns with DHS’s mission to prevent
and deter terrorist attacks.
Uses of the System and the Information
DHS/ICE has not changed the uses of the information.
Retention
The DHS retention period for SEVIS has not changed. The retention period for SEVIS
records is 75 years. For the purposes of the MOA with NCTC, DHS has identified certain data
fields as presumed U.S. Person information. Fields identified as U.S. Persons may be retained
by NCTC for up to 180 days in order to identify terrorism information, in support of its
counterterrorism mission and in support of DHS’s mission to prevent and deter terrorist attacks.
NCTC may retain any SEVIS information it identifies as “terrorism information” as defined in
the Intelligence Reform and Terrorism Prevention Act of 2004 (Pub.L. 108-458) for as long as it
is permitted to under applicable laws, policies, and standards governing the retention of terrorism
information.
Internal Sharing and Disclosure
No changes have been made to internal sharing. Information about non-immigrant
students and exchange visitors from SEVIS is systematically shared with US-VISIT in order to
build the Arrival and Departure Information System (ADIS) 3 to identify immigrants and non
immigrants.
External Sharing and Disclosure
DHS has entered into a MOA with NCTC in order to facilitate NCTC’s counterterrorism
efforts. This information sharing also aligns with DHS’s mission to prevent and deter terrorist
attacks. This sharing is conducted pursuant to routine use W of the SEVIS SORN, which states
that DHS may share SEVIS information with “a federal, state, or local agency, or other
appropriate entity or individual, or through established liaison channels to selected foreign
governments, in order to provide intelligence, counterintelligence, or other information for the
purposes of intelligence, counterintelligence, or antiterrorism activities authorized by U.S. law,
Executive Order, or other applicable national security directive.”
3

The PIA and SORN for DHS/NPPD/US-VISIT/ADIS can be found at www.dhs.gov/privacy.

Privacy Impact Assessment Update
ICE, Student Exchange Visitor Information System (SEVIS)
Page 5

NCTC will process SEVIS data identified as or presumed to be U.S. Person information
within 180 calendar days of receipt from DHS to determine whether a nexus to terrorism exists.
NCTC will immediately purge all SEVIS data that do not constitute terrorism information no
more than 180 calendar days from receipt. This process will be audited as required under the
MOU. NCTC will review, retain, and disseminate SEVIS data it has determined to have a nexus
to terrorism in accordance with procedures approved for NCTC by the Attorney General in
accordance with Section 2.3 of Executive Order 12333 and additional terms specified in the
MOU.
The MOU has strict safeguards to protect the PII provided to NCTC. These protections
include oversight of NCTC’s use of the data by DHS personnel detailed to NCTC. In addition,
training has been provided to NCTC users on the appropriate use of personally identifiable
information (PII). DHS/ICE will provide annual and periodic training to appropriate NCTC
personnel on proper interpretation of the data contained in SEVIS and on proper treatment of
data from certain categories which require special handling, such as asylum, refugee, and U.S.
Person data.
NCTC may not disseminate to third parties information derived from SEVIS data, unless
that data was identified as containing terrorism information. NCTC shall maintain an electronic
copy of the SEVIS data that was disseminated, to whom, and the purpose for the dissemination.
Additionally, DHS is accounting for the disclosures of SEVIS data to NCTC pursuant to
subsection (c) of the Privacy Act, which requires the Department to maintain an account of
disclosures of Privacy Act records when such records are disclosed outside of DHS.
Notice
The SEVIS SORN was published in the Federal Register on January 5, 2010, 75 FR 412,
and remains accurate and current. Routine Use W covers this sharing.
Individual Access, Redress, and Correction
No changes have been made to access, redress, and correction.
DHS allows persons, including foreign nationals, to seek administrative access under the
Privacy Act to certain information maintained in SEVIS. Individual’s may request access to
their own data maintained in SEVIS by filing a request under the Freedom of Information
Act/Privacy Act to the ICE FOIA Office. Specific instructions for filing a request with the ICE
FOIA Office may be found at www.ice.gov/FOIA.
Requests should conform to the requirements of 6 CFR Part 5, which provides the rules
for requesting access to Privacy Act records maintained by DHS. The envelope and letter should
be clearly marked “Privacy Act Access Request.” The request should include a general
description of the records sought and must include the requester’s full name, current address, and

Privacy Impact Assessment Update
ICE, Student Exchange Visitor Information System (SEVIS)
Page 6

date and place of birth. The request must be signed and either notarized or submitted under
penalty of perjury.
Technical Access and Security
The new sharing is conducted in conformance with existing information technology
security protocols, including encryption.
Technology
No changes.

Responsible Official
Lyn Rahilly
Privacy Officer
U.S. Immigration and Customs Enforcement
Department of Homeland Security

Approval Signature
Final signed version on file with the DHS Privacy Office.
________________________________
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security