Download:
pdf |
pdfPrivacy Impact Assessment
for the
National Intellectual Property Rights
Coordination Center
DHS/ICE/PIA-041
May 4, 2015
Contact Point
Peter Edge
Executive Associate Director
Homeland Security Investigations
Immigration and Customs Enforcement
U.S. Department of Homeland Security
(202) 732-5100
Reviewing Official
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security
(202) 343-1717
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 1
Abstract
The National Intellectual Property Rights Coordination Center (IPR Center), led by U.S.
Immigration and Customs Enforcement, is a multi-agency task force that serves as the Federal
Government’s clearinghouse for investigations into violations of intellectual property rights,
including counterfeiting and piracy. The IPR Center solicits complaints from victims, witnesses,
and public and private organizations and uses this information to analyze, process, and deconflict
them in order to ensure that the appropriate investigative partner agency can examine and resolve
the complaint. The IPR Center is conducting this Privacy Impact Assessment because the IPR
Center solicits information through a public-facing website, some of which is personally
identifiable.
Overview
The National Intellectual Property Rights Coordination Center (IPR Center), led by U. S.
Immigration and Customs Enforcement (ICE), is responsible for coordinating a unified U.S.
Government response to the growing threat of intellectual property crimes, such as counterfeiting
and piracy. In addition to ICE, interagency participation currently includes: U.S. Customs and
Border Protection, U.S. Air Force Office of Special Investigations, Defense Criminal
Investigative Service, Defense Logistics Agency, Department of Commerce’s Office of
Intellectual Property Rights, Federal Bureau of Investigation, Food and Drug Administration’s
Office of Criminal Investigations, General Services Administration’s Office of the Inspector
General, National Aeronautics and Space Administration, Nuclear Regulatory Commission, U.S.
Army Criminal Investigation Command, U.S. Consumer Product Safety Commission, U.S.
Department of State’s Office of International Intellectual Property Enforcement, U.S. Naval
Criminal Investigative Service, U.S. Patent and Trademark Office, U.S. Postal Inspection
Service, U.S. Postal Service’s Office of the Inspector General, Federal Maritime Commission,
INTERPOL, and several foreign law enforcement agencies.
The IPR Center’s mission is to coordinate and enhance Intellectual Property (IP)
enforcement, raise awareness of the economic and social impact of the trade in counterfeit
products, create IP crime investigation training programs, and actively engage in and improve
enforcement and coordination efforts. The IPR Center places particular emphasis on protecting
the health and safety of U.S. consumers, investigating major criminal organizations engaged in
transnational IP crime, and pursuing the illegal proceeds derived from sales of counterfeit
merchandise. The IPR Center works with copyright owners, trade associations, and both foreign
and domestic law enforcement agencies. Through its website, the IPR Center accepts allegations
concerning IPR violations from individuals and entities in both the public and private sector. In
fiscal year (FY) 2013, the IPR Center received 8,540 complaints and leads regarding alleged IP
crimes. These complaints are analyzed by IPR Center staff (member agency representatives and
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 2
supporting personnel) or at partner agencies (in the case of complaints that fall under the
jurisdiction of the particular partner).
When a complaint is submitted to the IPR Center’s website or through its telephone line,
it is entered into an internal database and then analyzed by designated agency representatives to
the IPR Center to determine if additional information is required and whether any investigations
relating to the complaint are already ongoing. If there are no current investigations, the complaint
will be examined to decide if it should be opened as a criminal investigation. In that event, a lead
agency (one or more) is identified for investigative purposes, based on the commodity involved,
the origin of the lead, the agency with legal jurisdiction, and a rotation schedule. Once an
investigation has commenced, the IPR Center continues to track and monitor its progress,
providing investigative, deconfliction, and coordination assistance as appropriate. A working
group composed of representatives of partner agencies meets weekly to review lead and case
deconfliction results, discuss lead viability and dissemination, and coordinate identified overlap
between agency efforts. The IPR Center database will consist of only lead information and
investigative follow-up activity will not be tracked or input into the database. That information
will be maintained in the appropriate investigative case management system at the appropriate
agency.
The IPR Center is modernizing and automating its operations in an effort to gain
efficiencies and effectiveness. It has developed a new complaint form that appears on its website.
Individuals who wish to report an alleged IPR violation may voluntarily include identifying
information, such as name, telephone number, email address, and any other pertinent details
about the IPR matter they wish to report. Completing the form with personally identifiable
information (PII) is voluntary, but resolution of the matter may depend on obtaining sufficient
contact information in order to pursue the issue, particularly if there is a need for additional
clarifying details. The IPR Center will automate the intake, development, deconfliction, and
referral of investigative lead information intended for the purpose of initiating or resolving
criminal and civil investigations and will support actions involving IPR violations. The IPR
Center will accept complaints or new submissions of potential IP violations through its website
(http://www.iprcenter.gov/), populate an internal database with the particulars, and circulate by
encrypted email the new submissions to agency partners to determine whether an investigation is
warranted.
In addition to maintaining any PII from individuals submitting the complaints in its
internal database, the IPR Center may also maintain other PII derived from these complaints,
such as information pertaining to violators (e.g., name, business or personal address, or other
identifying details). Other PII in the database will consist of identifiers of ICE personnel who are
involved in maintaining the IPR Center’s website and its activities. The IPR public-facing
website and internal database will be maintained by an ICE administrator who will ensure that
those who view information have a need to know.
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 3
Section 1.0 Authorities and Other Requirements
1.1
What specific legal authorities and/or agreements permit
and define the collection of information by the project in
question?
ICE may collect and maintain records pursuant to 5 U.S.C. § 302, 44 U.S.C. § 3101, 6
U.S.C. § 203; 8 U.S.C. § 1103; and 19 U.S.C. § 1589a. In addition, the following authorities
support the work of the IPR Center: 17 U.S.C. § 506; 17 U.S.C. § 120 et seq.; 18 U.S.C. §§
1831-39; and 18 U.S.C. §§ 2318-20.
1.2
What Privacy Act System of Records Notice(s) (SORN(s))
apply to the information?
To the extent that information in the IPR Center’s database is about individuals and is
retrieved by their names or personal identifiers, SORN coverage is provided by DHS/ICE-009,
External Investigations. 1
1.3
Has a system security plan been completed for the
information system(s) supporting the project?
The security of the IPR Center’s public-facing website has, until recently, been the
responsibility of a partner agency. The security responsibilities are being transitioned to ICE, and
a revised system security plan will be developed and approved by ICE.
1.4
Does a records retention schedule approved by the National
Archives and Records Administration (NARA) exist?
No. ICE is currently drafting a records schedule for its Investigative Case Files. The
schedule proposes retention for 15 years after a case is closed, to consist of transfer to a Federal
Records Center after five years and destruction after an additional 20 years. As proposed,
allegations that do not rise to the level of an investigation will be maintained only for five years
after a determination is made not to pursue them. ICE will retain all IPR Center records until
NARA approves the final IPR records schedule.
1
DHS/ICE-009 External Investigations, 75 FR 404 (Jan. 5, 2010).
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 4
1.5
If the information is covered by the Paperwork Reduction
Act (PRA), provide the OMB Control number and the
agency number for the collection. If there are multiple
forms, include a list in an appendix.
The IPR Center is currently seeking OMB approval (and a control number) for its
complaint form that it will use on its website to collect information from the public.
Section 2.0 Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected, as
well as reasons for its collection.
2.1
Identify the information the project collects, uses, disseminates or
maintains
The IPR Center form collects identifying information provided voluntarily from the
complainants regarding potential or actual intellectual property crimes. This information consists
of full name, address, telephone number, email address, and website address, if pertinent. The
form also asks questions about the alleged crime, including details about the alleged perpetrator,
if known. The IPR Center maintains information on the status of its deconfliction 2 and
investigative efforts in its database.
2.2
What are the sources of the information and how is the
information collected for the project?
Initially, information is collected from the public (which includes individuals, trade
associations, members of industry, law enforcement, and other government agencies) who
complete complaint forms for reporting allegations of intellectual property crimes. The
information is then routed to agency partners participating in the IPR Center (either at the IPR
Center or at their home agencies) for review and analysis to determine if the complaint is one
that is currently being investigated, is similar to other complaints that are under investigation, or
is something new. If the information is sent to partner agencies, it is sent as an encrypted email.
Receiving offices query their respective records and advise the IPR Center whether they
have a potential matching record to deconflict or jurisdictional interest in the matter. If the
complaint presents a novel issue, it is assigned to the agency with appropriate jurisdiction or, if
2
In this context, deconfliction is the process by which the IPR Center ensures that a new investigative lead is not
already being investigated by one of its participating agencies. The purpose of deconfliction is to ensure agencies do
not expend resources in a duplicative or redundant manner, and to ensure the safety of law enforcement officers who
are working on the case.
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 5
there is no clear jurisdictional nexus, to the next agency on a rotation list of participants that are
available for an investigation.
2.3
Does the project use information from commercial sources
or publicly available data? If so, explain why and how this
information is used.
Yes. The starting point for any investigation by IPR Center agency members is the
complaint form. In determining whether to open an investigation, IPR Center members may
manually query commercial databases or publicly available information as part of the analysis of
the complaint, e.g., to obtain additional information about the subject of a complaint and to
determine if it is actionable. The resultant information could be maintained in the IPR Center
database, in an agency’s investigative case file, or both, if the agency decides to open an
investigation.
2.4
Discuss how accuracy of the data is ensured.
Complainants voluntarily submit their own PII. Complainants also submit information
about alleged IPR perpetrators. The accuracy of the submitted information may be able to be
verified during the deconfliction process if other complaints from the same person or entity or
about the same alleged perpetrator have been received. It is not until the complaint is referred for
investigation, however, that the accuracy of what is alleged can be verified or disproved.
2.5 Privacy Impact Analysis: Related to Characterization of the
Information
Privacy Risk: There is a risk that allegations about the potential perpetrator of an
intellectual property crime may not be accurate.
Mitigation: The review and analysis of complaints that occurs during the deconfliction
process, during which information can be corrected and updated as necessary, and the
investigative process itself, reduces the potential that inaccurate information will become the
basis of law enforcement action.
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 6
Section 3.0 Uses of the Information
The following questions require a clear description of the project’s use of information.
3.1
Describe how and why the project uses the information.
The IPR Center will use complaints entered through the IPR Center’s website as the basis
to determine whether investigative action is warranted. The PII that the complainant provides
may be used for contact purposes if there are additional questions or a need for clarification of
the initial information. Information about the alleged perpetrator will be used by IPR Center
members to query their data holdings to determine if there is already an investigation underway
or if the initiation of one should be undertaken (and by whom). Some of the information may
ultimately be included in reports about the IPR Center’s activities. However, the personal
identifiers of complainants will not be included in any report that is disseminated outside the IPR
Center members.
3.2
Does the project use technology to conduct electronic
searches, queries, or analyses in an electronic database to
discover or locate a predictive pattern or an anomaly? If so,
state how DHS plans to use such results.
No.
3.3
Are there other components with assigned roles and
responsibilities within the system?
Yes. U.S. Customs and Border Protection participates in the IPR Center.
3.4
Privacy Impact Analysis: Related to the Uses of Information
Privacy Risk: There is a risk that IPR Center participants will use the information that is
collected and maintained for purposes beyond those described in this PIA.
Mitigation: Participants in the IPR Center have agreed to a set of protocols for lead
dissemination and case deconfliction that specify, among other provisions, that all information
provided during the case deconfliction process is the exclusive property of the submitting
partner. No further dissemination of the information is authorized without prior approval from
the submitting partner, including to agency field offices. Consequently, the agency with
jurisdiction over the complaint can rely on this agreement to safeguard against inappropriate use.
With increased automation of IPR Center processes it will be easier to audit agency action to
ensure the protocols are followed.
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 7
Section 4.0 Notice
The following questions seek information about the project’s notice to the individual about the information
collected, the right to consent to uses of said information, and the right to decline to provide information.
4.1
How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain why
not.
Individuals or entities that submit complaints to the IPR Center do so voluntarily and are
provided with a Privacy Act notice on the submission form that explains the authority, purpose,
and uses of their information. Submission of the complaint form constitutes consent for the IPR
Center to use the information to look into the complaint further and take action where
appropriate. Individuals may provide contact information, but it is not required. If provided, the
complainant may be contacted by members of the IPR Center for follow-up.
4.2
What opportunities are available for individuals to consent to
uses, decline to provide information, or opt out of the project?
Because submission of personal identifiers of complainants is voluntary, individuals can
decline to provide this information and submit a complaint/referral anonymously. The alleged
perpetrators who are named in the online submissions will potentially be subjects of
investigations and therefore unable to decline the use of their information.
4.3
Privacy Impact Analysis: Related to Notice
There is little privacy risk to the complainant regarding notice because the IPR Center
provides a Privacy Act notice to complainants about how their information will be used. The IPR
Center notifies complainants that submission of personally identifiable data is voluntary.
Privacy Risk: The risk is that individuals who are the subject of a complaint may be
unaware that their information was provided to the IPR Center.
Mitigation: There is no mitigation for this risk. Individuals who are the subject of a
complaint will likely be unaware that a complaint was made against him or her.
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 8
Section 5.0 Data Retention by the project
The following questions are intended to outline how long the project retains the information after the initial
collection.
5.1
Explain how long and for what reason the information is retained.
The proposed retention schedule for IPR Center investigative records is 10 years from the
time an investigation is opened. Complaints that are not deemed sufficient for investigation are
proposed to be maintained for five years after that determination has been made. Once the
retention schedule is approved for these records, the destruction date will be calculated based on
the date of the record (and pertinent action pertaining to it). These retention periods will facilitate
the IPR Center’s ability to make comparisons among cases and analyze trends over time.
5.2
Privacy Impact Analysis: Related to Retention
Privacy Risk: Until the retention schedule is approved, IPR Center records must be
maintained as permanent records. Therefore, there is a risk that information submitted by
individuals will be retained for longer than necessary.
Mitigation: This risk is partially mitigated. The Federal Records Act requires agencies to
schedule records or, in the absence of an approved schedule, to maintain them until a schedule is
approved. The risk is partially mitigated for complainants because complainants can submit
information anonymously. For individuals who are named as alleged perpetrators, the risk is
more significant, but through investigation the subject may be cleared of any suspicion and the
records updated accordingly. Once the retention schedule for IPR Center records is approved, the
record destruction date will be calculated from the date the complaint was resolved, not the date
the schedule was approved.
Section 6.0 Information Sharing
The following questions are intended to describe the scope of the project information sharing external to
the Department. External sharing encompasses sharing with other federal, state and local governments, and private
sector entities.
6.1
Is information shared outside of DHS as part of the normal
agency operations? If so, identify the organization(s) and how the
information is accessed and how it is to be used.
Yes. U.S. law enforcement agencies have overlapping areas of responsibility for
enforcing intellectual property laws. Recognizing that collective leverage of resources and
expertise is essential to success, the IPR Center shares information and promotes a coordinated
U.S. Government response to IPR enforcement. Complaints about alleged intellectual property
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 9
crimes received by the IPR Center consequently are shared among the partners. IPR Center
members also share information from investigations that will aid future inquiries, such as
emerging trends and new infringing technologies.
6.2
Describe how the external sharing noted in 6.1 is compatible with
the SORN noted in 1.2.
ICE’s External Investigations SORN covers the information that ICE collects through the
IPR Center and permits sharing with other law enforcement agencies for purposes of
collaboration, coordination, and deconfliction of cases. Routine uses K (law enforcement efforts
pertaining to export violations), Q (law enforcement intelligence), and S (deconfliction), among
others, permit sharing of information for these purposes: they are compatible with the stated
purpose of the system, which is to identify potential criminal activity, to uphold and enforce the
law, and to ensure public safety.
6.3
Does the project place limitations on re-dissemination?
Onward sharing of information is permitted to the extent necessary for the agency with
lead authority to investigate allegations in a complaint and with the consent of the agency partner
whose information is to be shared. Information about cases, stripped of personally identifiable
details, may also be used in the IPR Center’s substantial outreach and training efforts. Since July
2008, the IPR Center has conducted nearly 2,000 outreach and training events.
6.4
Describe how the project maintains a record of any
disclosures outside of the Department.
The spreadsheet on which complaints are maintained logs information about disclosures
of the information for purposes of compiling reports and developing statistical information. The
same log can be used to maintain a record of disclosures of any PII that is provided by
complainants.
6.5
Privacy Impact Analysis: Related to Information Sharing
Privacy Risk: There is a risk that data will be shared more widely among partner
agencies than is necessary to assign responsibility for any follow-up investigation.
Mitigation: Agencies that participate in the IPR Center agree to a set of protocols that
govern the way complaints are handled and information is used by all members of the Center.
Use of the information includes access to the IPR Center’s internal database on a need-to-know
basis as determined by ICE Homeland Security Investigations (HSI) representatives at the IPR
Center.
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 10
Section 7.0 Redress
The following questions seek information about processes in place for individuals to seek redress which
may include access to records about themselves, ensuring the accuracy of the information collected about them,
and/or filing complaints.
7.1
What are the procedures that allow individuals to access
their information?
Individuals seeking access to records maintained as a result of their complaint to the IPR
Center may submit a request in writing to the ICE Freedom of Information Act (FOIA) Office by
mail or facsimile by following the procedures posted at http://www.ice.gov/foia/request.
Individuals about whom complaints are submitted may be unaware that they have been identified
in a complaint to the IPR Center. Their records, when they are retrieved by name or personal
identifier, are exempt from access pursuant to the Privacy Act, and may be withheld in whole or
in part, to prevent harm to law enforcement investigations or interests. Nevertheless, Privacy Act
requests are also considered under FOIA in order to provide the greatest access to the requester,
whether complainant or subject.
7.2
What procedures are in place to allow the subject individual
to correct inaccurate or erroneous information?
Individuals who submit a complaint to the IPR Center may correct anything that may be
inaccurate by submitting an updated complaint. Because investigative action may be taken on the
submission, it is important to have accurate information. Individuals who are the subject of a
complaint, on the other hand, may be unaware of that status. Their ability to correct the
information is limited because once a matter is taken for investigation, some or all of the
information may be exempt from correction pursuant to the Privacy Act in order to prevent harm
to law enforcement investigations or interests. Through the investigative process, however,
information in complaints is verified, and the records that are compiled as a result of any
investigation will reflect any updates or corrections that are found to be required.
7.3
How does the project notify individuals about the
procedures for correcting their information?
Each participating agency in the IPR Center maintains a link on its home page where
information can be found about submitting FOIA and Privacy Act requests. ICE’s instructions
for submitting a request can be found at http://www.ice.gov/foia/request. Individuals about
whom complaints are submitted may not have notice of that fact, but if the complaint is accepted
for investigation, they may have notice as a result of the investigatory process.
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 11
7.4
Privacy Impact Analysis: Related to Redress
Privacy Risk: With regard to individuals who submit complaints to the IPR Center, there
is a privacy risk that during an investigation, the submitter may not be able to access his or her
information. With regard to individuals about whom a complaint is submitted, they may be
unaware that a complaint has been lodged that implicates them and therefore unaware of any
potential redress.
Mitigation: Individuals who submit complaints control how much information they
provide and so can mitigate the privacy risk that their own information will be unavailable while
an analysis and potential investigation of their complaint is underway.
Because the records of the IPR Center (those that are not maintained separately in agency
investigative files) are collected for a law enforcement purpose, individuals’ rights to be notified
of the existence of data about them and how that data are used may be limited, particularly as it
concerns individuals who are the subjects of complaints/investigations. Notification to these
individuals that information about them is being gathered could compromise the existence of
ongoing law enforcement activities.
Section 8.0 Auditing and Accountability
The following questions are intended to describe technical and policy based safeguards and security
measures.
8.1 How does the project ensure that the information is used in
accordance with stated practices in this PIA?
Agencies that participate in the IPR Center agree to a set of protocols that govern the way
complaints are handled and information is used by all members of the Center. Use of the
information includes access to the IPR Center’s internal database on a need-to-know basis as
determined by ICE Homeland Security Investigations (HSI) representatives at the IPR Center.
A working group, composed of representatives of partner agencies, meets weekly to
review lead results and case deconfliction results, discuss lead viability and dissemination, and
coordinate identified overlap between agency efforts. In the unlikely event that disagreements
cannot be resolved by the working group, the protocols provide that the issues be escalated to the
principals of partner agencies.
8.2 Describe what privacy training is provided to users either
generally or specifically relevant to the project.
Participating agencies in the IPR Center are responsible for ensuring that their
representatives have the requisite background to identify and handle intellectual property crimes.
Privacy Impact Assessment
DHS/ICE/PIA-041
National Intellectual Property Rights Center
Page 12
Additionally, each agency is responsible for any privacy and security training of its personnel.
ICE employees are required to have yearly privacy and information security training.
Additionally, HSI personnel at the IPR Center will ensure that all personnel with access to the
IPR Center database have had appropriate privacy and information security training.
8.3 What procedures are in place to determine which users may
access the information and how does the project determine
who has access?
As noted above, a set of protocols determines who has access to information collected by
the IPR Center and to the Center’s database. If there is overlap, the matter is assigned for joint
action to all agencies with jurisdiction. Even after a lead is assigned and a participating agency
opens an investigation, the IPR Center continues to monitor its progress, providing coordination
assistance as required.
8.4 How does the project review and approve information
sharing agreements, MOUs, new uses of the information,
new access to the system by organizations within DHS and
outside?
If additional agencies wish to participate in the IPR Center and share information about
intellectual property crimes, representatives from the agencies agree to be bound by the
protocols. Agreement is signified by an addendum to the protocols.
Responsible Officials
Lyn Rahilly
Privacy Officer
U.S. Immigration and Customs Enforcement
Department of Homeland Security
Approval Signature
Original signed and on file with the DHS Privacy Office.
________________________________
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security
File Type | application/pdf |
File Title | DHS/ICE/PIA-041 IPR Center |
Author | U.S. Department Of Homeland Security Privacy Office |
File Modified | 2015-05-05 |
File Created | 2015-05-04 |