DHS R&D arm gets new privacy guidelines
The primary research and development arm of the Department of Homeland Security will operate under a fresh set of privacy principles for research projects, as per a report delivered to Congress this month.
DHS presented Congress with its "Data Mining: Technology and Policy" summation in December, explaining how it handles the sensitive aspects of data mining. The main body of the report covered progress or lack of it for the Automated Targeting System (ATS), best known as the group that gifted America with the no-fly list; the Data Analysis and Research for Trade Transparency System, which looks into money laundering and the like; and the Freight Assessment System (FAS), TSA's watch-the-ports endeavor.
Findings from a July conference on privacy protections for government data-mining endeavors were also included.
The new principles for the DHS Science and Technology (S&T) Directorate, though brief and included at the end of the 47-page report (PDF available here), are instructive. S&T works not only with DHS's privacy officials but with other agencies and the private sector.
After the July conference, S&T and the DHS Privacy Office began hammering out principles of good privacy practices. Those have evolved into "Principles for Implementing Privacy Protections in S&T Research," to be followed by S&T and its various partners and contractors. There are ten principles, in addition to those followed by DHS at large.
The new principles build privacy earlier into the process of DHS research efforts, and look to address "mission creep" by working to keep projects' research activities within the scope of each project's articulated purpose. Other principles echo generally well-regarded privacy policies: use only data considered accurate and appropriate to a project's purpose; use as little personally identifiable information as possible; and secure the data and audit the security procedures.
Hoping perhaps to improve public perceptions of DHS's trustworthiness with sensitive data, the new principles also make initial provision for redress for individuals who believe an S&T program has harmed their privacy. The redress program, which remains to be developed, would provide a forum for raising concerns and perhaps even relief when warranted (or possible).
The prospect of building privacy protection into the research process should prove interesting for those in the privacy community who have followed DHS's checkered data-mining career. The Homeland Security Act of 2002 gave DHS the explicit go-ahead to mine data for its purposes.
Since then, the Department has repeatedly found itself managing public-relations disasters as snafus in its data-mining stylings came to light -- Total Information Awareness (TIA), the CAPPS II passenger-screening project, MATRIX (Multi-state Anti-Terrorism Information Exchange), and the disastrous attempts to build the no-fly list from data sources such as credit bureaus and airline manifests, to name but a few.