Communications Daily is a service of Warren Communications News.

CBP Says C-TPAT Privacy Actions Designed to Guarantee, Not Decrease, Privacy

Neither a System of Records Notice (SORN) nor a notice of proposed rulemaking (NPRM) on exempting certain information collected through the Customs-Trade Partnership Against Terrorism (C-TPAT) from the Privacy Act is a burden on the public, CBP said in a FAQ publication on the Act.

Instead, "a SORN describes actions incumbent on the government to protect information in the system of records and provides information to assist an individual in accessing his or her records," CBP said: "CBP, as a matter of long standing policy, affords the same protections to business confidential information maintained in a SORN as it does to the PII [personally identifiable information] stored there."

Industry officials had expressed some concerns about the Privacy Act actions since the Department of Homeland Security issued an NPRM to implement the act (see ITT's Online Archives 13031225). DHS was seeking to exempt information learned through the C-TPAT process that relates to official DHS national security, law enforcement, and intelligence activities, the notice said.

Among other things, the CBP FAQ said:

  • A SORN is required anytime the government collects and maintains PII about U.S. citizens and lawful permanent residents. A SORN is a standardized federal register notice that provides the legal Who (Categories of Individuals), What (Categories of Records), How (Record Source Categories), When (Retention and Disposal), Where (System Location) and Why (Purposes) of a collection of records about individuals.
  • A Privacy Act NPRM gives the public an opportunity to comment on the proposed exemptions to the Privacy Act for a given system of records. Similar to provisions in the Freedom of Information Act, exemptions are typically asserted to protect law enforcement sensitive information so that an individual may not frustrate legitimate law enforcement activities.
  • A Privacy Act NPRM is required whenever the government intends to exempt itself from certain provisions of the Privacy Act, including provisions permitting an individual to access or amend records about himself or herself. The Privacy Act requires the government to publish a list of all exempt systems and their exemptions in an agency's Privacy Act regulations.
  • The NPRM and Final Rule don't give the government the authority to share the data in the system of records, but they do allow the government to withhold the fact that your information was shared for law enforcement purposes from you. DHS is seeking to withhold the fact that a law enforcement agency has sought or received particular records, because it may affect an ongoing law enforcement activity.
  • A Privacy Impact Assessment is a decision-making tool to identify and mitigate privacy risks in a program or system. It helps the public understand what PII the government is collecting, why it is being collected, and how it will be used, shared, accessed, and stored. Because the PIA is a more narrative document than the SORN, it explores the program or system in greater detail. PIAs are required whenever the government develops or procures information technology that collects, maintains, or disseminates PII about members of the public.

CBP noted that "several" concerns have been raised about the publication of the C-TPAT SORNs, NPRMs and PIAs. CBP said it published the SORN, NPRM, and PIA to ensure that the personally identifiable information in C-TPAT "is properly safeguarded and complies with all applicable privacy laws and policy." It said the SORN, NPRMs and PIAs do not fundamentally change the C-TPAT program.

"Businesses that participate in C-TPAT will not experience any changes as a result of the publication of these documents or the subsequent Final Rule," CBP said. "These documents and the rulemaking process are used to reaffirm and provide notice to the public that PII associated with C-TPAT businesses is protected under the Privacy Act of 1974 and will not be improperly collected, used, or disseminated."

It said C-TPAT information for businesses and individuals is "still protected to the same degree as before the publication of these documents. C-TPAT information concerning businesses is still protected under the Trade Secrets Act. The publication of the SORN, Privacy Act NPRM, and PIA are to ensure that information about individuals is protected under the Privacy Act as well."

The SORN does list a series of Routine Uses, which permit the official sharing of individual PII and business information without consent. "These Routine Uses provide the outermost boundaries of information sharing, and define for the public the existing restrictions on sharing C-TPAT information," CBP said. It said information may not be shared from C-TPAT outside of DHS unless (1) consent is provided to the sharing, (2) a statutory requirement compels the sharing, or (3) the sharing conforms to one of the listed Routine Uses and the receiving party has an official need to know the specific information being sought.

Many of the Routine Uses follow statutory requirements pertaining to the Bureau of the Census, for statistical research, to the National Archives, pursuant to a law enforcement request, to protect the health or safety of an individual, pursuant to a request from Congress, to the General Accounting Office for audit purposes, pursuant to a court order, and pursuant to the Debt Collection Act, the FAQ said.

As to sharing of information with the media, the language is specifically limited to those situations where it "is necessary to preserve confidence in the integrity of DHS or is necessary to demonstrate the accountability of DHS's officers, employees, or individuals covered by the system, except to the extent it is determined that release of the specific information in the context of a particular case would constitute an unwarranted invasion of personal privacy," CBP said.