[Federal Register Volume 79, Number 1 (Thursday, January 2, 2014)]
[Rules and Regulations]
[Pages 2-5]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-31183]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

6 CFR Part 5

[Docket No. DHS-2013-0041]


Privacy Act of 1974: Implementation of Exemptions; Department of 
Homeland Security Transportation Security Administration, DHS/TSA-021, 
TSA Pre[check]TM Application Program System of Records

AGENCY: Department of Homeland Security.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Homeland Security is issuing a final rule to 
amend its regulations to exempt portions of a newly established system 
of records titled, ``Department of Homeland Security/Transportation 
Security Administration-021, TSA Pre[check]TM Application 
Program System of Records,'' from one or more provisions of the Privacy 
Act because of criminal, civil, and administrative enforcement 
requirements.

DATES: Effective January 2, 2014.

FOR FURTHER INFORMATION CONTACT: For general questions please contact: 
Peter Pietra, TSA Privacy Officer, TSA-036, 601 South 12th Street, 
Arlington, VA 20598-6036; or email at TSAprivacy@dhs.gov. For privacy 
questions, please contact: Karen L. Neuman, (202) 343-1717, Chief 
Privacy Officer, Privacy Office, Department of Homeland Security, 
Washington, DC 20528.

SUPPLEMENTARY INFORMATION:

Background

    The Department of Homeland Security (DHS)/Transportation Security 
Administration (TSA) published a Notice of Proposed Rulemaking (NPRM) 
in the Federal Register, 78 FR 55657 (Sept. 11, 2013), proposing to 
exempt portions of the newly established ``DHS/TSA-021, TSA 
Pre[check]TM Application Program System of Records'' from 
one or more provisions of the Privacy Act

[[Page 3]]

because of criminal, civil, and administrative enforcement 
requirements. The DHS/TSA-021 TSA Pre[check]TM Application 
Program System of Records Notice (SORN) was published in the Federal 
Register, 78 FR 55274 (Sept. 10, 2013), and comments were invited on 
both the NPRM and SORN.

Public Comments

    DHS received 12 comments on the NPRM and five comments on the SORN.

NPRM

    Several comments exceeded the scope of the exemption rulemaking and 
chose instead to comment on TSA security measures. DHS/TSA will not 
respond to those comments.
    DHS/TSA received a few comments that objected to the proposal to 
claim any exemptions from the Privacy Act for the release of 
information collected pursuant to the SORN. As stated in the NPRM, no 
exemption will be asserted regarding information in the system that is 
submitted by a person if that person, or his or her agent, seeks access 
to or amendment of such information. However, this system may contain 
records or information created or recompiled from information contained 
in other systems of records that are exempt from certain provisions of 
the Privacy Act, such as law enforcement or national security 
investigation or encounter records, or terrorist screening records. 
Disclosure of these records from other systems, as noted in the NPRM, 
could compromise investigatory material compiled for law enforcement or 
national security purposes. DHS will examine each request on a case-by-
case basis and, after conferring with the appropriate component or 
agency, may waive applicable exemptions in appropriate circumstances 
and when it would not appear to interfere with or adversely affect the 
investigatory purposes of the systems from which the information is 
recompiled or in which it is contained.\1\
---------------------------------------------------------------------------

    \1\ The TSA Pre[check]TM Application Program performs 
checks that are very similar to those performed for populations such 
as TSA Transportation Worker Identification Credential (TWIC) and 
Hazardous Material Endorsement (HME) programs. Accordingly, TSA 
proposed most of the same Privacy Act exemptions for the TSA 
Pre[check]TM Application Program that are claimed for the 
applicable System of Records Notice for the TWIC and HME programs. 
The Privacy Act exemptions claimed from the Transportation Security 
Threat Assessment System of Records strike the right balance of 
permitting TWIC and HME applicants to correct errors or incomplete 
information in other systems of records that may affect their 
ability to receive one of these credentials, while also protecting 
sensitive law enforcement or national security information that may 
be included in other systems of records.
---------------------------------------------------------------------------

    DHS/TSA received one comment from a private individual recommending 
that foreign service employees and their families be automatically 
included this program. The comment misapprehends the program for which 
the NPRM was published. The NPRM was published in association with the 
SORN for the TSA Pre[check]TM Application program, which is 
designed to allow individuals to apply to be included in the program. 
Separately, DHS/TSA continues to evaluate populations that may 
otherwise be eligible for TSA Pre[check]TM screening.
    DHS/TSA received one comment from a private individual concerned 
that exemptions under the Privacy Act would allow TSA to engage in 
discriminatory conduct based on race and appearance, and that an 
individual whose application is denied would have limited recourse 
because TSA would not provide enough information. The security threat 
assessment involves recurrent checks against law enforcement, 
immigration, and intelligence databases. TSA does not make decisions 
regarding eligibility for the TSA Pre[check]TM Application 
Program based on race or appearance. Eligibility for the TSA 
Pre[check]TM Application Program is within the sole 
discretion of TSA, which will notify individuals who are denied 
eligibility in writing of the reasons for the denial. If initially 
deemed ineligible, applicants will have an opportunity to correct cases 
of misidentification or inaccurate criminal or immigration records. 
Individuals whom TSA determines are ineligible for the TSA 
Pre[check]TM Application Program will continue to be 
screened at airport security checkpoints according to TSA standard 
screening protocols.
    DHS/TSA received one comment from a public interest research center 
that asserting Privacy Act exemptions contravenes the intent of the 
Privacy Act. DHS does not agree that asserting exemptions provided 
within the Privacy Act contravenes the Privacy Act. As reflected in the 
OMB Privacy Act Implementation Guidelines, ``the drafters of the Act 
recognized that application of all the requirements of the Act to 
certain categories of records would have had undesirable and often 
unacceptable effects upon agencies in the conduct of necessary public 
business.'' 40 FR 28948, 28971 (July 9, 1975).
    The same commenter recognized the need to withhold information 
pursuant to Privacy Act exemptions during the period of the 
investigation, but also stated that individuals should be able to 
receive such information after an investigation is completed or made 
public, with appropriate redactions to protect the identities of 
witnesses and informants. This commenter stated that such post-
investigation disclosures would provide individuals with the ability to 
address potential inaccuracies in these records, and noted that the TSA 
Pre[check]TM Application Program will provide applicants an 
opportunity to correct inaccurate or incomplete criminal records or 
immigration records.
    As stated above, DHS will consider requests on a case-by-case 
basis, and in certain instances may waive applicable exemptions and 
release material that otherwise would be withheld. However, certain 
information gathered in the course of law enforcement or national 
security investigations or encounters, and created or recompiled from 
information contained in other exempt systems of records, will continue 
to be exempted from disclosure. Some of these records would reveal 
investigative techniques, sensitive security information, and 
classified information, or permit the subjects of investigations to 
interfere with related investigations. Continuing to exempt these 
sensitive records from disclosure is consistent with the intent and 
spirit of the Privacy Act. This information contained in a document 
qualifying for exemption does not lose its exempt status when 
recompiled in another record if the purposes underlying the exemption 
of the original document pertain to the recompilation as well.
    While access under the Privacy Act may be withheld under an 
appropriate exemption, the DHS Traveler Redress Inquiry Program (DHS 
TRIP) is a single point of contact for individuals who have inquiries 
or seek resolution regarding difficulties they experienced during their 
travel screening at transportation hubs, and has been used by 
individuals whose names are the same or similar to those of individuals 
on watch lists. See http://www.dhs.gov/dhs-trip.

SORN

    DHS/TSA received five comments on the SORN. One commenter asked if 
TSA Pre[check]TM Application Program applicants would be 
advised as to the reasons for a denial of that application. As 
explained in the SORN and NPRM, TSA will notify applicants who are 
denied eligibility in writing of the reasons for the denial. If 
initially deemed ineligible, applicants will have an opportunity to 
correct cases of misidentification or inaccurate criminal or 
immigration records.
    Consistent with 28 CFR 50.12 in cases involving criminal records, 
and before making a final eligibility decision, TSA will advise the 
applicant that the FBI

[[Page 4]]

criminal record discloses information that would disqualify him or her 
from the TSA [check]TM Application Program. Within 30 days 
after being advised that the criminal record received from the FBI 
discloses a disqualifying criminal offense, the applicant must notify 
TSA in writing of his or her intent to correct any information he or 
she believes to be inaccurate. The applicant must provide a certified 
revised record, or the appropriate court must forward a certified true 
copy of the information, prior to TSA approving eligibility of the 
applicant for the TSA [check]TM Application Program. With 
respect to immigration records, within 30 days after being advised that 
the immigration records indicate that the applicant is ineligible for 
the TSA Pre[check]TM Application Program, the applicant must 
notify TSA in writing of his or her intent to correct any information 
believed to be inaccurate. TSA will review any information submitted 
and make a final decision. If neither notification nor a corrected 
record is received by TSA, TSA may make a final determination to deny 
eligibility.
    One advocacy group stated that records of travel itineraries should 
be expunged because, as the commenter claimed, they are records of how 
individuals exercise their First Amendment rights. The TSA 
Pre[check]TM Application Program neither requests nor 
maintains applicant travel itinerary records, so this comment is 
inapplicable.
    Contrary to some commenters' assertion that the TSA 
Pre[check]TM Application Program infringes upon an 
individual's right to travel, this program will provide an added 
convenience to the majority of the traveling public.
    A public interest research center noted that according to the SORN, 
Known Traveler Numbers (KTNs) will be granted to individuals who pose a 
``low'' risk to transportation security, while the Secure Flight 
regulation (see 49 CFR 1560.3) provides that when a known traveler 
program is instituted, individuals for whom the Federal government has 
conducted a security threat assessment and who do ``not pose a security 
threat'' will be provided a KTN. This commenter stated that DHS thus 
used the SORN to amend the Secure Flight regulation. DHS disagrees that 
the use of these two phrases constitutes a change in the Secure Flight 
regulation for who may receive a KTN. In response to comments on the 
Secure Flight proposed rule, TSA stated that it intended ``to develop 
and implement the Known Traveler Number as part of the Secure Flight 
program. . . .'' and that a KTN will be assigned to individuals ``for 
whom the Federal government has already conducted a terrorist security 
threat assessment and has determined does not pose a terrorist security 
threat.'' See 73 FR 64018, 64034 (Oct. 28, 2008).
    TSA will compare TSA Pre[check]TM Application Program 
applicants to terrorist watch lists to determine whether the 
individuals pose a terrorist threat, but its threat assessment also 
will include law enforcement records checks to determine whether 
applicants in other ways pose a security threat.\2\ Applicants who are 
found to present a low risk to security, i.e., they do not pose either 
a terrorist security threat nor a more general security threat, will be 
provided a KTN.\3\
---------------------------------------------------------------------------

    \2\ As TSA developed its known traveler program under the Secure 
Flight rule, it determined that it would require a security threat 
assessment similar to the threat assessment used for the TWIC and 
HME programs. The threat assessments for the TWIC and HME programs 
compare applicant names to watch lists and to law enforcement 
records to determine whether applicants pose a terrorist threat or 
other security threat. As part of this assessment, certain criminal 
convictions (e.g., espionage) are determined to be permanent bars to 
receiving a TWIC or HME, while other convictions (e.g., smuggling) 
require a period of time to have passed post-conviction or post-
imprisonment before the applicant will be considered for the 
program. See 49 CFR 1572.103. The TWIC and HME programs thus 
consider not only whether an applicant poses a terrorist threat, but 
also whether the applicant otherwise poses a security threat.
    \3\ In developing its known traveler program, TSA relied on its 
expertise in aviation security to determine that a ``threat'' 
includes a declaration of intent to cause harm, or something likely 
to cause harm. Furthermore, TSA determined that a ``risk'' only 
represents a chance of something going wrong or a possibility of 
danger. Therefore, TSA deemed that ``low risk'' individuals ``do not 
pose a security threat'' to aviation security.
---------------------------------------------------------------------------

    The use of the phrase ``low risk'' is neither an expansion nor a 
contraction of the population that was anticipated to receive KTNs 
under the Secure Flight rule; rather, as the TSA 
Pre[check]TM program was developed, the use of the term 
``low risk'' was employed to more accurately describe who will receive 
a KTN. The TSA Pre[check]TM Application Program is a trusted 
traveler program, not a program open to all except those who present a 
terrorist threat. This standard also is consistent with the statutory 
authorization TSA received from the Congress to ``[e]stablish 
requirements to implement trusted passenger programs and use available 
technologies to expedite security screening of passengers who 
participate in such programs, thereby allowing security screening 
personnel to focus on those passengers who should be subject to more 
extensive screening.'' See sec. 109(a)(3) of the Aviation and 
Transportation Security Act (ATSA), Public Law 107-71 (115 Stat. 597, 
613, Nov. 19, 2001, codified at 49 U.S.C. 114 note).
    TSA promulgated the Secure Flight rule under the Administrative 
Procedure Act (APA), 5 U.S.C. 553, and clearly indicated that TSA was 
still developing its KTN program. The method that TSA selected to 
determine who receives KTNs under the TSA Pre[check]TM 
Application Program does not substantively affect the public to a 
degree sufficient to implicate the policy interests underlying notice-
and-comment rulemaking requirements. As noted in the SORN, the TSA 
Pre[check]TM Application Program does not impose any 
impediment on any individual traveler that is different from that 
experienced by the general traveling public, and individuals who TSA 
determines to be ineligible for the program will continue to be 
screened at airport security checkpoints according to TSA standard 
screening protocols. See 78 FR 55274, 55275. Specifically, a traveler 
denied admission into a TSA Pre[check]TM lane because he or 
she does not have a KTN will face no greater screening impediment than 
anyone in the standard screening lane. Thus, notice-and-comment 
rulemaking is not required because the Secure Flight regulation 
notified the public that TSA would retain the ability to determine who 
might receive a KTN, and also because no new substantive burden or 
impediment for any traveler has been created. As such, the use of the 
phrase ``low risk'' does not constitute an amendment to the Secure 
Flight regulation.
    The same commenter also suggested that TSA should make public its 
algorithms or thresholds for determining which TSA 
Pre[check]TM; Application Program applicants are approved. 
If TSA were to make its algorithms public, it would be possible for 
individuals who seek to disrupt civil aviation to circumvent the 
algorithms. Such disclosure would be contrary to TSA's mission and 
might endanger the flying public.
    Other commenters suggested that applicant information should be 
destroyed immediately after providing eligible individuals a KTN. For 
those individuals granted KTNs, TSA will maintain the application data 
while the KTN is valid and for one additional year to ensure that the 
security mission of the agency is properly protected. Without the 
application data, TSA would be unable to identify instances of fraud, 
identity theft, evolving risks, and other security issues. Moreover, 
destruction of the underlying application information will hinder TSA's 
ability to assist KTN holders who

[[Page 5]]

have lost their numbers and could cause them to have to reapply for the 
program. TSA also will retain application data to protect applicants' 
right to correct underlying information in the case of an initial 
denial.
    Two commenters questioned whether applicant information should be 
shared both within and outside DHS. TSA follows standard information-
sharing principles among DHS components in accordance with the Privacy 
Act. In addition, TSA has narrowly tailored the routine uses that it 
has proposed to serve its mission and promote efficiency within the 
Federal Government.
    A public interest research center objected to three of the routine 
uses proposed for the system of records, arguing that the routine uses 
would result in blanket sharing with law enforcement agencies, foreign 
entities, and the public for other purposes. DHS has considered the 
comment but disagrees. The exercise of any routine use is subject to 
the requirement that sharing be compatible with the purposes for which 
the information was collected.
    Several commenters objected that the TSA Pre[check]TM 
Application Program violates the U.S. Constitution or international 
treaty. DHS disagrees with the commenters as to the Constitutionality 
of the program, and notes that the treaty cited by an advocacy group 
expressly contradicts the position taken by the commenter by excluding 
requirements provided by law or necessary for national security from 
the treaty's proscription.
    After careful consideration of public comments, the Department will 
implement the rulemaking as proposed.

List of Subjects in 6 CFR Part 5

    Freedom of information; Privacy.

    For the reasons stated in the preamble, DHS amends Chapter I of 
Title 6, Code of Federal Regulations, as follows:

PART 5--DISCLOSURE OF RECORDS AND INFORMATION

0
1. The authority citation for Part 5 continues to read as follows:

    Authority:  6 U.S.C. 101 et seq.; Pub. L. 107-296, 116 Stat. 
2135; 5 U.S.C. 301. Subpart A also issued under 5 U.S.C. 552. 
Subpart B also issued under 5 U.S.C. 552a.


0
2. Add new paragraph 71 to Appendix C to Part 5 to read as follows:

Appendix C to Part 5--DHS Systems of Records Exempt From the Privacy 
Act

* * * * *
    71. The Department of Homeland Security (DHS)/Transportation 
Security Administration (TSA)-021 TSA Pre[check]TM 
Application Program System of Records consists of electronic and 
paper records and will be used by DHS/TSA. The DHS/TSA-021 
Pre[check]TM Application Program System of Records is a 
repository of information held by DHS/TSA on individuals who 
voluntarily provide personally identifiable information (PII) to TSA 
in return for enrollment in a program that will make them eligible 
for expedited security screening at designated airports. This System 
of Records contains PII in biographic application data, biometric 
information, pointer information to law enforcement databases, 
payment tracking, and U.S. application membership decisions that 
support the TSA Pre[check]TM Application Program 
membership decisions. The DHS/TSA-021 TSA Pre[check]TM 
Application Program System of Records contains information that is 
collected by, on behalf of, in support of, or in cooperation with 
DHS and its components and may contain PII collected by other 
federal, state, local, tribal, territorial, or foreign government 
agencies. The Secretary of Homeland Security, pursuant to 5 U.S.C. 
552a(k)(1) and (k)(2), has exempted this system from the following 
provisions of the Privacy Act: 5 U.S.C. 552a(c)(3); (d); (e)(1); 
(e)(4)(G), (H), and (I); and (f). Where a record received from 
another system has been exempted in that source system under 5 
U.S.C. 552a(k)(1) and (k)(2), DHS will claim the same exemptions for 
those records that are claimed for the original primary systems of 
records from which they originated and claims any additional 
exemptions set forth here. Exemptions from these particular 
subsections are justified, on a case-by-case basis to be determined 
at the time a request is made, for the following reasons:
    (a) From subsection (c)(3) (Accounting for Disclosures) because 
release of the accounting of disclosures could alert the subject of 
an investigation of an actual or potential criminal, civil, or 
regulatory violation to the existence of that investigation and 
reveal investigative interest on the part of DHS as well as the 
recipient agency. Disclosure of the accounting would therefore 
present a serious impediment to law enforcement efforts and/or 
efforts to preserve national security. Disclosure of the accounting 
also would permit the individual who is the subject of a record to 
impede the investigation, to tamper with witnesses or evidence, and 
to avoid detection or apprehension, which would undermine the entire 
investigative process.
    (b) From subsection (d) (Access to Records) because access to 
the records contained in this system of records could inform the 
subject of an investigation of an actual or potential criminal, 
civil, or regulatory violation to the existence of that 
investigation and reveal investigative interest on the part of DHS 
or another agency. Access to the records could permit the individual 
who is the subject of a record to impede the investigation, to 
tamper with witnesses or evidence, and to avoid detection or 
apprehension. Amendment of the records could interfere with ongoing 
investigations and law enforcement activities and would impose an 
unreasonable administrative burden by requiring investigations to be 
continually reinvestigated. In addition, permitting access and 
amendment to such information could disclose security-sensitive 
information that could be detrimental to homeland security.
    (c) From subsection (e)(1) (Relevancy and Necessity of 
Information) because in the course of investigations into potential 
violations of federal law, the accuracy of information obtained or 
introduced occasionally may be unclear, or the information may not 
be strictly relevant or necessary to a specific investigation. In 
the interests of effective law enforcement, it is appropriate to 
retain all information that may aid in establishing patterns of 
unlawful activity.
    (d) From subsections (e)(4)(G), (H), and (I) (Agency 
Requirements) and (f) (Agency Rules), because portions of this 
system are exempt from the individual access provisions of 
subsection (d) for the reasons noted above, and therefore DHS is not 
required to establish requirements, rules, or procedures with 
respect to such access. Providing notice to individuals with respect 
to the existence of records pertaining to them in the system of 
records or otherwise setting up procedures pursuant to which 
individuals may access and view records pertaining to themselves in 
the system would undermine investigative efforts and reveal the 
identities of witnesses, potential witnesses, and confidential 
informants.

    Dated: December 20, 2013.
Karen L. Neuman,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2013-31183 Filed 12-31-13; 8:45 am]
BILLING CODE 9110-9M-P