Protecting Privacy and Other Legal Rights in the Sharing of Information

Protecting the rights of Americans is a core facet of our information sharing efforts. While we must zealously protect our Nation from the real and continuing threat of terrorist attacks, we must just as zealously protect the information privacy rights and other legal rights of Americans. With proper planning we can have both enhanced privacy protections and increased information sharing - and in fact, we must achieve this balance at all levels of government, in order to maintain the trust of the American people. The President reaffirmed this in his December 16, 2005, Memorandum to the Heads of Executive Departments and Agencies.

At the direction of the President, the Attorney General and the Director of National Intelligence developed a set of Privacy Guidelines to ensure the information privacy and other legal rights of Americans are protected in the development and use of the ISE. The Privacy Guidelines provide a consistent framework for identifying information that is subject to privacy protection, assessing applicable privacy rules, implementing appropriate protections, and ensuring compliance. An array of laws, directives, and policies provide substantive privacy protections for personally identifiable information. The parameters of those protections vary depending on the rules that apply to particular agencies and the information they are proposing to share. As described below, however, the Guidelines demand more than mere compliance with the laws; they require executive departments and agencies to take pro-active and explicit actions to ensure the balance between information privacy and security is maintained, as called for by the National Commission on Terrorist Attacks Upon the United States. The full text of the ISE Privacy Guidelines can be found at www.ise.gov.

The Privacy Guidelines build on a set of core principles that Federal departments and agencies must follow. Those principles require specific, uniform action and reflect basic privacy protections and best practices. Agencies must:

• Share protected information only to the extent it is terrorism information, homeland security information, or law enforcement information related to terrorism;

• Identify and review the protected information to be shared within the ISE;

• Enable ISE participants to determine the nature of the protected information to be shared and its legal restrictions (e.g., this record contains individually identifiable information about a U.S. citizen.);

• Assess, document, and comply with all applicable laws and policies;

• Establish data accuracy, quality, and retention procedures;

• Deploy adequate security measures to safeguard protected information;

• Implement adequate accountability, enforcement, and audit mechanisms to verify compliance;

• Establish a redress process consistent with legal authorities and mission requirements;

• Implement the guidelines through appropriate changes to business processes and systems, training, and technology;

• Make the public aware of the agency's policies and procedures as appropriate;

• Ensure agencies disclose protected information to non-Federal entities - including State, local, tribal, and foreign governments - only if the non-Federal entities provide comparable protections; and

• State, local, and tribal governments are required to designate a senior official account able for implementation.

Successful implementation of the Privacy Guidelines requires a governance structure to monitor compliance and to revise the Guidelines as we gain more experience. The President, therefore, directed the Program Manager to establish the ISE Privacy Guidelines Committee. The Committee is chaired by representatives of the Attorney General and the Director of National Intelligence, and consists of the Privacy Officials of the departments and agencies of the Information Sharing Council. The Committee seeks to ensure consistency and standardization, as well as serve as a forum to share best practices and resolve agency concerns.