PIA_DHS-NPPD-PIA-018(a)

Privacy Impact Assessment Update
for the

Chemical Facility Anti-Terrorism
Standards (CFATS) Personnel Surety
Program, Initial Implementation
DHS/NPPD/PIA-018(a)
May 1, 2014
Contact Point
David Wulf
NPPD/IP/ISCD
(703) 603-4778
Reviewing Official
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security
(202) 343-1717

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 2

Abstract
The Department of Homeland Security (DHS) / National Protection and Programs
Directorate (NPPD) is updating the Chemical Facility Anti-Terrorism Standards (CFATS)
Personnel Surety Program’s Privacy Impact Assessment (PIA) to account for changes to the
Program since the publication of the program’s original PIA on May 4, 2011.

Overview
On October 4, 2006, the President signed the Department of Homeland Security (DHS)
Appropriations Act of 2007 (the Act). 1 Section 550 requires DHS to regulate the security of
high-risk chemical facilities. DHS promulgated regulations implementing Section 550, the
Chemical Facility Anti-Terrorism Standards (CFATS). 2
Section 550 also requires that DHS establish risk-based performance standards (RBPS)
for high-risk chemical facilities. DHS promulgated 18 RBPS under CFATS. RBPS 12 –
Personnel Surety – requires high-risk chemical facilities to:
Perform appropriate background checks on and ensure appropriate credentials for facility
personnel, and as appropriate, for unescorted visitors with access to restricted areas or
critical assets, including, (i) Measures designed to verify and validate identity; (ii)
Measures designed to check criminal history; (iii) Measures designed to verify and
validate legal authorization to work; and (iv) Measures designed to identify people with
terrorist ties. 3
The ability to identify affected individuals (i.e., facility personnel or unescorted visitors
with or seeking access to restricted areas or critical assets at high-risk chemical facilities) who
have terrorist ties is an inherently governmental function and necessarily requires the use of
information held in government-maintained databases that are unavailable to high-risk chemical
facilities. Thus, under RBPS 12(iv), which requires high-risk chemical facilities to take
measures to identify people with terrorist ties, DHS and high-risk chemical facilities must work
together to satisfy the “terrorist ties” aspect of the Personnel Surety performance standard. 4
Each chemical facility that DHS determines to be high-risk must submit a Site Security
Plan (SSP), or an Alternative Security Program (ASP) for DHS approval that satisfies each
applicable RBPS.

1

Department of Homeland Security Appropriations Act of 2007, Pub. L. 109-295, 120 Stat. 1355 (2006).
See 6 CFR Part 27.
3
See 6 CFR § 27.230(a)(12).
4
See 6 CFR § 27.230(a)(12)(iv).
2

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 3

Options for facilities to comply with RBPS 12(iv):
Under the CFATS Personnel Surety Program, a high-risk chemical facility has at least
three options under RBPS 12(iv) for each affected individual:
•

•

•

5

Option 1 – Direct vetting: High-risk chemical facilities (or their designees 5) may submit
information to NPPD about an affected individual to be compared against identifying
information of known or suspected terrorists contained in the Federal Government’s
terrorist watchlist, the Terrorist Screening Database (TSDB), which is maintained by the
Department of Justice (DOJ) Federal Bureau of Investigation’s (FBI) Terrorist Screening
Center (TSC) 6, and/or
Option 2 – Use of vetting conducted under other DHS programs: High-risk chemical
facilities (or their designees) may submit information to NPPD about an affected
individual’s enrollment in the Transportation Security Administration (TSA)
Transportation Worker Identification Credential (TWIC) Program 7; TSA Hazardous
Materials Endorsement (HME) Program 8; or the U.S. Customs and Border Protection
(CBP) NEXUS, Secure Electronic Network for Travelers Rapid Inspection (SENTRI),
Free and Secure Trade (FAST), and Global Entry Trusted Traveler Programs (Trusted
Traveler Program). 9 Each of those programs conducts recurrent vetting, which is
equivalent to the terrorist ties vetting conducted under Option 1, and/or
Option 3 – Electronic verification of TWIC: High-risk chemical facilities may
electronically verify and validate an affected individual’s TWIC 10 through the use of
TWIC readers (or other technology that is periodically updated with revoked card

Third parties or organizations employing affected individuals that provide services to high-risk chemical facilities.
For more information about the TSDB, see DOJ/FBI – 019 Terrorist Screening Records System, 72 FR 47073
(August 22, 2007).
7
See DHS/TSA/PIA-012 - Transportation Worker Identification Credential (TWIC) Program, available at
www.dhs.gov/privacy. See also DHS/TSA 002 - Transportation Security Threat Assessment System, 75 FR 28046
(May 19, 2010).
8
See DHS/TSA/PIA-002 - Hazardous Materials Endorsement (HME), available at www.dhs.gov/privacy. See also
DHS/TSA 002 - Transportation Security Threat Assessment System, 75 FR 28046 (May 19, 2010).
9
See DHS/CBP/PIA-002 - Global Enrollment System (GES), available at www.dhs.gov/privacy. See also
DHS/CBP-002 - Global Enrollment System, 78 FR 3441 (Jan. 16, 2013). U.S. Customs and Border Protection
(CBP) has introduced SENTRI and Global Entry as Trusted Traveler Programs since the publication of CFATS in
April 2007. DHS, therefore, intends to enable high-risk chemical facilities (or their designees) to submit
information about affected individuals’ SENTRI and Global Entry enrollments to DHS under Option 2, even though
SENTRI and Global Entry were not listed along with the other Trusted Traveler Programs in the CFATS Interim
Final Rule preamble. See 72 FR 17688, 17709 (April 9, 2007).
10
Verification and validation of an affected individual’s TWIC requires authentication that the affected individual’s
TWIC is (1) a valid credential issued by TSA, and (2) contains the Card Holder Unique Identifier and correct digital
signature.
6

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 4

information) 11, rather than submitting information about the affected individual to NPPD.
In addition to the options described above for satisfying RBPS 12(iv), high-risk chemical
facilities may propose alternative or supplemental options not described in this PIA in their SSPs
or ASPs. NPPD will assess the adequacy of alternative or supplemental options on a facility-byfacility basis, in the course of evaluating each facility’s SSP or ASP.12
Recurrent vetting
Under Options 1 and 2, facilities (or their designees) will submit information about
affected individuals through NPPD’s Chemical Security Assessment Tool (CSAT) Personnel
Surety application. As long as the individual is an affected individual, he or she will undergo
recurrent vetting. Recurrent vetting compares an affected individual's information against new
or updated TSDB records as those new or updated records become available. A facility is
required to notify NPPD when an affected individual no longer has access to restricted areas or
critical assets, so that DHS can stop vetting the individual under the CFATS Personnel Surety
Program. A facility (or its designee) can notify NPPD by entering a future date during the initial
data submission, or as an update, indicating when the individual will no longer need access.
TSA’s Office of Transportation Threat Assessment and Credentialing (TTAC), which
conducts vetting of information against the TSDB for several DHS programs, conducts the
recurrent vetting on behalf of NPPD under Option 1. 13 TTAC compares the information
pertaining to affected individuals to information listed in the TSDB. TTAC determines whether
each individual's personally identifiable information (PII): 1) does not match a TSDB record; or
2) is a potential match to a TSDB record. Each potential match to the TSDB is then manually
vetted to determine whether a match has occurred.
TTAC forwards results of all positive matches to FBI’s TSC, which makes final match
determinations. Upon final determination by TSC that an individual is a positive match, TSA
notifies other divisions/offices within FBI and DHS (NPPD) as appropriate.

11

The Department currently offers two ways to determine if a TWIC has been revoked (or reported lost or stolen).
One is the Canceled Card List (CCL), the other is the Certificate Revocation List (CRL). More information about
the CCL may be found at
http://www.tsa.gov/sites/default/files/publications/pdf/twic/canceled_card_list_ccl_faq.pdf. More information about
the CRL may be in the TWIC Notice of Proposed Rulemaking published on March 29, 2009, at 74 FR 13364, which
may be accessed at https://www.federalregister.gov/articles/2009/03/27/E9-6852/transportation-workeridentification-credential-twic-reader-requirements#p-122.
12
High-risk chemical facilities have wide latitude in how they chose to comply with RBPS 12(iv). The choice will
likely be based on how the facility has established its operational and business processes, which will vary from
facility to facility. Facilities have the ability to leverage any of the options, propose an alternative, or use a
combination of options.
13
Under Option 2, however, TTAC is not conducting vetting on behalf of NPPD but rather NPPD works with TSA
and CBP to confirm an affected individual’s enrollment in one of the other DHS programs.

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 5

Federal response to a positive match
In the event that there is a potential match, DHS will have procedures in place that it
follows to confirm the match and coordinate with appropriate law enforcement entities as
necessary.
When notified that an affected individual has known or suspected terrorist ties, NPPD
will review the records within its possession and provide information to appropriate individuals
and agencies about:
•
•

To which high-risk chemical facility(ies) the affected individual with known or suspected
terrorist ties may have access; and
Relevant information about the facility that may be pertinent to investigations about the
affected individual with known or suspected terrorist ties, or to other terrorism
investigations.

Appropriate offices within DHS will obtain references to or information about the
affected individual from other government law enforcement and intelligence databases, as well
as other relevant databases that may contain terrorism information. DHS will use the
information to assess the risk the affected individual poses to the high-risk chemical facility(ies)
at which the affected individual with known or suspected terrorist ties may have access. DHS
shares the determination of risk to the high-risk chemical facility by the affected individual with
known or suspected terrorist ties with appropriate individuals and agencies for further
coordination.
DHS’s design of the CFATS Program is intended to promote and enhance the security of
high-risk chemical facilities; the Personnel Surety Program is one element of the larger CFATS
Program. To prevent a significant threat to a facility or loss of life, a high-risk chemical facility
will be contacted where appropriate and in accordance with federal law and policy, as well as
law enforcement and intelligence requirements.
CSAT Personnel Surety Application Reports
Facilities will have the ability to download reports from the CSAT Personnel Surety
application. These reports may be customized to include information submitted about affected
individuals. These reports are official government records and the information contained within
the reports is covered under the Privacy Act of 1974, as amended, and therefore must be
protected (as described in more detail later in this PIA).

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 6

Reason for the PIA Update
This PIA Update addresses several specific updates and improvements to the CFATS
Personnel Surety Program since the publication of the program’s original PIA on May 4, 2011. 14
NPPD is publishing a PIA Update for several reasons, including:
General Program updates
•
•

•

•

To limit the information collection, and to limit initial CFATS Personnel Surety
Program implementation, to only Tier 1 and Tier 2 15 high-risk chemical facilities.
To accept credential information for the Global Entry Trusted Traveler Program and
to permit high-risk chemical facilities to electronically verify and validate affected
individuals’ TWICs, through the use of TWIC readers (or other technology that is
periodically updated with revoked card information), rather than submitting
information about them to NPPD through CSAT.
To provide a description of what information will be provided to high-risk chemical
facilities and their designees after NPPD attempts to verify an affected individual’s
enrollment in any of the Trusted Traveler Programs, the HME Program, or the TWIC
Program.
To more clearly describe the CFATS Personnel Surety Program recurrent vetting and
positive match processes.

Program Updates with Privacy Impact
•

•

•

•
•
•
14

To outline the reduction of privacy risks associated with collecting and submitting
information to NPPD by leveraging data already collected through the facility’s
standard business practices.
To clarify expectations NPPD has of high-risk chemical facilities and their designees
for protecting information about affected individuals used as part of background
checks required under RBPS 12.
To clarify the record retention policy for records about affected individuals that have
been input into the CSAT Personnel Surety application, but that have not been
submitted to NPPD.
To provide a revised sample Privacy Act Statement for high-risk chemical facilities
opting to implement Options 1 and 2. See Attachment 1.
To provide a sample Privacy Notice for high-risk chemical facilities opting to
implement Option 3. See Attachment 2.
To outline expectations NPPD has for CSAT users when safeguarding PDF reports

See DHS/NPPD/PIA-018 Chemical Facilities and Anti-Terrorism Standards Personnel Surety, available at
www.dhs.gov/privacy.
15
See 6 CFR § 27.105.

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 7

•
•

•

generated from the CSAT Personnel Surety application that contain information about
affected individuals.
To provide a copy of the new CSAT Personnel Surety application Rules of Behavior.
See Attachment 3.
To clarify the expectations NPPD has of high-risk chemical facilities for managing
user roles within the CSAT Personnel Surety application and limiting access to
information pertaining to affected individuals only to individuals who have a need-toknow.
To clarify the expectations NPPD has for conducting data accuracy reviews and
audits under the CFATS Personnel Surety Program.

DHS will continue to update the CFATS Personnel Surety Program PIA, as necessary in
response to any future program changes or developments.

Privacy Impact Analysis
In each of the below sections consider how the system has changed and what impact it has on the below fair
information principles. In some cases there may be no changes and indicate as such.

Authorities and Other Requirements
There have been no changes to authorities since the original PIA. Section 550 provides
DHS the authority to regulate high-risk chemical facilities. 16 The implementing regulations for
Section 550 require that high-risk chemical facilities implement “measures designed to identify
people with terrorist ties.” 17 The CFATS Personnel Surety Program will provide the capability
for high-risk chemical facilities to meet this requirement to ensure all affected individuals are
recurrently vetted against the TSDB through at least three Options.
Characterization of the Information
The data collected under the CFATS Personnel Surety Program has not changed since the
publication of the program’s original PIA. Biographic information, such as Name, Date of Birth,
Citizenship, Gender or Unique Credential Information is collected as required data and
information such as Aliases, Place of Birth or Redress Number is optional. 18 However, NPPD
has added options a facility has for complying with RBPS 12(iv). Specifically, NPPD added the
addition of the Global Entry Trusted Traveler Program under Option 2, and the electronic
verification of TWIC under Option 3, which are described below.

16

Department of Homeland Security Appropriations Act of 2007, Pub. L. 109-295, § 550, 120 Stat. 1355, 1388
(2006).
17
See 6 CFR § 27.230(a)(12)(iv).
18
For a complete list of required and optional data for Options 1 and 2, please refer to the original PIA published on
May 4, 2011. See DHS/NPPD/PIA-018 Chemical Facilities and Anti-Terrorism Standards Personnel Surety,
available at www.dhs.gov/privacy.

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 8

Sources of information and how the information is collected and used
Under the CFATS Personnel Surety Program, a high-risk chemical facility would have at
least three options under RBPS 12(iv) for each affected individual:
Option 1 – Direct vetting (no changes since original PIA)
High-risk chemical facilities (or their designees) may submit information to NPPD about
an affected individual to be compared on a recurrent basis against information about known or
suspected terrorists contained in the TSDB.
How information is used under Option 1
PII that pertains to affected individuals that high-risk chemical facilities (or their
designees) submit to NPPD is then transmitted electronically by NPPD to TSA. TSA’s TTAC,
which conducts vetting of information against the TSDB for several DHS programs, conducts the
recurrent vetting on behalf of NPPD.
TTAC compares the information pertaining to affected individuals to information listed
in the TSDB. TTAC determines whether each individual's PII: 1) does not match a TSDB
record; or 2) is a potential match to a TSDB record. Each potential match to the TSDB is then
manually vetted to determine whether a match has occurred.
TTAC forwards results of all positive matches to the FBI’s TSC, which makes final
match determinations. When TSC determines that an individual is a positive match, TSA
notifies other divisions/offices within FBI and DHS (NPPD) as appropriate.
Option 2 – Use of vetting conducted under other DHS programs (change since
original PIA includes addition of Global Entry Trusted Traveler Program)
High-risk chemical facilities (or their designees) may submit information to NPPD about
an affected individual’s enrollment in the TWIC Program, 19 HME Program, 20 or a Trusted
Traveler Program. 21 Each of those programs conducts recurrent vetting, which is equivalent to
the terrorist ties vetting conducted under Option 1.
How information is used under Option 2
DHS uses information about an affected individual submitted by, or on behalf of, highrisk chemical facilities under Option 2 to verify enrollment in a Trusted Traveler Program, the
HME Program, or the TWIC Program.
19

See DHS/TSA/PIA-012 - Transportation Worker Identification Credential (TWIC) Program, available at
www.dhs.gov/privacy. See also DHS/TSA 002 - Transportation Security Threat Assessment System, 75 FR 28046
(May 19, 2010).
20 20
See DHS/TSA/PIA-002 - Hazardous Materials Endorsement (HME), available at www.dhs.gov/privacy. See
also DHS/TSA 002 - Transportation Security Threat Assessment System, 75 FR 28046 (May 19, 2010).
21 21
See DHS/CBP/PIA-002 - Global Enrollment System (GES), available at www.dhs.gov/privacy. See also
DHS/CBP-002 - Global Enrollment System, 78 FR 3441 (Jan. 16, 2013).

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 9

NPPD verifies an affected individual’s enrollment in a Trusted Traveler Program by
transmitting the affected individual’s unique program identification number (i.e., PASS ID
Number) to CBP. CBP returns the biographic enrollment information associated with the PASS
ID Number and NPPD then compares the biographic data elements to determine if there is a
match. If there is a match, NPPD has verified the affected individual’s enrollment in the Trusted
Traveler Program. NPPD then notifies the Submitter 22 that it verified the individual’s enrollment
in a Trusted Traveler Program. If the affected individual’s enrollment in a Trusted Traveler
Program has been verified, NPPD will periodically re-verify the affected individual’s continued
enrollment. If the affected individual’s enrollment is no longer verified, then NPPD may
transmit the information about the affected individual to TSA for vetting under Option 1. NPPD
will also notify the high-risk chemical facility, or its designee. The high-risk chemical facility is
responsible for taking action in accordance with its SSP or ASP, which may include submitting
new or updated information on that affected individual.
NPPD verifies an affected individual’s enrollment in the HME Program by transmitting
at a minimum the required data elements, which include: the affected individual’s unique
program identification number (i.e., State-issued Commercial Driver’s License Number) along
with the issuing State, the affected individual’s full name, and date of birth to TSA. TSA
compares the affected individual’s data against the Security Threat Assessments TSA has
performed for individuals currently active in the HME program. TSA provides NPPD the results
of its analysis as to whether there is a matching Security Threat Assessment. If there is a current
and active Security Threat Assessment that matches the biographic data NPPD received from a
Submitter, NPPD has verified the affected individual’s enrollment in the HME Program. NPPD
then notifies the Submitter that it verified the affected individual’s enrollment in the HME
Program. If an affected individual’s enrollment in the HME Program has been verified, NPPD
will periodically re-verify the affected individual’s continued enrollment. If the affected
individual’s enrollment is no longer verified, then NPPD will notify the high-risk chemical
facility, or its designee. NPPD may initiate vetting under Option 1, as appropriate. The highrisk chemical facility is responsible for taking action in accordance with its SSP or ASP, which
may include submitting new or updated information on that affected individual.
NPPD verifies an affected individual’s enrollment in the TWIC Program by transmitting
to TSA at a minimum the required data elements, which include: the affected individual’s full
name, date of birth, and the expiration date displayed on the TWIC. 23 TSA compares the
affected individual’s data against the Security Threat Assessments TSA has performed for
individuals currently active in the TWIC program. TSA provides the results of its analysis as to
22

A submitter is a facility employee, corporate employee, or third-party designee that submits vetting information
directly to NPPD on behalf of a facility.
23
NPPD will also transmit to TSA the following optional data elements for TWIC and HME if provided by the
Submitter: Gender, Citizenship, Aliases, Place of Birth, Alien Registration Number, and Passport Number.

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 10

whether there is a matching Security Threat Assessment. If there is a current and active Security
Threat Assessment that matches the biographic data NPPD received from a Submitter, NPPD has
verified the affected individual’s enrollment in the TWIC Program. NPPD then notifies the
Submitter that it verified the individual’s enrollment in the TWIC Program. If an affected
individual’s enrollment in the TWIC Program has been verified, NPPD will periodically reverify the affected individual’s continued enrollment. If the affected individual’s enrollment is
no longer verified, then NPPD will notify the high-risk chemical facility, or its designee. NPPD
may initiate vetting under Option 1, as appropriate. The high-risk chemical facility is
responsible for taking action in accordance with its SSP or ASP, which may include submitting
new or updated information on that affected individual.
Option 3 – Electronic verification of TWIC (new since original PIA)
High-risk chemical facilities may electronically verify and validate an affected
individual’s TWIC through the use of TWIC readers (or other technology that is periodically
updated with revoked card information), rather than submitting information about the affected
individual to NPPD.
How information is used under Option 3
NPPD will not collect information about affected individuals in the possession of TWICs
if a high-risk chemical facility chooses to implement Option 3. Rather, high-risk chemical
facilities may use a TWIC Reader, in accordance with its SSP or ASP to electronically verify the
affected individual’s current enrollment in the TWIC Program.
DHS believes that under this option, a high-risk chemical facility is implementing an
adequate security measure to ensure affected individuals do not have terrorist ties because the
TWIC in the affected individual’s possession is being electronically verified and validated.
Summary
High-risk chemical facilities have discretion as to which option(s) to use for an affected
individual. For example, even though a high-risk chemical facility could comply with RBPS
12(iv) for certain affected individuals by using Option 2 because they are existing credential
holders, the high-risk chemical facility could choose to use Option 1 for those affected
individuals instead because the facility feels that Option 1 may be easier to manage under their
existing business processes. Similarly, a high-risk chemical facility, at its discretion, may choose
to use either Option 1 or Option 2 rather than Option 3 for affected individuals who have TWICs.
High-risk chemical facilities also may choose to combine Option 1 with Option 2 and/or Option
3, as appropriate, to ensure that adequate terrorist ties checks are performed on different types of
affected individuals (e.g., employees, contractors, unescorted visitors). Each high-risk chemical
facility will need to describe how it will comply with RBPS 12(iv) in its SSP or ASP.

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 11

In addition to the options described above for satisfying RBPS 12(iv), high-risk chemical
facilities may propose alternative or supplemental options not described in this PIA in their SSPs
or ASPs. NPPD will assess the adequacy of such alternative or supplemental options on a
facility-by-facility basis, in the course of evaluating each facility’s SSP or ASP. If there are any
changes to the options for complying with RBPS 12(iv), the PIA will be updated as appropriate.
Federal response to a positive match
The PIA is being updated to provide a clearer description of the CFATS Personnel Surety
Program positive match process. In the event that there is a potential match, regardless of the
option, DHS has procedures in place that it follows to confirm the match and coordinate with
appropriate law enforcement entities as necessary.
DHS’s design of the CFATS Program is intended to promote and enhance the security of
high-risk chemical facilities; the Personnel Surety Program is one element of the larger CFATS
Program. To prevent a significant threat to a facility or loss of life, a high-risk chemical facility
will be contacted where appropriate and in accordance with federal law and policy, as well as
law enforcement and intelligence requirements.
Reduction of privacy risks associated with collecting and submitting information to
NPPD by leveraging data already collected through the facility’s standard business
practices
In general, NPPD expects that high-risk chemical facilities or their designees will already
possess much, if not all, of the necessary information about affected individuals as a result of
standard business practices related to employment or managing of service contracts. In the event
that high-risk chemical facilities, or their designees, need to collect any additional information
for the purpose of complying with RBPS 12(iv), they have significant flexibility in how to
collect this information since CFATS does not prescribe how to do so.
Expectations NPPD has of high-risk chemical facilities and their designees for
protecting information about affected individuals used as part of background
checks required under RBPS 12
This PIA update aims to clarify NPPD’s expectations around the protection of
information under RBPS 12(i)-(iii) 24 and RBPS 12(iv).
RBPS 12(i)-(iii)
The information collected by a high-risk chemical facility pursuant to RBPS 12(i)-(iii) is
not submitted to NPPD. Thus, the information is not covered under the Privacy Act of 1974.
NPPD expects that the high-risk chemical facilities and their designees safeguard information
24

RBPS 12(i)-(iii) are not the subject of this PIA, however they are discussed in certain sections for context to assist
in explaining the implementation of RBPS 12(iv).

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 12

they collect and maintain. The sensitivity of PII related to background checks is evident by the
federal and state laws pertaining to background checks, state privacy laws, the Fair Credit
Reporting Act 25, and the Driver’s Privacy Protection Act 26, which seek to protect individuals
against the misuse of data or fraud. High-risk chemical facilities are required to protect
information under these existing laws (as applicable), which provide protections for the
information that has been collected by the facility in order to comply with RBPS 12(i)-(iii).
While under CFATS, no specific controls are required for information collected by high-risk
chemical facilities with regard to RBPS 12(i)-(iii), NPPD expects that high-risk chemical
facilities will protect and safeguard the information in accordance with any other federal, state,
or local privacy laws that are applicable to the collection of the information, just as they would
for other similar information collected under a facility’s normal business practices that is not
related to the CFATS Program.
RBPS 12(iv)
The information collected by a high-risk chemical facility pursuant to RBPS 12(iv) may
be submitted to NPPD under Option 1 or Option 2. Information collected or retained by the
facility that has not been submitted to NPPD and facility-generated copies of information that
have been submitted to NPPD are not considered government records and therefore are not
covered under the Privacy Act of 1974. However, any information about affected individuals
that is obtained from the CSAT Personnel Surety application is a government record and subject
to the Privacy Act of 1974. Generally, the information obtained from the CSAT Personnel
Surety application will be marked with the following banner:
WARNING: This document contains sensitive personally identifiable information
and is subject to the Privacy Act of 1974, 5 U.S.C. § 552a. This document, and any
information copied or removed from it, (1) must not be disclosed or shared with
individuals unless they have a need-to-know, and (2) must be protected as stated in
the DHS CSAT Personnel Surety application Rules of Behavior.

Record retention for un-submitted records about affected individuals in the CSAT
Personnel Surety application
The CSAT Personnel Surety application will delete records of affected individuals input
into the CSAT Personnel Surety application but not submitted to NPPD after 14 days.

25

See 15 U.S.C § 1681 et seq., available at http://www.ftc.gov/sites/default/files/fcra.pdf.
See 18 U.S.C. § 2721, available at http://www.gpo.gov/fdsys/pkg/USCODE-2011-title18/pdf/USCODE-2011title18-partI-chap123-sec2721.pdf.
26

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 13

Notice
Revised sample Privacy Act Statement for high-risk chemical facilities opting to
implement Option 1 and 2
As described in the May 4, 2011 PIA, high-risk chemical facilities and their designees
must provide notice to affected individuals prior to submitting any PII to NPPD. The
requirements for the notice have not changed. In Attachment 2 of the previous PIA, NPPD
provided a sample notice, which high-risk chemical facilities may choose to use to provide
notice to affected individuals under Option 1 and Option 2. NPPD has revised the sample. 27
Sample Privacy Notice for a high-risk chemical facility opting to implement Option
3
A high-risk chemical facility will not submit information to NPPD if the facility opts to
electronically verify and validate affected individuals’ TWICs through the use of TWIC readers
(or other technology that is periodically updated with revoked card information). A high-risk
chemical facility that opts to implement this option, if authorized or approved in its SSP or ASP,
must provide notice to the affected individual whose TWIC is being verified and validated.
Although Option 3 allows high-risk chemical facilities to comply with RBPS 12(iv) without
submitting information to NPPD, DHS feels that appropriate notice should still be given to those
individuals so that they know their TWICs are now being used to comply with 6 CFR §
27.230(a)(12)(iv). A sample notice is attached to this PIA. 28
Information Sharing
Under the CFATS Personnel Surety Program, NPPD shares information to facilitate the
TSDB vetting and positive match processes, as well as to ensure compliance with RBPS 12(iv).
This PIA provides an update regarding NPPD sharing information with a high-risk chemical
facility, through the facility’s ability to generate PDF reports from CSAT, for the purposes of
ensuring that information on all affected individuals submitted by or on behalf of the facility has
been appropriately submitted to DHS. These PDF reports are copies of the official government
record of the information that the high-risk chemical facility, or its designee, has provided to
NPPD about affected individuals with access to that facility as well as status of enrollment in
other DHS programs. These PDF reports contain Sensitive Personally Identifiable Information
(Sensitive PII).
Each user of the CSAT Personnel Surety application will be required to affirm a Rules of
Behavior prior to being granted access to the CSAT Personnel Surety application. 29 PDF reports
generated by high-risk chemical facilities or their designees may be shared only as authorized by
27

See Attachment 1.
See Attachment 2.
29
See Attachment 3.
28

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 14

the Privacy Act of 1974. PDF reports must be secured during storage and transmission
commensurately with DHS guidance outlined in the DHS Handbook for Safeguarding Sensitive
Personally Identifiable Information 30 and the CSAT Personnel Surety application User Guide
(which will be published prior to program implementation), and must display the following
Privacy Warning language:
WARNING: This document contains sensitive personally identifiable information and is
subject to the Privacy Act of 1974, 5 U.S.C. § 552a. This document, and any information
copied or removed from it, (1) must not be disclosed or shared with individuals unless they
have a need-to-know, and (2) must be protected as stated in the DHS CSAT Personnel Surety
application Rules of Behavior.

This external sharing of information with high-risk chemical facilities and their designees
is specifically covered in the updated Chemical Facility Anti-Terrorism Standards Personnel
Surety Program System of Records Notice (SORN). 31
Auditing and Accountability
The auditing and accountability of CSAT, the system in which the CSAT Personnel
Surety application resides, is covered by the overarching CFATS Program PIA. 32
Ensuring need-to-know is appropriately managed under the CFATS Personnel
Surety Program
Within DHS, only individuals with a need-to-know will have access to information under
the CFATS Personnel Surety Program. Information will only be disclosed to individuals outside
of DHS in accordance with the Routine Uses listed in the Chemical Facility Anti-Terrorism
Standards Personnel Surety Program SORN. 33
This PIA is being updated to clarify the expectations NPPD has of high-risk chemical
facilities for managing need-to-know. This will assist with auditing and accountability purposes
to ensure that information is only being used in accordance with the stated practices in this PIA
Update. High-risk chemical facilities will be responsible for managing their user roles and
determining what access each user may have within the CFATS Personnel Surety application to
ensure that only the appropriate users have access to the information about affected individuals
30

See DEPARTMENT OF HOMELAND SECURITY, HANDBOOK FOR SAFEGUARDING SENSITIVE PERSONALLY
IDENTIFIABLE INFORMATION (2012), available at https://www.dhs.gov/sites/default/files/publications/privacy/
Guidance/handbookforsafeguardingsensitivePII_march_2012_webversion.pdf. This Handbook provides guidance
on how to safeguard Sensitive PII at DHS, but can be used as a reference by facilities and their designees.
31
DHS is publishing the updated SORN concurrently with this PIA. See also DHS/NPPD-002 – Chemical Facility
Anti-Terrorism Standards Personnel Surety Program System of Records, 76 FR 34732 (June 14, 2011).
32
See DHS/NPPD/PIA-009 - Chemical Facility Anti-Terrorism Standards (CFATS), available at
www.dhs.gov/privacy.
33
DHS is publishing the updated SORN concurrently with this PIA. See also DHS/NPPD-002 – Chemical Facility
Anti-Terrorism Standards Personnel Surety Program System of Records, 76 FR 34732 (June 14, 2011).

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 15

being submitted to NPPD.
NPPD currently has Information Sharing Agreements (ISA) with TSA and with CBP,
which describe how the CSAT Personnel Surety application interfaces with the TSA and CBP
systems. DHS will review any future requests, both internal and external, to access the CSAT
Personnel Surety application, and when appropriate, establish an ISA or other appropriate
vehicle necessary to share information.
Conducting data accuracy reviews and audits under the CFATS Personnel Surety
Program
Finally, this PIA is being updated to clarify how NPPD may conduct data accuracy
reviews and audits as part of the CFATS Personnel Surety Program. High-risk chemical
facilities may propose to maintain different sorts of records or information related to RBPS 12 as
part of their SSPs or ASPs, and NPPD expects that the records or information available could
vary from one high-risk chemical facility to another. The types of information NPPD could
request from high-risk chemical facilities as part of data accuracy reviews or audits could thus
vary from facility to facility, based on each facility’s standard business practices and SSP or
ASP. The records requested may contain information pertaining to affected individuals that was
previously provided to NPPD by the high-risk chemical facility.

Responsible Official
David Wulf
Director, Infrastructure Security Compliance Division
Office of Infrastructure Protection, National Protection and Programs Directorate
Department of Homeland Security

Approval Signature
Original signed and on file with the DHS Privacy Office
________________________________
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 16

ATTACHMENT 1
Sample Privacy Act Notice to Individuals Regarding a High-Risk Chemical
Facility’s Compliance with 6 CFR § 27.230(a)(12)(iv) and Participation in The
CFATS Personnel Surety Program
This is a sample Privacy Act notice, which high-risk chemical facilities may choose to
use to provide required notice to affected individuals. DHS may review notices for adequacy, as
appropriate, under CFATS. This updated notice replaces the sample notice that was published as
Attachment 2 in the original PIA on May 4, 2011.
(To be provided by a High-Risk Chemical Facility to Affected Individuals prior to the
submission of PII to DHS under Option 1 and Option 2 for purposes of compliance with 6
CFR § 27.230(a)(12)(iv))
The Department of Homeland Security (DHS) requires [INSERT NAME OF CFATSCOVERED FACILITY] to comply with DHS Chemical Facility Anti-Terrorism Standards
(CFATS) program requirements to identify affected individuals with terrorist ties. [INSERT
NAME OF CFATS-COVERED FACILITY] has opted to comply with this requirement by
collecting and submitting the personally identifiable information (PII) of affected individuals to
DHS for the purpose of comparing that PII against information pertaining to known and
suspected terrorists maintained by the federal government in the Terrorist Screening Database
(TSDB). Affected individuals are: (1) facility personnel (e.g., employees and contractors) with
access, or seeking access, (unescorted or otherwise) to restricted areas or critical assets; and (2)
unescorted visitors with access, or seeking access, to restricted areas or critical assets. Affected
individuals will undergo recurrent vetting against the TSDB.
In certain cases, DHS may require [INSERT NAME OF CFATS-COVERED
FACILITY] to collect and submit additional information (e.g., visa information) about affected
individuals in order to clarify data errors or to resolve potential matches (e.g., in a situation in
which an affected individual has a common name, additional information could assist DHS in
distinguishing that individual from known or suspected terrorists with similar names). Such
requests will not imply, and should not be construed to indicate, that an individual has been
confirmed as a match to the TSDB.
DHS conducts CFATS Personnel Surety Program activities pursuant to section 550 of the
Homeland Security Appropriations Act of 2007, and section 27.230(a)(12)(iv) of the Chemical
Facility Anti-Terrorism Standards (CFATS).
DHS may share information provided by [INSERT NAME OF CFATS COVERED
FACILITY, AND OF THIRD PARTY SUBMITTER (IF APPLICABLE)] about you with law
enforcement or intelligence agencies under its Privacy Act System of Records Notice published

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 17

in the Federal Register. To view this System of Records Notice (Department of Homeland
Security/National Protection and Programs Directorate – 002 Chemical Facility Anti-Terrorism
Standards Personnel Surety Program System of Records) and for more information on DHS
privacy policies, please see the DHS Privacy Office website at http://www.dhs.gov/privacy.
DHS may also share your information and information about you with [INSERT NAME
OF CFATS COVERED FACILITY, AND OF THIRD PARTY SUBMITTER (IF
APPLICABLE)].
Please note that DHS will not make available certain information about you that was not
supplied by [INSERT NAME OF CFATS COVERED FACILITY, AND OF THIRD PARTY
SUBMITTER (IF APPLICABLE)], but may provide credential status to [INSERT NAME OF
CFATS COVERED FACILITY, AND OF THIRD PARTY SUBMITTER (IF APPLICABLE)]
for affected individuals whose information was submitted by them to electronically verify and
validate enrollment in a Trusted Traveler Program, the HME Program, or the TWIC Program.
ACCESS & CORRECTIONS:
If you would like access to the information provided by [INSERT NAME OF CFATS
COVERED FACILITY, AND OF THIRD PARTY SUBMITTER (IF APPLICABLE)] about
you, you may contact [INSERT CONTACT NAME & NUMBER OR EXPLAIN INTERNAL
PROCEDURE]. If your information contains errors, you should inform [INSERT NAME OF
CFATS COVERED FACILITY], which is obligated to correct your information and resubmit it
to DHS.
You may also write to the NPPD Freedom of Information Act (FOIA) Officer at 245
Murray Lane SW, Washington, D.C. 20528-0380, to obtain access to your information, and if
necessary to correct inaccurate or erroneous information. The requirements for filing such a
request may be found at 6 CFR § 5.21(d) or accessed from the DHS Privacy Office website at
http://www.dhs.gov/foia.
REDRESS:
If you believe that the information submitted by [INSERT NAME OF CFATS
COVERED FACILITY AND OF THIRD PARTY SUBMITTER (IF APPLICABLE)] has been
improperly matched by DHS to the identity of a known or suspected terrorist, you may write to
the NPPD FOIA Officer at 245 Murray Lane SW, Washington, D.C. 20528-0380. You may also
request an administrative adjudication under CFATS. 34

34

See 6 CFR 27.310(a)(1).

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 18

ATTACHMENT 2
Sample Notice to an Individual Whose TWIC Is Being Electronically Verified
And Validated Through The Use of a TWIC Reader For Purposes of
Compliance with 6 CFR § 27.230(a)(12)(iv) and Participation in The CFATS
Personnel Surety Program
Prior to electronically verifying and validating an affected individual’s TWIC for
purposes of compliance with 6 CFR § 27.230(a)(12)(iv), a high-risk chemical facility should
provide notice to affected individuals informing them that their TWIC will now be used for
compliance with 6 CFR § 27.230(a)(12)(iv).
This is a sample notice, which high-risk chemical facilities may choose to use. NPPD
may review notices for adequacy, as appropriate, under CFATS.
(To Be Provided by a High-Risk Chemical Facility to Affected Individuals Prior to verify
and validating an affected individuals TWIC for purposes of compliance with 6 CFR §
27.230(a)(12)(iv))
Notice to individuals regarding use of the Transportation Worker Identification Credential
(TWIC) under the Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety
Program:
The Department of Homeland Security (DHS) requires [INSERT NAME OF CFATS
COVERED FACILITY] to comply with the DHS Chemical Facility Anti-Terrorism Standards
(CFATS) program requirement to identify affected individuals with terrorist ties. [INSERT
NAME OF CFATS COVERED FACILITY] has opted to comply with this requirement by
electronically verifying and validating TWICs using a [INSERT TWIC READER OR NAME
OF OTHER TECHNOLOGY]. Affected individuals are: (1) facility personnel (e.g., employees
and contractors) with access, or seeking access, (unescorted or otherwise) to restricted areas or
critical assets; and (2) unescorted visitors with access, or seeking access, to restricted areas or
critical assets. If your TWIC is successfully verified and validated, no information about you will
be submitted to DHS under the CFATS Personnel Surety Program. If your TWIC cannot be
successfully verified and validated, [INSERT NAME OF CFATS COVERED FACILITY] will
[DESCRIBE THE PROCEDURES THAT THE FACILITY HAS AGREED TO UNDERTAKE
IN ITS ASP OR SSP IN THIS SITUATION]. You may also visit the Transportation Security
Administration TWIC Program web page at: http://www.tsa.gov/stakeholders/transportationworker-identification-credential-twic for more information regarding your TWIC.
DHS conducts CFATS Personnel Surety Program activities pursuant to section 550 of the
Homeland Security Appropriations Act of 2007, and section 27.230(a)(12)(iv) of CFATS.

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 19

ATTACHMENT 3
DHS CSAT Personnel Surety Application Rules of Behavior
The following rules of behavior apply to users of the Department of Homeland Security
(DHS) Chemical Security Assessment Tool (CSAT) Personnel Surety application in support of
the Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program.
The rules of behavior apply to users regardless of work location (e.g., chemical facility,
home) or IT equipment used and do not replace any established IT or information security
policies governing their local IT equipment or networks.
Application Access
• I understand that I am given access to only the portions of CSAT applications for which I
require access to perform my official or authorized duties.
• I will not attempt to access CSAT applications I am not authorized to access, nor perform
actions I am not authorized to do.
Passwords
• I will choose passwords that meet or exceed the complexity requirements of the IT
system and that are at least eight characters long and have a combination of letters
(upper- and lower-case), numbers, and special characters.
• I will protect passwords from disclosure.
• I will not share passwords or provide my passwords to anyone, including system
administrators.
• I will not record passwords on paper or in electronic form and store them on or with
workstations, laptop computers, or portable electronic devices (PED).
• I will shield my keyboard from view as I enter my password to prevent others from
“shoulder surfing.”
• I will promptly change a password whenever the compromise of that password is known
or suspected.
Data Protection
• I understand that certain information entered into the CSAT Personnel Surety application
about affected individuals is considered sensitive personally identifiable information
(PII). I understand that this application, and any information copied or removed from it,
is subject to the Privacy Act of 1974. 35 I will protect the information contained in this
application, and any information copied or removed from this application, and will not
disclose or share it with individuals unless they have a need-to-know.
35

5 U.S.C. § 552a.

Privacy Impact Assessment Update
NPPD, CFATS Personnel Surety Program
Page 20

•

•

I understand that information copied or removed from the CSAT Personnel Surety
application is an official DHS record and I will only use it to ensure compliance with the
CFATS Personnel Surety Program.
I will refer to the DHS Handbook for Safeguarding Sensitive Personally Identifiable
Information to ensure the protections in place for handling sensitive PII are
commensurate with those outlined in DHS Privacy Policy. For example:
o Encrypt or password-protect electronic files containing sensitive PII.
o When there is a need to print, copy, or extract sensitive PII from a larger data set,
limit the new data set to include only the specific data elements needed to perform
the task at hand.
o Physically secure sensitive PII (e.g., in a locked drawer, cabinet, desk, or safe)
when not in use or not otherwise under the control of a person with a need-toknow.
o If there is a need to create duplicate copies of sensitive PII (e.g., a PDF Report of
detailed PII about affected individuals) to perform a particular task or project,
delete or destroy any copies (e.g., using a shredder) when they are no longer
needed.

Incident Reporting
• I will promptly report IT security incidents (e.g., a compromise of my CSAT Personnel
Surety application username and password) to the CFATS Help Desk at 866-323-2957.
• I will report a privacy incident (i.e., any suspected or confirmed loss or compromise of
the information contained in this application, and any information copied or removed
from this application) immediately upon discovery or detection to the CFATS Help Desk
at 866-323-2957.
Affirmation Statement
I affirm that I have read the rules of behavior, I understand them, and I will comply with
them. I understand that failure to comply with these rules could result in a verbal or written
warning, removal of system access, or legal action.