Pia_dhs-all-028

Privacy Impact Assessment Update
for the

Department Freedom of Information Act
and Privacy Act Records Program
DHS/ALL/PIA-028(c)
December 20, 2018
Contact Point
James Holzer
Deputy Chief FOIA Officer
Department of Homeland Security
(202) 343-1717
Reviewing Official
Jonathan R. Cantor
Deputy Chief Privacy Officer
Department of Homeland Security
(202) 343-1717

Privacy Impact Assessment Update
DHS/ALL/PIA-028(c) FOIA and Privacy Act Records Program
Page 2

Abstract
The Freedom of Information Act (FOIA) and Privacy Act (PA) process for the Department
of Homeland Security (DHS) is maintained by the DHS Privacy Officer (PRIV). The FOIA and
PA process allows individuals to request access to federal agency records. PRIV is deploying a
new feature, “Public Access Link (PAL),” to enhance the use of its FOIA Information Technology
(IT) management software, FOIAXpress. This feature will allow requesters to access the FOIA IT
system through a digital portal, enabling them to submit requests or appeals, track the status of
their requests or appeals, communicate with FOIA analysts, and receive responses to their requests
or appeals. This Privacy Impact Assessment (PIA) Update is being completed to document this
new feature and discuss how personally identifiable information (PII) will be impacted.

Overview
The Freedom of Information Act (FOIA) is a federal statute that provides that any person
has the right to request access to federal agency records. FOIA also establishes a presumption that
records in the possession of the agencies and departments of the Executive Branch of the U.S.
Government are accessible to the people, except to the extent those records are protected from
disclosure by any of nine exemptions contained in the law or by one of three special law
enforcement exclusions. The Department of Homeland Security (DHS) FOIA and Privacy Act
(PA) Disclosure Division of the DHS Privacy Office (PRIV) exists to promote transparency of
Department Operations. The DHS Chief Privacy Officer serves concurrently as the Chief FOIA
Officer to promote efficiency, effectiveness, and statutory compliance throughout the Department.
FOIA provides the public with access rights to government records while the PA grants
individuals the right to access records about themselves. FOIA requires federal agencies to disclose
any information requested unless it falls under one of nine exemptions, which protect interests
such as personal privacy, national security, and law enforcement. The PA provides individuals the
right to access information about themselves, request amendment or correction of those records,
and request an accounting of disclosures of their records by the Department. The PA ensures proper
protections covering records maintained by the agency on individuals.
The DHS FOIA and PA Disclosure Division and most of the Department’s FOIA Service
Centers and FOIA offices use FOIAXpress,1 a commercial-off-the-shelf Information Technology
(IT) system, to manage the entire lifecycle of FOIA/PA requests and appeals (requests), from the
initial request to the final delivery of records. It enhances the ability of DHS FOIA Service Centers
and FOIA offices to receive, track, distribute, and respond to requests. The purposes of
FOIAXpress includes: (1) processing access requests and administrative appeals made under
FOIA, in addition to access and amendment requests and administrative appeals under the PA; (2)
1

All DHS Operational Components, with the exception of U.S. Citizenship and Immigration Services (USCIS) and
U.S. Customs and Border Protection (CBP) use a version of FOIAXpress to manage the lifecycle of requests within
their organization.

Privacy Impact Assessment Update
DHS/ALL/PIA-028(c) FOIA and Privacy Act Records Program
Page 3

participating in litigation regarding agency action on such requests and appeals; and (3) assisting
DHS FOIA offices in carrying out any other responsibilities related to FOIA and the PA, such as
reporting to the DHS FOIA and PA Disclosure Division of PRIV and other federal executive
officials.
The DHS FOIA and PA Disclosure Division is the FOIAXpress System Owner and is
responsible for the overall operation and maintenance of the system.

Reason for the PIA Update
This PIA is being updated to outline a new FOIAXpress feature known as the Public Access
Link (PAL). The PAL feature is a public‐facing web portal that complements the FOIAXpress
system by providing efficient and secure communication between agencies and the public. The
PAL feature allows members of the public to submit and track the status of requests and receive
responses directly through the FOIAXpress web portal.2
PAL enhances functionality, increases productivity, and speeds service delivery through a
personalized, secure web portal. PAL is integrated directly with FOIAXpress and offers a
centralized location for receiving online requests, delivering responsive records, communicating
with requesters, collecting fees, and providing access to released documents in a public reading
room in accordance with agency proactive disclosure guidelines.
The PAL is publicly accessible through the Internet; however, requesters do not have the
ability to directly access the FOIAXpress system or other data stored in the system. Only
authorized DHS FOIA/PA personnel have access to the data supplied by requesters via
FOIAXpress.
PRIV is acquiring this feature to satisfy compliance with the FOIA Improvement Act of
2016, which requires the Federal Government to create a consolidated online request portal that
allows a member of the public to submit a request for records under subsection (a) to any agency
from a single website. FOIA.gov was created to serve as the designated website, and federal
agencies have been tasked to create a public-facing portal that has interoperability with FOIA.gov.
3

2

This is different from the previous process that required requesters to submit requests to the Department through
various methods including U.S. mail, facsimile, email, web form, or via commercial shipping method. The web form
is a digital form, located on the DHS.gov website, which any user can use to file a request.
3
FOIA Improvement Act of 2016 (Public Law No. 114-185), available at https://www.gpo.gov/fdsys/pkg/PLAW114publ185/content-detail.html.

Privacy Impact Assessment Update
DHS/ALL/PIA-028(c) FOIA and Privacy Act Records Program
Page 4

Privacy Impact Analysis
In each of the below sections consider how the system has changed and what impact it has on the below fair
information principles. In some cases there may be no changes and indicate as such.

Authorities and Other Requirements
The FOIA Improvement Act of 2016 requires the Federal Government to create a
consolidated online request portal that allows a member of the public to submit a request for
records to any agency from a single website.
Information within the DHS FOIA and PA program is collected, maintained, used, and
disseminated in accordance with DHS/ALL-001 Freedom of Information Act and Privacy Act
Records System.4 The collection of additional information to allow individuals to use and access
the PAL feature of FOIAXpress (e.g., username and password) is covered under DHS/ALL-004
General Information Technology Access Account Records System (GITAARS).5
Characterization of the Information
FOIAXpress collects and maintains personally identifiable information (PII) for FOIA and
PA requests. FOIA requests are required to include basic contact information (e.g., first and last
name; home, work, or P.O. Box address; phone number; and email address) in order to respond to
the requester appropriately. PA requests are required to include PII for identifying records
contained within a specified DHS System of Records, and requesters are required to provide basic
contact information to process requests. If a PA requester is seeking information pertaining to him
or herself, he or she must sign the request, and the signature must be notarized, or the requester
can submit the request under 28 U.S.C. § 1746, which is a law that permits statements to be made
under penalty of perjury as a substitute for notarization.
Requesters who use PAL must set up their own accounts to electronically submit requests.
In order to set up a PAL user account, a requester may provide his/her full name, phone and/or fax
number, home address, email address, job title, and organization name, and his/her fee category.6
The data required by the PAL feature to file a FOIA/PA request is the same information previously
required to file a request and is covered by DHS/ALL-001 Freedom of Information Act and
Privacy Act Records System. The only new information collected through the implementation of
PAL will be a username and password that are required to create an account.
Privacy Risk: The central privacy risk associated with using FOIAXpress continues to be
the possible over-collection of information, whether through the presence of sensitive PII in the
4

DHS/ALL-001 Freedom of Information Act and Privacy Act Records System, 79 FR 6609 (February 4, 2014).
DHS/ALL-004 General Information Technology Access Account Records System (GITAARS), 77 FR 70792
(November 27, 2012).
6
Fees are assessed in accordance with the DHS FOIA/PA regulations, based on three categories of requestors:
commercial requesters; news media, educational, and scientific requesters; and all other requesters. For more
information, please see https://www.dhs.gov/foia-fee-structure-and-waivers.
5

Privacy Impact Assessment Update
DHS/ALL/PIA-028(c) FOIA and Privacy Act Records Program
Page 5

requests or responsive records saved in the system, or the submission of more information than is
necessary.
Mitigation: To mitigate these risks, the DHS FOIA and PA Disclosure Division has taken
steps to minimize the amount of information that the agency collects and maintains while
processing requests. For example, the PAL feature only asks for the minimum amount of contact
information necessary to communicate with requesters and respond to requests; the DHS FOIA
offices do not ask requesters to provide sensitive information (e.g., Social Security numbers).
Furthermore, when a FOIA/PA professional provides documents in response to a request,
the FOIA staff redacts personal information from the documents when the information, if publicly
disclosed, would cause a “clearly unwarranted invasion of personal privacy.”7 When a requester
is seeking his or her own information under the PA, FOIA staff verifies the individual’s identity.
Privacy Risk: There is a risk that a request, contact information, or any supporting
information provided, could be lost, misplaced by a mail service and/or FOIA/PA professional, or
entered into the system incorrectly.
Mitigation: This risk has been mitigated. The PAL feature allows users to enter in their
own contact information into the FOIAXpress system, and they have the ability to update this
information at any time, ensuring accuracy. The PAL feature also allows users to enter their FOIA
requests into FOIAXpress, and upload any pertinent documents to help assist in the search. This
minimizes the risk that a request and/or any additional materials would be lost or misplaced by a
mail service and/or FOIA/PA professional.
All FOIA personnel, including those FOIA/PA professionals who use FOIAXpress, are
subject to DHS policies and requirements for safeguarding PII. All FOIA personnel receive annual
computer-based privacy and security training, as well as other guidance explaining how to
safeguard information. The interactive online training covers topics such as how to properly handle
sensitive PII and other data, online threats, social engineering, and the physical security of
documents. In addition, all FOIA/PA professionals comply with the Department’s internal
procedures for safeguarding sensitive PII, which ensures such information is handled
appropriately.
Each FOIA/PA professional also takes periodic training on FOIA and PA issues provided
by approved outside sources (e.g., Department of Justice, Department of Agriculture Graduate
School, American Society of Access Professionals).
Uses of the Information
The information collected in the FOIAXpress system is used to respond to requests under
FOIA or the PA, to track these requests in order to maintain compliance with statutory response
times, and to maintain documents responsive to these requests in compliance with legal retention
7

See 5 U.S.C. § 552(b)(6).

Privacy Impact Assessment Update
DHS/ALL/PIA-028(c) FOIA and Privacy Act Records Program
Page 6

and disposition schedules, including any records that are exempt from disclosure to the requester
under FOIA or the PA. The information is also used to generate annual aggregate reports to the
Department of Justice (DOJ) as required by FOIA.
The information now collected through the implementation of the new PAL feature is used
to create user accounts for those who wish to submit requests.
Privacy Risk: There is a risk that the information maintained in FOIAXpress could be
used or accessed inappropriately.
Mitigation: This risk is mitigated. To avoid unauthorized access or disclosure, FOIA/PA
professionals follow agency procedures for storing, sharing, sending, transporting, logging, and
destroying sensitive personal information. Access to FOIAXpress, and the information it
maintains, is limited (by software licenses) to a small number of specified FOIA/PA professionals
who need system access to complete their professional responsibilities. Users may access
FOIAXpress only after entering a unique username and password, which they must change every
60 days. Only the user and FOIA/PA professionals with Administrator rights can change these
passwords.
Notice
Notice of the new PAL feature and the collection of information (e.g., username and
password) will be provided on the DHS Privacy Office public-facing website and accompanied by
an updated Privacy Notice. In addition to the website, the DHS FOIA and PA Disclosure Division
of PRIV will provide other public outreach efforts to familiarize the public with this new process.
Data Retention by the project
The previous General Records Schedule (GRS) 14, issued by National Archives and
Records Administration (NARA), for FOIA, Privacy Act, and classified documents administrative
records has been updated since the publication of the last PIA. The old GRS schedule has now
been superseded by GRS 4.2, Information Access and Protection Records.8 Record responses are
now retained for six (6) years rather than three (3) years that the previous scheduled stated.
The Retention Policy Management module in FOIAXpress allows for the creation,
safeguarding, and access, archival, and disposal of records according to the GRS. The FOIAXpress
retention policy begins when a request is closed. When closing a request, the system will set the
retention expiration date based on the retention policy configuration (6 years after final agency
action or 3 years after final adjudication by the courts, whichever is later).
Additionally, FOIAXpress will verify whether any open appeal or litigation matters exist
for the closed request. In such instances, the system will not allow users to mark the request for
deletion.
8

See https://www.archives.gov/files/records-mgmt/grs/grs04-2.pdf.

Privacy Impact Assessment Update
DHS/ALL/PIA-028(c) FOIA and Privacy Act Records Program
Page 7

Information Sharing
No changes from previous PIAs.
Redress
No changes from previous PIAs.
Auditing and Accountability
No changes from previous PIAs.

Responsible Official
James Holzer
Deputy Chief FOIA Officer
Privacy Office
Department of Homeland Security

Approval Signature
Original, signed copy on file with the DHS Privacy Office.
________________________________
Jonathan R. Cantor
Deputy Chief Privacy Officer
Department of Homeland Security