DHS/USCIS/PIA-027(b)

Privacy Impact Assessment Update
for the

Refugees, Asylum, and Parole System and the
Asylum Pre-Screening System
DHS/USCIS/PIA-027(b)
June 5, 2013
Contact Point
Donald K. Hawkins
Office of Privacy
United States Citizenship and Immigration Services
(202) 272-8030
Reviewing Official
Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security
(202) 343-1717

Privacy Impact Assessment Update
USCIS, RAPS PIA Update
Page 2

Abstract
The U.S. Department of Homeland Security (DHS), United States Citizenship and
Immigration Services (USCIS) is updating the Privacy Impact Assessment (PIA) for the
Refugees, Asylum, and Parole System (RAPS) and the Asylum Pre-Screening System (APSS) in
order to provide notice of the expansion in the National Counterterrorism Center (NCTC)’s
“temporary retention” of RAPS information due to the March 2012 release of the Guidelines for
Access, Retention, Use and Dissemination by the National Counterterrorism Center and other
Agencies of Information in Datasets Containing Non-Terrorism Information (AG Guidelines).

Introduction
As set forth in Section 451(b) of the Homeland Security Act of 2002, Public Law 107296, Congress charged USCIS with the administration of the asylum program, which provides
protection to qualified individuals in the United States who have suffered past persecution or
have a well-founded fear of future persecution in their country of origin as outlined under
Section 208 of the Immigration and Nationality Act (INA), 8 U.S.C. § 1158 and 8 CFR § 208.
USCIS is also responsible for the adjudication of the benefit program established by Section 203
of the Nicaraguan Adjustment and Central American Relief Act (NACARA), Pub. L. 105-100, in
accordance with 8 CFR § 240.60, and the maintenance and administration of the credible fear
and reasonable fear screening processes, in accordance with 8 CFR §§ 208.30 and 208.31.
USCIS developed RAPS and APSS in order to carry out its obligations in administering these
benefit programs.
RAPS and APSS track case status and facilitate the scheduling of appointments and
interviews and the issuance of notices (including receipt notices, appointment notices, and
decision letters) at several stages of the adjudication process. USCIS Asylum Offices use RAPS
and APSS to record decisions and to generate decision documents such as approval, dismissal, or
rescission of an asylum or NACARA § 203 application, denial of an asylum application,
administrative closure of an asylum application, or referral of an asylum or NACARA § 203
application to Executive Office of Immigration Review (EOIR). The systems also initiate,
receive, and record responses for national security and background check screening and prevent
the approval of any benefit prior to the review and completion of all security checks. Finally, the
systems provide fully-developed and flexible means for analyzing and managing program
workflows and provide the Asylum Program with statistical reports to assist with oversight of
production and processing goals.
Pursuant to the National Security Act of 1947, as amended, the National
Counterterrorism Center (NCTC) “serve[s] as the central and shared knowledge bank on known
and suspected terrorists and international terror groups, as well as their goals, strategies,

Privacy Impact Assessment Update
USCIS, RAPS PIA Update
Page 3

capabilities, and networks of contacts and support” (50 U.S.C. § 404o). In order to enhance
information sharing, the President issued Executive Order 13388, Further Strengthening the
Sharing of Terrorism Information to Protect Americans (October 27, 2005), which provides that
the head of each agency that possesses or acquires terrorism information shall promptly give
access to that information to the head of each other agency that has counterterrorism functions.
The Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004 (Pub. L. No. 108-458),
as amended, places an obligation on U.S. government agencies to share terrorism information
with the Intelligence Community, including NCTC. In certain instances, DHS shares an entire
dataset with an Intelligence Community member in order to support the counterterrorism
activities of the Intelligence Community and to identify terrorism information within DHS data.
In 2011, DHS began sharing the entire RAPS1 dataset with NCTC under a Memorandum
of Understanding (MOU). In 2013, DHS and NCTC entered into a new Memorandum of
Agreement (MOA) that supersedes the 2011 MOU and documents an expansion of routine
sharing with NCTC. The MOA permits NCTC to use RAPS information to facilitate NCTC’s
counterterrorism efforts and helps to ensure that immigration benefits are not granted to
individuals who pose a threat to national security. This information sharing also aligns with
DHS’s mission to prevent and deter terrorist attacks. Pursuant to 8 CFR § 208.6(a), the
Secretary has authorized regular sharing of asylum-related information for this purpose. The
MOA includes a number of safeguards to ensure the information is only used for the purposes
explicitly permitted under the MOA, this PIA, and the DHS/USCIS-010 Asylum Information and
Pre-Screening SORN (January 5, 2010, 75 FR 409). The MOA also limits the amount of time
the information is maintained at NCTC, ensures proper information technology security is in
place during and after transmission of the RAPS information to NCTC, requires training on
interpreting RAPS information, and provides for routine reporting and auditing of NCTC’s use
of the information.

Reason for the PIA Update
USCIS is updating the existing PIA (DHS/USCIS/PIA-027)2, to provide notice of an
expansion in NCTC’s ‘temporary retention’ of RAPS information.3 Under Executive Order
12333, United States Intelligence Activities (December 8, 1981), as amended, IC elements are
required to have guidelines approved by the Attorney General of the United States for the
collection, retention, and dissemination of information concerning United States Persons (U.S.
1

The MOA does not include the APSS database.
The existing DHS/USCIS/PIA-027 was first published on November 24, 2009, and updated subsequently on June
30, 2011.
3
The purpose of this temporary retention period is to allow NCTC sufficient time to determine whether the U.S.
Person information it receives from other federal departments and agencies is terrorism information.
2

Privacy Impact Assessment Update
USCIS, RAPS PIA Update
Page 4

Persons).4 These guidelines outline temporary retention periods during which an IC element
must determine whether it can continue to retain U.S. Person information, consistent with
Executive Order 12333 and the purposes and procedures outlined in its guidelines.
In March 2012, the Attorney General of the United States approved Guidelines for
Access, Retention, Use and Dissemination by the National Counterterrorism Center and other
Agencies of Information in Data Sets Containing Non-Terrorism Information (AG Guidelines).5
These Guidelines establish an outside limit of five years for NCTC’s temporary retention of U.S.
Person information obtained from the datasets6 of other federal departments and agencies. The
purpose of this temporary retention is to provide NCTC sufficient time to determine whether the
U.S. Person information it receives from other federal departments and agencies is terrorism
information.7 The AG Guidelines allow NCTC to retain all information in the datasets it
receives for the full temporary retention period,8 whereby the information may be “continually
assessed” against new intelligence to identify previously unknown links to terrorism.9 NCTC
may only retain U.S. Person information within such datasets beyond the temporary retention
period if the information is “reasonably believed to constitute terrorism information.” 10 In light
of the new AG Guidelines, NCTC requested that DHS re-evaluate its information sharing and
access agreements with NCTC, including the 2011 MOU to share RAPS information.
NCTC’s Guidelines use the definition of U.S. Person provided in Executive Order 12333, which states that a U.S.
Person is “a United States citizen, an alien known by the intelligence element concerned to be a permanent resident
alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens,
or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign
government or governments.” See Executive Order 12333, Section 3.5(k).
5
See NCTC’s AG Guidelines, available at http://www.nctc.gov/docs/NCTC Guidelines.pdf.
6
In the context of DHS’s information sharing relationship with NCTC, a “dataset” refers to a collection of
information about a set of individuals that DHS has gathered during its routine interactions (e.g., screening travelers,
reviewing immigration benefit applications, issuing immigration benefits) with the public. Consequently, DHS
datasets contain information about individuals who have no connection to terrorism. A dataset may constitute all the
records in a Privacy Act System of Records, or a portion of the records therein.
7
NCTC’s AG Guidelines use the statutory definition of “terrorism information” in Section 1016 of the Intelligence
Reform and Terrorism Prevention Act of 2004, which states “the term ‘terrorism information’—(A) means all
information, whether collected, produced, or distributed by intelligence, law enforcement, military, homeland
security, or other activities relating to: (i) the existence, organization, capabilities, plans, intentions, vulnerabilities,
means of finance or material support, or activities of foreign or international terrorist groups or individuals, or of
domestic groups or individuals involved in transnational terrorism; (ii) threats posed by such groups or individuals
to the United States, United States persons, or United States interests, or to those of other nations; (iii)
communications of or by such groups or individuals; or (iv) groups or individuals reasonably believed to be assisting
or associated with such groups or individuals; and (B) includes weapons of mass destruction information.” 6 U.S.C.
§ 485(a)(5).
8
As noted later in the PIA, the Guidelines allow departments and agencies to negotiate the terms and conditions of
information sharing and access agreements. Through these negotiations, departments and agencies may establish
temporary retentions period that are less than the five year outside limit established by the AG Guidelines. DHS’s
agreement with NCTC for RAPS information establishes a temporary retention period of three years for reasons
explained later in the PIA.
9 See NCTC’s AG Guidelines, available at http://www.nctc.gov/docs/NCTC Guidelines.pdf.
10 See NCTC’s AG Guidelines, available at http://www.nctc.gov/docs/NCTC Guidelines.pdf.
4

Privacy Impact Assessment Update
USCIS, RAPS PIA Update
Page 5

The AG Guidelines preserve the Department’s authority to negotiate with NCTC the
terms and conditions of information sharing and access agreements relating to, among other
things, “privacy or civil rights or civil liberties concerns and protections.”11 One such protection
is the amount of time NCTC may retain DHS data that does not constitute terrorism information.
With this in mind, DHS developed a Data Retention Framework of Factors to determine
appropriate temporary retention periods for DHS datasets on a system-by-system basis. This
Framework includes factors related to the sensitivity of a dataset and operational considerations.
Factors related to the sensitivity of a dataset include: the circumstances of collection, the amount
of U.S. Person information in the dataset, and the sensitivity of the particular data fields (e.g.,
sensitive personally identifiable information) that are requested. Operational factors include: the
mission benefits to DHS, the mission benefits to NCTC, and any limitations for the DHS data
steward (e.g., DHS’s own retention period for the dataset). Using the Data Retention Framework
of Factors, DHS and NCTC agreed to a three year temporary retention period for all RAPS
information provided to NCTC.
RAPS information is further controlled by regulations related to asylum information.
The federal regulation at 8 CFR § 208.6 generally prohibits the disclosure to third parties of
information contained in or pertaining to asylum applications—including information contained
in RAPS—except under certain limited circumstances. Pursuant to 8 CFR § 208.6(a), the
Secretary of Homeland Security may specifically authorize the disclosure of asylum-related
information, and the Secretary has authorized DHS to share asylum-related information with
elements of the Intelligence Community and agencies with counterterrorism functions. These
organizations may retain asylum-related information for a maximum period of three years, unless
the asylum-related information is identified as terrorism information or, in the case of an
Intelligence Community element, as information determined to be relevant to the element’s
authorized intelligence function(s).
The 2013 MOA documents NCTC’s expanded temporary retention period and augments
the privacy protections of the 2011 agreement with NCTC. The MOA continues to recognize the
special considerations attendant with using, retaining, and dissemination RAPS information. In
addition, the MOA augments privacy protections related to transparency, redress, and oversight.
To promote transparency, the MOA requires DHS and NCTC to develop public PIAs that
provide notice regarding the existence and contents of the MOA and to cooperate to promote
transparency through efforts such as joint presentations to Congress and the DHS Data Privacy
and Integrity Advisory Committee. With respect to redress, the MOA requires NCTC to
establish a redress mechanism for individuals whose PII has been retained as terrorism
information. The redress process will direct any request for correction or redress to DHS for
resolution, as appropriate. For any records corrected by DHS through this process, NCTC will

11

See NCTC’s AG Guidelines, available at http://www.nctc.gov/docs/NCTC Guidelines.pdf.

Privacy Impact Assessment Update
USCIS, RAPS PIA Update
Page 6

correct those records in its possession when it receives a notification of the correction from DHS.
To increase oversight, DHS and NCTC have refined the quarterly reporting requirements
regarding NCTC’s use and retention of the DHS information. Additionally, the MOA allows
DHS to assign an on-site oversight representative to NCTC to provide intelligence, data
stewardship, privacy, civil rights, and civil liberties oversight of the handling of DHS
information by NCTC.

Privacy Impact Analysis
The System and the Information Collected and Stored within the System
There is no change in the collection of RAPS and APSS information.
Uses of the System and the Information
There are no changes to the uses of the system and the information described in the
RAPS and APSS PIA.
Retention
The DHS retention period for RAPS and APSS have not changed.
Pursuant to the MOA, NCTC will now be allowed to temporarily retain RAPS
information for up to three years in order to identify terrorism information, in support of its
counterterrorism mission and in support of DHS’s mission. NCTC previously retained RAPS
information for 180 days. The three year temporary retention period commences when DHS
delivers the RAPS information to NCTC. When NCTC replicates RAPS information, the
records will be marked with a “time-to-live” date, which will specify when the RAPS
information will be deleted if it is not identified as terrorism information. NCTC will purge all
RAPS records not determined to constitute terrorism information no later than three years from
receipt of the record from DHS. This process will be audited as required under the MOA.
Since NCTC’s AG Guidelines allow information to be “continually assessed” during the
temporary retention period,12 NCTC may retain all RAPS information for three years, regardless
of whether NCTC has made a terrorism information determination about a particular RAPS
record, as it is possible that new intelligence or terrorism information will identify previously
unknown terrorism information within that RAPS record. NCTC may retain RAPS records
determined to constitute terrorism information in accordance with NCTC’s authorities and
policies, applicable law, and the terms of the MOA.

12

See NCTC’s AG Guidelines, available at http://www.nctc.gov/docs/NCTC Guidelines.pdf.

Privacy Impact Assessment Update
USCIS, RAPS PIA Update
Page 7

Internal Sharing and Disclosure
There are no changes to the internal sharing and disclosures described in the RAPS and
APSS PIA.
External Sharing and Disclosure
DHS has entered into an updated MOA with NCTC in order to facilitate NCTC’s
counterterrorism efforts and to identify terrorism information within RAPS. Pursuant to 8 CFR §
208.6(a), the Secretary has authorized regular sharing of asylum-related information for this
purpose. This information sharing also aligns with DHS’s mission to prevent and deter terrorist
attacks and helps to ensure that immigration benefits are not granted to individuals who pose a
threat to national security. This sharing is conducted pursuant to routine uses H and I of the
DHS/USCIS-010 SORN, which states that DHS may share RAPS and APSS information with
“any element of the U.S. Intelligence Community, or any other federal or state agency having a
counterterrorism function, provided that the need to examine the information or the request is
made in connection with its authorized intelligence or counterterrorism function or functions and
the information received will be used for the authorized purpose for which it is requested.”
A material condition for DHS’s sharing RAPS information with NCTC is that the sharing
must provide real and ongoing value to both NCTC’s and DHS’s missions. NCTC replicates
RAPS information into its Counterterrorism Data Layer (CTDL) to support its counterterrorism
efforts. The CTDL provides NCTC analysts “with the ability to search, exploit, and correlate
terrorism information in a single environment.”13 For example, NCTC analysts may run queries
against RAPS information in the CTDL to identify terrorism information within RAPS. When
RAPS information is determined to constitute terrorism information, NCTC will provide
feedback to DHS, which DHS may use to support its mission to prevent and deter terrorist
attacks.
Additionally, NCTC will conduct automated screening of all RAPS information to
generate potential leads that may constitute terrorism information. NCTC analysts will review
all of the potential leads to determine whether the RAPS information constitutes terrorism
information. NCTC will process all RAPS records through this screening support process within
the temporary retention period of three years to determine whether RAPS records constitute
terrorism information. This screening support activity supports DHS’s mission to prevent and
deter terrorist attacks and assists DHS in its assessment of the national security risk that may be
posed by granting asylum status to applicants. Because this screening support assists DHS, the
MOA includes provisions to allow DHS, in coordination with NCTC, to perform the review of

13

See “Information Sharing Environment Annual Report to the Congress: National Security Through Responsible
Information Sharing,” dated June 30, 2012. Available at: http://
http://ise.gov/sites/default/files/ISE_Annual_Report_to_Congress_2012.pdf.

Privacy Impact Assessment Update
USCIS, RAPS PIA Update
Page 8

the automated matches if NCTC resources or workload prioritization preclude NCTC from
providing this review.
NCTC will review, retain, and disseminate RAPS records it has determined to constitute
terrorism information in accordance with procedures approved for NCTC by the Attorney
General in accordance with Section 2.3 of Executive Order 12333, and additional terms specified
in the MOA.
The MOA has strict safeguards to protect the PII provided to NCTC. These protections
include limitations on disclosures to foreign governments. In addition, the completion of
training on privacy and RAPS information is a requirement for NCTC personnel to receive and
maintain access to RAPS. The agreement stipulates that both DHS and NCTC personnel will be
appropriately trained regarding the proper treatment of PII and proper care of the information
systems used to ensure the overall safeguarding of the information in addition to applicable rules
and conditions concerning United States Persons information. DHS and NCTC will each ensure
that its employees, including contractors with access to any of the other Party’s records, have
completed privacy training on the handling of PII.
Within 30 days of signing the new MOA, DHS/USCIS will provide initial training to all
current NCTC users of RAPS information on RAPS, protections for asylum and refugee-related
information, and other Special Protected Classes of individuals as they relate to RAPS
information. New NCTC users of RAPS information will complete the appropriate initial
training before they access RAPS information. All NCTC users who access RAPS information
will complete refresher training provided by DHS/USCIS at least annually in order to retain their
access. Additionally, the MOA allows DHS to assign an on-site oversight representative to
NCTC to provide intelligence, data stewardship, privacy, civil rights, and civil liberties oversight
of the handling of DHS information by NCTC.
The MOA stipulates that NCTC may not disseminate to third parties information derived
from RAPS information unless that information is identified as terrorism information. The MOA
also establishes procedures for NCTC’s dissemination of RAPS information that has been
identified as terrorism information. NCTC will maintain an electronic copy of the RAPS
information that is disseminated, including to whom the information is disseminated and the
purpose for the dissemination. However, if there is a question on RAPS information and its
relationship to terrorism, NCTC may request permission from DHS to share this RAPS
information with other intelligence agencies.
This external sharing is also being appropriately logged pursuant to subsection (c) of the
Privacy Act, which requires the Department to maintain a log of when records have been shared
outside of DHS.

Privacy Impact Assessment Update
USCIS, RAPS PIA Update
Page 9

Notice
The system of records notice for RAPS and APSS was published on January 5, 2010, 75
FR 409, and remains accurate and current. Routine uses H and I cover this sharing.
Individual Access, Redress, and Correction
There are no changes to the access, redress, and correction procedures described in the
RAPS and APSS PIA.
Technical Access and Security
No changes.
Technology
No changes.

Responsible Official
Donald K. Hawkins
Privacy Officer
U.S. Citizenship and Immigration Services
U.S. Department of Homeland Security

Approval Signature
Original signed copy on file with DHS Privacy Office.
_________________________________

Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security