Document
DHS/CBP/PIA-062 Trusted Worker Program System (TWP)
ICR 202508-1651-005 · OMB 1651-0034 · Object 162235700.
Document Viewer [pdf]
Status: Original and derived artifacts are available for this document.
Download: pdf
Loading document viewer…
Document Metadata
| File Type | application/pdf |
|---|---|
| File Title | DHS/CBP/PIA-062 Trusted Worker Program System (TWP) |
| Author | U.S. Department of Homeland Security Privacy Office |
| File Modified | 2020-01-24 |
| File Created | 2020-01-24 |
| Conversion State | complete |
Extracted Text
Privacy Impact Assessment for the Trusted Worker Program System (TWP) DHS/CBP/PIA-062 January 24, 2020 Contact Point John R. Maulella Office of Field Operations (OFO) U.S. Customs and Border Protection (CBP) (202) 344-2605 Reviewing Official Jonathan R. Cantor Acting Chief Privacy Officer Department of Homeland Security (202) 343-1717 Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 1 Abstract The U.S. Department of Homeland Security (DHS), U.S. Customs and Border Protection (CBP) is responsible for vetting and monitoring the eligibility of workers applying for access to sensitive CBP-controlled areas or positions. CBP uses the Trusted Worker Program System (TWP), which is a subsystem of the e-Business cloud and is hosted on the CBP Amazon Web Services (AWS) Cloud East (CACE), to facilitate enrollment and vetting of applicants for eBadge, Bonded Worker, and Broker’s License. In 2019, CBP migrated the data and vetting of trusted workers from the Global Enrollment System (GES) Trusted Worker (TW) to TWP. CBP has developed this overarching Privacy Impact Assessment (PIA) to: (1) document the creation of a new privacy sensitive system, TWP, (2) and provide notice of a web-service interface data exchange mechanism between CBP and the Transportation Security Administration (TSA) Transportation Vetting System (TVS) for the eBadge program. Overview CBP is responsible for vetting and monitoring the eligibility of workers applying for access to sensitive CBP-controlled areas or positions. CBP created TWP as the primary repository for program enrollment and background investigation data related to Trusted Worker programs. CBP has three trusted worker programs: (1) eBadge, which is responsible for vetting and credentialing third party workers who have access to secure areas at CBP facilities such as domestic airports and foreign preclearance facilities;1 (2) Bonded Worker, which is responsible for vetting individuals associated with bonded warehouses; and (3) Broker’s License, which is responsible for vetting applicants for a Broker’s License. TWP provides CBP with the ability to centralize many of the program applications and enrollment functions, standardize the risk assessment process for programs, and offer a more efficient approach in the administration of these programs. Previously, the Global Enrollment System housed all information related to the trusted worker population.2 CBP has developed this overarching PIA to: (1) document the creation of a new privacy sensitive system, TWP, (2) and provide notice of a web-service interface data exchange mechanism between CBP and the Transportation Security Administration (TSA) Transportation Vetting System (TVA) for the eBadge program. 1 CBP Preclearance provides for the U.S. border inspection and clearance of commercial air passengers and their goods in certain foreign countries. A preclearance inspection is essentially the same inspection an individual would undergo at a U.S port of entry. Visit https://www.cbp.gov/border-security/ports-entry/operations/preclearance for a list of CBP preclearance locations. 2 See DHS/CBP/PIA-002(c) Global Enrollment System (GES) (November 1, 2016), available at: www.dhs.gov/privacy. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 2 CBP migrated all trusted worker program data from GES to TWP, which is an operational subsystem under the e-Business Cloud.3 The e-Business Cloud resides in the CBP Amazon Web Services (AWS) Cloud East (CACE) environment and consolidates a number of cloud native, webbased systems into a single Security Authorization Package (SAP). CACE provides a secured facility, network, databases, and necessary encryption to protect the confidentiality, integrity, and availability of the user data. The data, including PII, is attributable to various DHS/CBP systems hosted in CACE. CBP conducted the migration from GES to TWP in order to separate trusted worker vetting from trusted traveler vetting and better handle the differing workloads. TWP offers a flexible, efficient, and scalable platform for data storage to operate CBP’s IT capabilities and solutions. Only CBP personnel provisioned under a specific role have access to and are the primary users of TWP. Future modifications of TWP will include a public portal. Applicants will be able to access this portal and submit applications for Trusted Worker programs electronically. CBP will document all future modifications to TWP in subsequent TWP PIAs. eBadge Program The eBadge program is only available to applicants applying for access to domestic and foreign preclearance airports. CBP continues to operate the eBadge program in conjunction with TSA and commercial service providers that process airport badges and credentials, such as the American Association of Airport Executives. TSA requires name-based Security Threat Assessments (STA) for all individuals seeking or holding airport identification badges or credentials in order to identify potential or actual threats to transportation or national security. The name-based STA involves recurring checks against federal terrorism, immigration, and law enforcement databases. Commercial service providers support airport authorities by channeling airport badge and credential PII to TSA for the STA. The eBadge program allows CBP to perform additional screening using the Automated Targeting System (ATS) Unified Passenger (UPAX),4 which includes checks against CBP databases, on the TSA-cleared airport employees seeking access to a Customs Security area, also referred to as a Federal Inspections Services (FIS) area, at any airport accommodating international air commerce designated for processing passengers, crew, their baggage and effects arriving from or departing to foreign countries, as well as the aircraft deplaning and ramp area and other restricted areas designated by the port director.5 CBP officers review the vetting results in order to 3 e-Business Cloud is a CBP major system that houses a variety of CBP cloud-based systems. e-Business Cloud does not have any user interfaces and simply acts as the overarching architecture to house certain CBP cloud systems, which are all separately covered with their own privacy compliance documentation. e-Business Cloud currently holds e-APIS Cloud and Trusted Worker Program System. 4 See DHS/CBP/PIA-006 (e) Automated Targeting System, which describes the super query function in detail. This PIA is available at: www.dhs.gov/privacy. 5 19 CFR § 122.181, Customs Duties; Part 122. Air Commerce Regulations, Subpart S. Access to Customs Security Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 3 determine the individual’s eligibility for a Customs Access Seal (CBP Seal).6 Upon successful CBP screening, CBP advises the commercial service providers to direct the airport authority to affix a CBP Seal to the individual’s TSA-approved Security Identification Display Area (SIDA) badge, which then authorizes the individual access to the FIS areas.7 All individuals submitting initial applications must appear in person with proper government-issued documents at the CBP Airport Security Program office to establish identity and verify employment eligibility. Individuals who have not first received clearance by TSA are not eligible to apply for the CBP Seal. TWP will be modified in the future to include a public facing web page, which eBadge applicants will be able to use to electronically submit CBP Form 3078 to CBP. The public portal will allow eBadge applicants to enter information that CBP does not receive from the CBP/TSA interface exchange. eBadge Applicant Requirements CBP operates the eBadge program in the airport environment. TWP receives the application via the new TSA Transportation Vetting System (TVS)8 interface as well as from an applicant directly submitting CBP Form 3078 to the CBP Airport Security Program Office at the airport where they wish to work. At this time, CBP still requires applicants to submit CBP Form 3078 even when CBP receives information via the TSA TVS interface. Additionally, the applicant’s employer must submit a letter of intent to the CBP Airport Security Program office. The letter of intent informs CBP what activities the applicant will be conducting in the FIS and provides information on the employer. This letter includes proof of citizenship and identification. A CBPO reviews the letter of intent and verifies information against the data received from TSA TVS. CBP Officers (CBPOs) manually enter the information from CBP Form 3078 into TWP prior to submitting information to ATS UPAX for vetting. Port locations will securely store the paper copy for reference for 5 years. Additionally, both the CBP Form 3078 and employer letter of intent are scanned and uploaded into TWP by the CBPO. Once the CBPO submits information into the ATS UPAX system, the ATS UPAX system begins to run queries (i.e., ATS super query searches) on the applicant and to flag derogatory information. The CBPO receives from TWP all derogatory information flagged in ATS UPAX. The CBPO must evaluate the ATS UPAX vetting results provided in TWP and adjudicate the eBadge application. CBPOs working in the CBP Airport Security Program Office are responsible Areas. 6 19 CFR § 122.182, Customs Duties; Part 122. Air Commerce Regulations, Subpart S. Access to Customs Security Areas. 7 See DHS/TSA/PIA-020 Security Threat Assessment for Airport Badges and Credential Holders (SIDA), available at: www.dhs.gov/privacy. 8 See DHS/TSA/PIA-030(e) Traveler Vetting System, available at: www.dhs.gov/privacy. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 4 for reviewing applicant data. After the vetting results conclude on the applicant, the Port Director will review the local CBP Airport Security Program Office policy and determine if an interview is necessary. CBPOs conduct interviews with applicants identified to be at a higher risk threshold and/or individuals that require additional information or documentation to determine their eligibility for the program. CBPOs will reach out to the applicant to conduct an interview, at the applicant’s duty station only, to review the eBadge application information and ensure all biographic information entered on the CBP Form 3078 is correct. The port director has final discretion on CBP Seal approvals, denials, and revocations. eBadge Application: Approval, Denial, and Revocation Upon successful screening/vetting of the applicant, CBPOs will adjudicate the application in TWP and advise the employer and employee of the results.9 Applicants approved for the CBP Seal will receive a decal, which is affixed to their SIDA badge. The CBP Seal allows the employee to access secure CBP areas at airports. Badge access areas and requirements may vary between locations (i.e., zones, ports of entry); however, the eBadge vetting standards CBP has established for airports of entry are consistent and determined under 19 CFR 122.182, Security Provisions.10 CBP has the authority to deny any application if derogatory information is uncovered on the applicant during the vetting process. If an applicant is ineligible for the CBP Seal, he or she will receive a denial letter in the mail. The denial letter includes information on why CBP denied the application and may include specific derogatory information that CBP uncovered during vetting. The letter also informs the applicant of his or her right to appeal the denial before it becomes final. If the applicant choses to appeal the denial, the applicant must file a written appeal within 10 days of receipt of the letter. A written appeal, filed in duplicate, must contain evidence to overcome the reason for denial, and must be sent to the port director’s address noted in the denial letter. Within thirty days of the receipt of the appeal, CBP must make a final decision on the appeal. In some situations, CBP may revoke a CBP Seal, per the grounds in 19 CFR § 122.187, and the affected individual will receive a revocation letter in the mail.11 Reasons for revocation include: probable cause to believe seal was obtained through fraud; probable cause to believe the 9 This disclosure is consistent with DHS/CBP-010 Persons Engaged in International Trade in Customs and Border Protection Licensed/Regulated Activities, which permits disclosures pursuant to Routine Use J: “to third parties during the course of a law enforcement investigation or background check to the extent necessary to obtain information pertinent to the investigation, provided disclosure is appropriate to the proper performance of the official duties of the officer making the disclosure.” 10 19 CFR § 122.182, Air Commerce Regulations; Subpart S. Access to Customs Security Areas, Section 122.182Security Provisions. 11 19 CFR §122.187, Air Commerce Regulations; Subpart S. Access to Customs Security Areas, Section 122.187Revocation or suspension of access. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 5 employee committed certain crimes;12 and misuse of seal. The individual has the right to appeal the revocation. If the individual chooses to appeal the revocation, he or she must file a written appeal within 10 days from receipt of the letter. A written appeal, filed in duplicate, must contain evidence to overcome the reason for revocation, and must be sent to the port director’s address noted in the revocation letter. Within thirty days of the receipt of the appeal, CBP must make a final decision on the appeal. eBadge: Web Service Data Exchange CBP conducts a background check on a subset of the Aviation Worker13 population through the eBadge program. Previously, employees seeking unescorted access to CBP-controlled FIS (i.e., secure areas of airports and aircraft) had to undergo two separate background checks (by TSA and CBP, respectively) with slightly different adjudication standards but similar data requirements. TSA and CBP developed a web-service interface to share biographic and biometric data (i.e., fingerprint images) between agencies electronically. Individuals undergoing a background check by TSA submit their biographic and biometric data to TSA during the SIDA badge process. The web service then transmits the biographic and biometric data from TSA TVS to CBP TWP. CBP uses this information to adjudicate eBadge applications without having to collect certain biometric and biographic data separately. For now, aviation workers will still be required to submit Form 3078 to cover additional information not initially captured by TSA, but CBP is working with TSA to create a standardized collection. The data transmitted through the network will be limited to CBP and TSA network unclassified operational and administrative data. The transmission of data across government agencies reduces duplicative efforts on aviation workers to enter data, and lessens the administrative burden on CBPOs, who previously entered the applicant’s information manually in to the CBP Global Enrollment System (GES). Bonded Worker Program The Bonded Worker program applies to individuals who work at locations where bonded warehouses, facilities, or designated areas operate under CBP supervision.14 This program applies only to warehouse proprietors, Foreign Trade Zone (FTZ) operators, officers, and recordkeeping 12 For a list of disqualifying offenses see 19 CFR § 122.183 (a)(4) Denial of access, available at: https://www.govinfo.gov/app/details/CFR-2012-title19-vol1/CFR-2012-title19-vol1-sec122-183. 13 The aviation worker population refers to an individual employed in, or applying for, a position as a security screener under section 44935(e), or a position in which the individual has unescorted access, or may permit other individuals to have unescorted access, to aircraft of an air carrier or foreign air carrier, or a secure area of an airport in the United States the Administrator designates that serves as an air carrier or foreign air carrier. See 49 U.S. Code § 44936, Employment investigations and restrictions. 14 19 U.S.C. § 1555, Bonded Warehouses. A Customs bonded warehouse is a building or other secured area in which imported dutiable merchandise may be stored, manipulated, sorted, repacked, cleaned, or undergo manufacturing operation without payment of duty for up to 5 years from the date of importation. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 6 employees of a corporation that has been granted the right to operate the bonded facility. CBP has the authority to vet these individuals under the Bonded Worker program, and to revoke or suspend the bonded status of a warehouse proprietor, operator, or any officer of a corporation that holds the right to operate a bonded warehouse or an FTZ, upon conviction of certain crimes.15 An applicant seeking to establish a bonded warehouse must submit a written application to the local CBP port director nearest to where the warehouse is located, describing the premises, the location, and the class of warehouse under development. Additional information and steps required to be taken by the applicant can be found in 19 CFR § 19.2, Applications to bond. After the applicant successfully completes the application process, the port director shall promptly notify the applicant in writing of the decision to approve or deny the application to bond the warehouse. Applicants seeking to work in an approved bonded warehouse or facility must complete CBP Form 3078 and submit it to the port director of the port nearest to where the facility is located. As with eBadge, CBPOs manually enter CBP Form 3078 into the TWP and background vetting is then conducted through ATS UPAX. The vetting conducted for bonded warehouse workers is the same as for eBadge applicants. Port locations will keep the paper copy of Form 3078 for reference and store the document in a locked drawer for 5 years. See the Characterization of the Information section below for the data requirements pertaining to the Bonded Worker program. Broker’s License Program Customs brokers are private individuals, partnerships, associations, or corporations licensed, regulated, and empowered by CBP to assist importers and exporters in meeting federal requirements governing imports and exports.16 Customs brokers submit necessary information and appropriate payments to CBP on behalf of their clients and charge the clients a fee for this service. Customs brokers must have expertise in the entry procedures, admissibility requirements, classification, valuation, and applicable rates of duties, taxes, and fees for imported merchandise. The Broker’s License program applies to individual applicants, officers, and principals of customs brokerage firms whose primary responsibility is filing required documentation to import goods into the United States. A Broker’s License applicant must be a U.S. citizen who is not an officer or employee of the U.S. Government and is of good character, who has attained 21 years of age prior to submission of the application and has passed a Customs broker exam within 3 years of the submission of the application. Applicants must complete a Broker’s License application at 15 19 CFR § 19.2, Bonded Warehouses; Applications to bond; and 19 CFR § 19.3, Bonded Warehouses; alterations; relocation; suspensions; discontinuance. 16 “Customs broker” means a person who is licensed under 19 CFR § 111 to transact customs business on behalf of others. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 7 a CBP port of entry (PoE)17 and undergo a CBP background investigation.18 This vetting process adheres to regulatory requirements and verifies that the applicant does not have a history of activity that would make him or her unsuitable to carry out the responsibilities entrusted to a customs broker.19 Applicants must complete CBP Form 3124-Application for Customs Broker’s License and submit it to a CBP POE for manual entry into TWP.20 See the Characterization of the Information section below for the data requirements pertaining to the Broker’s License program. Trusted Worker Programs: New Applicant Vetting Process CBP uses ATS-UPAX to vet travelers in CBP’s Trusted Worker programs: eBadge, Bonded Worker, and Broker’s License.21 CBPOs enter applicant information manually into TWP. TWP creates a Person ID, which is associated with the new applicant, and initiates the screening process. The screening process consists of a standard series of queries run in ATS UPAX on the applicant, including automated queries against the CBP TECS System,22 which contains traveler history data for airport and land borders. This is conducted on all applicants regardless of the program for which they are applying. Applicants for the eBadge program undergo additional vetting, which will be discussed separately. CBPOs review the applicants’ information in ATS UPAX or TWP using a Risk Assessment Worksheet (RAW), which is created in ATS UPAX from ATS UPAX information. As part of the screening process, CBP may also conduct an interview with the applicant and may retain a photograph and fingerprints of the applicant.23 CBPOs adjudicate the applicants in either ATS UPAX or TWP. The RAW with the assigned pass/fail, generated from ATS UPAX, is 17 Port of Entry (PoE) is a place where one may lawfully enter a country (i.e., international airports, road and rail crossings on a land border, and seaports where a dedicated customs presence is posted). The eBadge program is available to domestic and foreign preclearance airports. The eBadge program is not currently available at U.S. land ports and seaports. 18 19 CFR § 111.11, Customs Brokers; Subpart B. Procedure To Obtain a License or Permit, Section 111.11- Basic Requirements for a Broker’s License. 19 19 CFR § 111.12, Customs Brokers; Subpart B. Procedure To Obtain a License or Permit, Section 111.12Application for License. 20 CBP Form 3124, available at: https://www.cbp.gov/document/forms/form-3124-application-customs-brokerlicense. 21 See DHS/CBP/PIA-006(e) Automated Targeting System, available at: www.dhs.gov/privacy. 22 See DHS/CBP/PIA-009 TECS System: CBP Primary and Secondary Processing, available at: www.dhs.gov/privacy. 23 Photographs and fingerprints of trusted workers are maintained in the Automated Biometric Identification System (IDENT) and covered by the existing DHS/CBP-010 Persons Engaged in International Trade in Customs and Border Protection Licensed/Regulated Activities System of Records Notice, 73 FR 77753 (December 19, 2008). For more information on IDENT see DHS/OBIM/PIA-001 Automated Biometric Identification System, available at: www.dhs.gov/privacy. DHS is retiring IDENT and replacing it with the Homeland Advanced Recognition Technology System (HART), which will be discussed in a forthcoming PIA. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 8 automatically associated with the applicant’s TWP record. CBP then uses TWP to complete the applicant’s processing. Trusted Worker Programs and ATS UPAX Applicant Process Flow 1. Applicant applies for Trusted Worker Programs status. 2. Applicant information transfers to TWP electronically or is entered manually. 3. ATS UPAX queue receives information from TWP. 4. ATS UPAX vets applicant through the standardized process. 5. CBP staff reviews the Risk Assessment Worksheet (RAW) in ATS UPAX or TWP. 6. CBP staff adjudicates applicants in the ATS UPAX or TWP. 7. RAW with the recommended Pass/Fail is automatically associated with applicant’s TWP record; applicant processing is completed in TWP. Trusted Worker Programs: Recurrent Vetting ATS UPAX conducts recurrent vetting on individuals with approved applications and granted CBP Seals every 24 hours. Through recurrent vetting, every 24 hours, ATS-UPAX automatically reviews all information found on an approved applicant to determine there is any new derogatory or other information that needs to be manually reviewed by a CBPO. If new derogatory information exists, then CBP may conduct an interview with the applicant to determine whether the information is accurate and whether the applicant should be removed from the program and have his or her access revoked. If necessary, a port director may revoke credentials without conducting an interview. If the applicant’s status is revoked, the notification, electronically transmitted from TWP, shall state the grounds for revocation. The decision of the port director will be the final administrative determination in the matter. The notification will inform the individual of how he or she may appeal the decision. TWP does not conduct recurrent vetting on individuals who have had their application denied or revoked. Once an application is denied or revoked, information about the applicant is removed from ATS-UPAX, unless that information is linked to active law enforcement lookout records, enforcement activities, or investigative cases, in which case the data is maintained by CBP in ATS UPAX consistent with ATS retention schedule as reflected in the ATS SORN (i.e., for the life of the law enforcement matter to support the activity and other enforcement activities that may become related). Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 9 eBadge Program: Derogatory Update Notification Service In addition to ATS UPAX recurrent vetting through CBP holdings, CBP plans to leverage DHS Automated Biometric Identification System (IDENT)24 services to assist in the recurrent vetting of eBadge program enrollees. CBP will leverage notification services through IDENT, which would provide an electronic notification to ATS UPAX when derogatory information resulting from a recent law enforcement encounter is received on an eBadge program enrolled member. eBadge program applicants initially submit their fingerprints into TSA TVS via the TSA SIDA process. The fingerprints are gathered through TSA TVS and electronically submitted to CBP’s TWP via a web service interface. CBP’s TWP receives the fingerprint information (i.e., fingerprint binary capture date, fingerprint binary format ID, and fingerprint binary base 64 object), transfers the data into ATS UPAX, and ATS UPAX sends the information to IDENT. IDENT biometrically searches the identity and provides an automated identification response to ATS UPAX that includes all encounters, dates, and locations of encounters (criminal, or noncriminal from state, local or federal law enforcement agencies), along with the following: name, date of birth, citizenship, encounter ID, date, activity (location site of encounter), watchlist status, and Fingerprint Identification Number (FIN). IDENT stores all biometric information on the approved eBadge program applicant. In the event that the eBadge program applicant and/or member is encountered by law enforcement (e.g., a warrant is issued on the eBadge applicant or member), additional biometrics may be captured from state, local, or federal law enforcement agencies and submitted to IDENT for search against IDENT data holdings through DHS interoperability with the Federal Bureau of Investigations (FBI) Next Generation Identification (NGI) biometric system.25 IDENT matches the eBadge member previously captured biometrics to the new encounter, linking the event and triggering a derogatory update notification message for submission back to ATS UPAX for the purpose of eBadge CBP Officers reviewing the recurrent vetting eBadge hotlist in ATS UPAX will receive a notification indicating an update to derogatory information has occurred on an individual enrolled in the eBadge program. IDENT then sends CBP a notification message of “new encounter” through ATS UPAX. Officers will subsequently retrieve the identity data from IDENT to review the derogatory information and determine continued program eligibility. 24 See DHS/OBIM/PIA-001 Automated Biometric Identification System, available at: www.dhs.gov/privacy. See Federal Bureau of Investigation (FBI) Privacy Impact Assessment (PIA), Integrated Automated Fingerprint Identification System (IAFIS)/Next Generation Identification (NGI) Biometric Interoperability https://www.fbi.gov/services/information-management/foipa/privacy-impact-assessments/iafis-ngi-biometricinteroperability and JUSTICE/FBI-009, The Next Generation Identification (NGI) System, Systems of Records Notification (SORN) available at https://www.federalregister.gov/documents/2019/10/09/2019-21585/privacy-actof-1974-system-of-records. 25 Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 10 Section 1.0 Authorities and Other Requirements 1.1 What specific legal authorities and/or agreements permit and define the collection of information by the project in question? CBP operates the eBadge program, which provides screening and vetting services for TSAcleared airport employees seeking access to CBP-controlled Federal Inspection Service (FIS)restricted areas. eBadge applicants complete Form 3078, and the principal purpose for collecting the information is to enable CBP to conduct a background investigation and thereby determine whether the applicant meets the criteria for issuance of an identification card. The authority to collect information on CBP Form 3078 is pursuant to 5 U.S.C. § 301; 19 U.S.C. §§ 1551, 1565, 1624, 1641; and 19 CFR § 112.42. CBP operates the Bonded Worker program, which provides warehouse proprietors, Foreign Trade Zone (FTZ) operators, officers, and recordkeeping employees of a corporation that have been granted the right to operate a bonded facility, access to locations where bonded warehouses, facilities, or designated areas operate under CBP supervision. Bonded Worker applicants complete Form 3078, and the principal purpose for collecting the information is to enable CBP to conduct a background investigation and thereby determine whether the applicant meets the criteria for issuance of an identification card. The authority to collect information on CBP Form 3078 is pursuant to 5 U.S.C. 301; 19 U.S.C. §§ 1551, 1565, 1624, 1641; and 19 CFR § 112.42. CBP operates the Broker’s License program, which provides customs brokers (i.e., private individuals, partnerships, associations, or corporations licensed, regulated, and empowered by CBP to assist importers and exporters in meeting federal requirements governing imports and exports) a valid Customs broker license. Custom broker applicants are vetted through TWP and must pass a background investigation in order to be qualified for a broker’s license. The authority to collect information on CBP Form 3124 is pursuant to 19 U.S.C. § 1641; 5 U.S.C. 301; Revised, as amended; and 19 CFR § 111. 1.2 What Privacy Act System of Records Notice(s) (SORN(s)) apply to the information? DHS/CBP-010 Persons Engaged in International Trade in Customs and Border Protection Licensed/Regulated Activities26 provides SORN coverage for individuals applying for access to the FIS, bonded workers, and broker’s licenses. 26 DHS/CBP-010 Persons Engaged in International Trade in Customs and Border Protection Licensed/Regulated Activities, 73 FR 77753 (December 19, 2008). Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 11 DHS/CBP-006 Automated Targeting System27 provides SORN coverage for information retained by ATS UPAX and permits the collection of information from individuals applying for access to the FIS, bonded workers, and broker’s licenses. 1.3 Has a system security plan been completed for the information system(s) supporting the project? Yes, CBP completed a system security plan. The Authority to Operate (ATO) date for eBusiness Cloud, of which TWP is a subsystem, was signed on June 14, 2019. 1.4 Does a records retention schedule approved by the National Archives and Records Administration (NARA) exist? CBP is working with the U.S. National Archives and Records Administration (NARA) to develop a retention schedule for these records that will be more closely aligned with program requirements. CBP is proposing that all TWP data be retained for six years after an individual’s membership is no longer active, whether due to expiration without renewal at the end of the membership validity, abandonment, or CBP termination. Data is retained after membership becomes inactive so that CBP can more easily vet an individual who chooses to reapply, as well as to provide a record for redress purposes. Bonded Worker membership expires after five years; eBadge, and Brokers License have different renewal periods, and each renewal period has been listed below: For eBadge, each approved CBP Seal will remain valid for 2 years from the date of issuance. Retention of an approved CBP Seal beyond the applicable 2-year period will be subject to the reapplication provisions of paragraph (c)(2) of 19 CFR 122.182.28 For Broker’s License, each broker must file a written status report with CBP every three years, starting from 1985. The next triennial status report will be due in 2021.29 The report must be accompanied by the fee prescribed in 19 CFR 111.96(d) and must be addressed to the director of the port through which the license30 was delivered to the licensee (see 19 CFR 111.15).31 A report received during the month of February will be considered filed timely. No form or particular format is required. Additionally, fingerprints are retained in IDENT. NARA approved records retention schedule for the IDENT system requires OBIM to maintain IDENT records in custody for 75 years or when no longer needed for legal or business purposes, whichever is later (DAA-0563-201327 DHS/CBP-006 Automated Targeting System, 77 FR 30297 (May 22, 2012). 19 CFR § 122.182, Customs Duties; Part 122. Air Commerce Regulations, Subpart S. Access to Customs Security Areas. 29 19 CFR § 111.30 (d)(1), Customs Brokers; Subpart C. Duties and Responsibilities of Customs Brokers. 30 19 CFR § 111.96 (b)(1), Customs Brokers; Subpart E. Monetary Penalty and Payment of Fees. 31 19 CFR § 111.15, Customs Brokers; Issuance of License. 28 Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 12 0001-0006). CBP is re-evaluating the current retention period to determine whether a new retention period or combination of retention periods is appropriate. CBP will publish a PIA update for any change in the retention period. 1.5 If the information is covered by the Paperwork Reduction Act (PRA), provide the OMB Control number and the agency number for the collection. If there are multiple forms, include a list in an appendix. Some of the information collected in this system is covered by the PRA with OMB Control Numbers 1651-0008 (CBP Form 3078) and 1651-0034 (CBP Form 3124). Section 2.0 Characterization of the Information 2.1 Identify the information the project collects, uses, disseminates, or maintains. The following data elements are captured by TSA via the SIDA application process and transmitted to CBP TWP: • Application Data: application ID; airport code; airport category; SIDA badge access level; SIDA badge status; SIDA badge issue date; SIDA badge document identification number; SIDA badge expiration date; SIDA badge document file name (conditional); SIDA badge document format (conditional). • Applicant Biographic Data: first name; last name; gender; birth date; place of birth (country); present address type (main residence and mailing address); address street; address city; address state; address country; organization name; organizational postal code (conditional); country of citizenship; passport number (conditional); passport country (conditional). • Applicant Biometric data: fingerprint binary capture date; fingerprint binary format ID; and fingerprint binary base 64 object. The applicant’s employer must submit a letter of intent to CBP. The letter of intent does not have a standard format and varies from port to port. The below information is a sample of what is provided from the employer of the eBadge applicant in the letter of intent.32 32 19 CFR 122.182, Customs Duties; Part 122. Air Commerce Regulations, Subpart S. Access to Customs Security Areas, available at: https://www.ecfr.gov/cgibin/retrieveECFR?gp=1&SID=17a4277dd9c6449feb252c542701bd87&ty=HTML&h=L&mc=true&r=PART&n=pt 19.1.122. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 13 • Name of applicant requiring access to CBP security area (first, last); • Proof of applicant citizenship, if interviewed (i.e., a passport or other form of photo ID); • Applicant email address; • Applicant job title; • Position description; • First time applicant, and new SIDA badge number (if applicable); • Renewal applicant, current SIDA badge number, and SIDA badge expiration date (if applicable); • Access level requested (zone 1 or zone 2); • Bond number; • Employer printed name and signature; and • Employer contact information (email address, phone number); Information collected from the eBadge applicant on the CBP Form 3078 and entered into TWP: o Type of Activity Requiring an ID Card; o Date of this application; o Name (last, first, middle); o Social Security number (SSN); o Other names the individual has been known by (nicknames, aliases, etc.); o Date of birth; o Home address (number, street, city, state, and zip code); o Name and address of present employer; o Phone number (applicant); o Business phone number (applicant); o Place of birth (city, county, state, country); o Height; o Weight; Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 14 o Color hair; o Color eyes; o Visible scars or marks; o Photograph of applicant (voluntary, and attached to form);33 o Whether the individual has ever applied for a U.S. Coast Guard or Merchant Marine card (Y/N); o Has application for a U.S Coast Guard or Merchant Marine card been denied (Y/N); o Explanation of application denial (if applicable); o U.S. Coast Guard or U.S. Merchant Marine Card Number (if applicable); o List all residences during the last 5 years (dates, number and street, city, state); o Previous U.S. Military Service (if applicable); o Branch of Service (if applicable); o Military Service Serial Number (if applicable); o Type of Military Discharge (if applicable); o If discharge was other than honorable, explain in full detail (if applicable); o Whether the individual has ever applied for an identification card with U.S. Customs and Border Protection; o Previous employment, list over last 10 years (dates, employer name and address, occupation); o Whether the individual has ever been convicted of any crime or offense (Y/N); o If yes, explain all convictions (date, place, charge, court, final disposition); and o Whether the individual uses or has ever used narcotic drugs (Y/N). Information collected from candidates for Bonded Worker and entered into TWP: 33 • Employment location; • The applicant must complete the CBP Form 3078 (entered manually into TWP by CBP). The CBP Form 3078 data elements listed in the eBadge section also apply to the bonded worker program. The photo is not electronically entered into TWP; the form itself is scanned and uploaded into TWP. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 15 Additionally, the port director may require an individual applicant to submit fingerprints on form FD 258 or electronically at the time of filing the application, or in the case of applications from a business entity, the port director may require the fingerprints on form FD 258 or electronically of all employees of the business entity. Information collected from candidates for a Broker’s License: The applicant must complete the CBP Form 3124 (entered manually into TWP by CBP). The CBP Form 3124 data elements are listed below: • Name (and other names used); • Date of birth; • SSN; • Type of license applied for; • CBP Port; • Whether the individual has ever applied for a customs broker’s license; • License suspension/revocation information (if applicable); • Whether the applicant is an officer or employee of the United States; • Place of birth; • U.S. Citizenship status (i.e., natural-born or naturalized); • Date and place of naturalization (if applicable); • Home phone number; • Business phone number; • Home address; • List of criminal convictions or offenses; • Bankruptcy, tax lien, debt legal judgement status; • Name, addresses, and phone number of references (applicant must list 6); and • Name, addresses, dates of birth, place of birth of all Corporate Officers or Principals (if applicable). Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 16 2.2 What are the sources of the information and how is the information collected for the project? Individuals applying to the eBadge and Bonded Worker programs complete the CBP Form 3078 and submit it to CBP. The applicant’s employer can also complete the form on behalf of the applicant. Individuals applying to the Broker’s License program complete the CBP Form 3214 and submit the form to CBP. The applicant, or employer of the applicant, can be complete the CBP Form 3214. The applicant’s employer can potentially complete the form on behalf of the applicant. Additionally, applicants applying to the eBadge program must first apply to the TSA SIDA badge process and submit the following fingerprint information to TSA: fingerprint binary capture date; fingerprint binary format ID; and fingerprint binary base 64 object. The TSA Transportation Vetting System (TVS) transmits the fingerprint data to CBP’s TWP via a web-service interface. The fingerprint information is received by TWP and transmitted to ATS. 2.3 Does the project use information from commercial sources or publicly available data? If so, explain why and how this information is used. This system does not use commercial sources or publicly available information. 2.4 Discuss how accuracy of the data is ensured. CBP uses the ATS UPAX system to vet Trusted Worker program applicants and determine if applicants match to any derogatory information. If there is a discrepancy or if CBP has reason to believe an application is incomplete or inaccurate, CBP may require the Trusted Worker program applicant to participate in a personal interview where a CBP Officer can verify the information provided and the applicant can clarify any inaccuracies. 2.5 Privacy Impact Analysis: Related to Characterization of the Information Privacy Risk: There is a risk that, due to the need to manually enter information from CBP Form 3078 and CBP Form 3124, inaccurate data could be entered into TWP by the CBPO, which may result in an erroneous decision to approve or disapprove enrollment in a particular program. Mitigation: There is always a risk of a typographical error when an individual manually enters information into a system. If there are any doubts concerning whether the individual applying for the Trusted Worker program is the same individual of record in a law enforcement database, or if that database record raised accuracy concerns, CBP may conduct a personal interview and use the application data to verify the information. CBP offers the applicant an Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 17 opportunity to reapply and clarify potential inaccuracy. In addition to reapplying, eBadge applicants can appeal CBP's denial or revocation and may note that they believe CBP is using incorrect information. Privacy Risk: There is a risk that the letter of interest submitted from the employer, on behalf of the employee, may contain inaccurate information about the employee requesting access to a trusted worker program (eBadge, Bonded Worker, and Brokers License). The inaccurate information may result in an erroneous decision to approve or disapprove enrollment of the applicant in a particular program. Mitigation: There is always a risk of error when employers create the letter of interest. If there are any doubts concerning whether the individual in the letter of interest is the same individual of record in a law enforcement database, or if that database record raised accuracy concerns, CBP may conduct a personal interview and use the application data to verify the information. CBP offers the applicant an opportunity to reapply and clarify potential inaccuracy. Section 3.0 Uses of the Information 3.1 Describe how and why the project uses the information. CBP collects voluntary information from applicants in order to assess their eligibility for enrollment in the eBadge, Bonded Worker, or Broker’s License programs supported by TWP. CBP vets these individuals to ensure they either meet or remain eligible for program participation. CBP conducts recurrent vetting on program applicants and enrollees to ensure that they do not pose threats to law enforcement or national security. The recurrent vetting in TWP determines the applicant’s eligibility and grants them continued access to CBP-controlled areas. For Broker’s License, Form 3124, the principal purpose for collecting the information is to enable CBP to conduct a background investigation on the applicant and thereby determine whether the applicant meets the criteria established for the issuance of a Customs broker's license. A broker’s license is necessary for an individual to engage in “customs business.” CBP uses the SSN as an identifier when conducting a background investigation, and as an identifier throughout the career of the Customs broker. For eBadge and Bonded Worker, Form 3078, the principal purpose for collecting the information is to enable CBP to conduct a background investigation and thereby determine whether the applicant meets the criteria for issuance of an identification card allowing him or her access to work in an FIS. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 18 3.2 Does the project use technology to conduct electronic searches, queries, or analyses in an electronic database to discover or locate a predictive pattern or an anomaly? If so, state how DHS plans to use such results. The TWP system does not conduct data mining. However, CBP may conduct data mining on information CBP submits to ATS UPAX as explained in the ATS PIA.34 3.3 Are there other components with assigned roles and responsibilities within the system? CBP is creating a link between TSA’s Transportation Vetting System and TWP that allows TSA to transfer eBadge applications to CBP. TSA will not have any access to TWP other than to push eligible applications into TWP from TVS. 3.4 Privacy Impact Analysis: Related to the Uses of Information Privacy Risk: There is a risk that information used to enroll individuals in trusted worker programs will be used for a purpose inconsistent with the original collection. Mitigation: All system users are trained to use information strictly for determining program eligibility. Access to TWP is granted to users by a limited number of system administrators and access level varies based on a need to know and the user’s role. Users are also required to take annual privacy training to ensure that they know and understand the importance of managing sensitive PII. Section 4.0 Notice 4.1 How does the project provide individuals notice prior to the collection of information? If notice is not provided, explain why not. CBP is providing notice of a new privacy sensitive system by publishing this PIA. In addition, DHS/CBP-010 Persons Engaged in International Trade in Customs and Border Protection Licensed/Regulated Activities35 and DHS/CBP-006 Automated Targeting System36 discuss the information collected as part of the Trusted Worker program and provide notice. 34 See DHS/CBP/PIA-006 Automated Targeting System, available at: www.dhs.gov/privacy. DHS/CBP-010 Persons Engaged in International Trade in Customs and Border Protection Licensed/Regulated Activities System of Records Notice, 73 FR 77753 (December 19, 2008). 36 DHS/CBP-006 Automated Targeting System, 77 FR 30297 (May 22, 2012). 35 Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 19 Additionally, CBP provides a Privacy Act Statement on the CBP Form 3078 and CBP Form 3124. 4.2 What opportunities are available for individuals to consent to uses, decline to provide information, or opt out of the project? CBP does not require anyone to participate in the programs. Consent is implied when an applicant applies to a Trusted Worker program. Applicants must certify that they understand any information they provide, including any supporting documentation, biometric data, and statements made during interviews, may be shared among law enforcement and other government agencies as necessary to conduct a background investigation. TWP uses data collected only for the purpose defined, including border and immigration management, national security, and law enforcement. Once enrolled, individuals have no opportunity to “opt out” of the use of their data for any of these stated purposes. 4.3 Privacy Impact Analysis: Related to Notice Privacy Risk: There is a risk that applicants and enrollees may not know how CBP may use the information they submitted to TWP. Mitigation: CBP mitigates this risk by providing Privacy Act Statements stating the purpose for the data collection on the CBP Form 3078 and CBP Form 3124, provided to applicants for the Bonded Worker and Broker’s License programs. CBP also mitigates the risk by publishing this PIA, the DHS/CBP-010 SORN, and the DHS/CBP-006 SORN. Privacy Risk: There is a risk that an employer, submitting an application on behalf of an applicant, may not provide the applicant notice of how CBP intends to use the information submitted into TWP. Mitigation: This risk is partially mitigated through publishing this PIA, the DHS/CBP010 SORN, and the DHS/CBP-006 SORN. Additionally, because CBP access is needed to do their job employees have constructive notice that CBP has approved of their access by reviewing information about them. Privacy Risk: There is a risk that the references whose names, addresses, and telephone numbers are submitted on CBP Form 3124 by the applicant may not be provided notice of collection and use of their information. Mitigation: This risk is partially mitigated through publishing this PIA. Additionally, some applicant references are contacted by CBP, and upon contact, are notified that their information was provided by the applicant on CBP Form 3124 and entered into TWP and will only be used to perform a character check on the applicant. Other references may never be Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 20 contacted, but reference information will not be put into any other system and being a reference will have no impact on CBP vetting of the reference if they travel or apply for a benefit. Section 5.0 Data Retention by the project 5.1 Explain how long and for what reason the information is retained. CBP is proposing that all TWP data be retained for six years after an individual’s membership is no longer active, whether due to expiration without renewal at the end of five years, abandonment, or CBP termination. Data is not deleted immediately after membership becomes inactive so that CBP can more easily vet an individual who chooses to reapply, as well as to provide a record for redress purposes. The historical record can also be useful for other vetting purposes when an individual has been found ineligible for a TW program. For eBadge, each approved CBP Seal will remain valid for 2 years from January 1, 2002, in the case of a CBP Seal issued prior to the date, and for 2 years from the date of issuance in all other cases. Retention of an approved CBP Seal beyond the applicable 2-year period will be subject to the reapplication provisions of paragraph (c)(2) of 19 CFR 122.182.37 For Broker’s License, each broker must file a written status report with CBP every three years, starting from 1985. The next triennial status report will be due in 2021.38 The report must be accompanied by the fee prescribed in 19 CFR 111.96(d) and must be addressed to the director of the port through which the license was delivered to the licensee (see 19 CFR 111.15).39 A report received during the month of February will be considered filed timely. No form or particular format is required. Additionally, fingerprints captured for the eBadge, Bonded Worker, and Brokers License programs are retained in IDENT. NARA approved records retention schedule for the IDENT system requires OBIM to maintain IDENT records in custody for 75 years or when no longer needed for legal or business purposes, whichever is later (N1-563-08-34). DHS is re-evaluating the current retention period to determine whether a new retention period or combination of retention periods is appropriate. DHS will publish a PIA update for any change in the retention period. 37 19 CFR 122.182, Customs Duties; Part 122. Air Commerce Regulations, Subpart S. Access to Customs Security Areas. 38 19 CFR 111.30 (d)(1), Customs Brokers; Subpart C. Duties and Responsibilities of Customs Brokers. 39 19 CFR 111.96 (b)(1), Customs Brokers; Subpart E. Monetary Penalty and Payment of Fees. 19 CFR 111.15, Customs Brokers; Issuance of License. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 21 5.2 Privacy Impact Analysis: Related to Retention Privacy Risk: There is a risk CBP will retain information about trusted worker program applicants for longer than necessary. Mitigation: This risk is mitigated. Approved applications are stored for the duration of the individual’s membership in the program and then for six additional years. Bonded Worker membership expires after five years. For eBadge, approved CBP Seals remain valid for 2 years. For Broker’s License, each broker must file a written status report with CBP every three years. CBP stores information for longer than expiration dates in order to more easily vet individuals who reapply. A denied application is stored for 6 years. If CBP revokes a credential prior to expiration then the records are stored for 6 years after revocation. The same is true for credentials that are abandoned before membership expires, in which case TWP retains the information for 6 years after abandonment date. If information provided by applicants is linked to a law enforcement record CBP will maintain that information in ATS UPAX for 75 years. Section 6.0 Information Sharing 6.1 Is information shared outside of DHS as part of the normal agency operations? If so, identify the organization(s) and how the information is accessed and how it is to be used. CBP may share information related to an eBadge applicant with the applicant’s employer. CBP may share eBadge information for airport workers with airport authorities through commercial service providers as part of the background checks process. CBP does not share bonded worker or broker’s license program information outside of DHS. CBP does not share TWP information with any non-DHS agencies. 6.2 Describe how the external sharing noted in 6.1 is compatible with the SORN noted in 1.2. Sharing of information with employers and airport authorities is done pursuant to Routine Use J of DHS/CBP-010 Persons Engaged in International Trade in Customs and Border Protection Licensed/Regulated Activities, which permits the sharing of information to third parties during the course of a background check in order to obtain pertinent information about the applicant. CBP does not share bonded worker or broker’s license program information outside of DHS. 6.3 Does the project place limitations on re-dissemination? CBP does not permit re-dissemination of information shared out of TWP. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 22 6.4 Describe how the project maintains a record of any disclosures outside of the Department. CBP employees are required to complete DHS Form 191 for all information disclosures out of TWP. 6.5 Privacy Impact Analysis: Related to Information Sharing Privacy Risk: There is a risk that information shared with employers and the airport authority will be disseminated further. Mitigation: This risk is partially mitigated. CBP uses a disclosure letter to inform employers and airport authorities that the information they receive may not be further disseminated. Section 7.0 Redress 7.1 What are the procedures that allow individuals to access their information? To gain access to TWP information, an enrollee may request information about his or her records contained in TWP through procedures provided by the Freedom of Information Act (FOIA) (5 U.S.C. § 552) and the access provisions of the Privacy Act of 1974 (5 U.S.C. § 552a(d)) by writing to: CBP FOIA Headquarters Office U.S. Customs and Border Protection FOIA Division 90 K Street NE, 9th Floor Washington, DC 20002 Fax Number: (202) 325-0230 When seeking records from TWP or any other CBP system of records, the request must conform to Part 5, Title 6 of the Code of Federal Regulations. An individual must provide his or her full name, current address, and date and place of birth. He or she must also provide: • An explanation of why the individual believes DHS would have information on him or her; • Details outlining when her or she believes the records would have been created; Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 23 • And if the request is seeking records pertaining to another living individual, it must include a statement from that individual certifying his/her agreement for access to his/her records. The request must include a notarized signature or be submitted pursuant to 28 U.S.C. § 1746, which permits statements to be made under penalty of perjury as a substitute for notarization. Without this information, CBP may not be able to conduct and effective search and the request may be denied due to lack of specificity or lack of compliance with applicable regulations. Although CBP does not require a specific form, guidance for filing a request for information is available on the DHS website at http://www.dhs.gov/file-privacy-act-request and at http://www.dhs.gov/file-foia-overview. 7.2 What procedures are in place to allow the subject individual to correct inaccurate or erroneous information? Individuals wishing to correct inaccurate information may submit a Privacy Act Amendment request through the same access process explained above. 7.3 How does the project notify individuals about the procedures for correcting their information? CBP sends a denial letter to denied applicants that explains the redress process and how applicants can request a record change. CBP provides notice to the individual on how to correct his or her information in this PIA, the DHS/CBP-010 SORN, and the DHS/CBP-006 SORN. eBadge and Bonded Worker applicants submitting the CBP Form 3078, or Broker’s License applicants submitting the CBP Form 3124, must certify the information is accurate and provide a signature and date. On the CBP Form 3078, a signature and date of either the individual (applicant) or association, corporation, or partnership are required in question 35. On the CBP Form 3124, a signature and date are required in section 3. 7.4 Privacy Impact Analysis: Related to Redress Privacy Risk: There is a risk that individuals may not know that their denial was based upon erroneous information. Mitigation: The risk is mitigated by the denial letter that lists the name and address of the applicant and a clear and concise statement of why the application was denied. For example, if the denial is due to criminal conviction or arrest, the type of offense, year, and state in which the incident occurred will be revealed. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 24 Section 8.0 Auditing and Accountability 8.1 How does the project ensure that the information is used in accordance with stated practices in this PIA? TWP is protected through a multi-layer security approach. The protective strategies are physical, technical, administrative, and environmental in nature and provide access control to sensitive data, physical access control to DHS facilities, confidentiality of communications, authentication of sending parties, and personnel screening to ensure all personnel with access to data are screened through background investigations commensurate with the level of access required to perform their duties. All TWP access and activities are monitored by security and application logs, and regular audits are conducted according to the CBP audit and accountability policy and procedures as stated in the CBP Information Systems Security Policy and Procedures Handbook to ensure compliance. CBP employees found to have engaged in unauthorized access to CBP systems are subject to disciplinary action that could result in criminal penalties or dismissal. The user base for TWP is CBPOs trained in the input of biographic information from travelers, the correct capture and storage of their biometric information, and in traveler vetting processes. They will access the system through CBP-standard workstations, with appropriate peripheral equipment, and the operation of the system will take place solely within CBP controlled space at designated Ports of Entry and the CBP Risk Assessment Center. 8.2 Describe what privacy training is provided to users either generally or specifically relevant to the project. All CBP personnel with access to TWP must complete the DHS Security Awareness Training Course, which includes privacy training. Additionally, all CBP users must keep their TECS access up to date, which requires completion of the TECS Privacy Awareness (TPA) course every two years. 8.3 What procedures are in place to determine which users may access the information and how does the project determine who has access? All users are assigned a role in TWP. There are basic user roles (e.g., CBPO, Technician), supervisory user roles (e.g., supervisor and risk assessor supervisor) and support roles for Office of Field Operations HQ, such as for running reports. The privileged user roles are the supervisory roles. These roles have the ability to create the basic user roles for CBPOs at the POE. Privacy Impact Assessment CBP/PIA-062 Trusted Worker Program System (TWP) Page 25 8.4 How does the project review and approve information sharing agreements, MOUs, new uses of the information, new access to the system by organizations within DHS and outside? All business requirements, Memoranda of Understanding, and Information Sharing Agreements are reviewed by the respective CBP program manager within the CBP Office of Field Operations, in consultation with the Office of Information Technology. Agreements involving PII are also generally approved by the CBP Privacy Officer, the Office of Chief Counsel, and DHS in accordance with procedures developed by the DHS Information Sharing Governance Board. Responsible Officials John A. Maulella Director Traveler Entry Programs Admissibility and Passenger Programs Office of Field Operations U.S. Customs and Border Protection Department of Homeland Security (202) 344-2605 Debra L. Danisek CBP Privacy Officer Office of Privacy and Diversity U.S. Customs and Border Protection Department of Homeland Security (202) 344-1610 Approval Signature [Original signed and on file with the DHS Privacy Office] Jonathan R. Cantor Acting Chief Privacy Officer Department of Homeland Security