TSA Demands More Air Passenger Data

24 September 2004. The first three TSA notices below were published in the Federal Register today, along with a fourth which was not offered with them on the TSA web site on September 22.

22 September 2004. Thanks to J.

Airlines Told to Turn Over Passenger Data

Updated: Tuesday, Sep. 21, 2004 - 4:30 PM

By LESLIE MILLER

Associated Press Writer

WASHINGTON (AP) - The Transportation Security Administration announced on Tuesday that it will order domestic airlines to turn over personal information about passengers to test a system that will compare their names to those on terrorist watch lists.

The system, called Secure Flight, replaces a previous plan that would have checked passenger names against commercial databases and assigned a risk level to each. That plan, which cost $103 million, was abandoned because of privacy concerns and technological issues.

The airlines will have 30 days to comment on the proposed order, which Congress gave the TSA authority to issue. Air carriers will then have 10 days to turn over data that it gathered in June, called passenger name records.

The amount of data in passenger name records varies by airline, but it typically includes name, flight origin, flight destination, flight time, duration of flight and form of payment. It can also include credit card numbers, address, telephone number and meal requests, which can indicate a person's ethnicity.

Justin Oberman, who heads the office that's developing Secure Flight, said he hopes that the program can be implemented by mid to late spring. He said he expects the airlines to cooperate.

"We are going to work very closely with them," Oberman said.

The TSA will also conduct a limited test in which they'll compare passenger names with information from commercial databases to see if they can be used to detect fraud or identity theft.

http://www.tsa.gov/public/display?theme=44&content=09000519800cf2f3

TSA Readies Secure Flight for Testing

U. S. DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration

FOR IMMEDIATE RELEASE September 21, 2004
TSA Press Office: (571) 227-2829

Latest Moves Include Posting of Privacy Assessment and Draft Order to Airlines

WASHINGTON, D.C. The Transportation Security Administration (TSA) today announced the release of the Privacy Impact Assessment (PIA) for the testing phase of the Secure Flight program along with a proposed order to airlines to provide one month's worth of Passenger Name Records (PNR) data to be used for program testing. The PIA (below) includes details of TSA's privacy policy for the testing phase of the program and the system methodology for Secure Flight.

"This is an important moment in aviation security; we are advancing a vital tool to combat terrorism and checking off another recommendation from the 9-11 Commission," said Rear Admiral David M. Stone, USN (Ret.), Assistant Secretary of Homeland Security for TSA.

â€œAlthough not required by law, the posting of the proposed order to domestic airlines and the solicitation of public comment is evidence of TSA's commitment to maintaining an open and transparent environment for the development of this important security tool,â€ said Admiral Stone.

The proposed order directs domestic airlines to provide historic PNR (below)data that they collected from passengers who flew in the month of June 2004. This 30-day pool of records will be used to test the Secure Flight computer platform at full load and full speed. The comment period will remain open for 30 days and following TSA's review and incorporation of changes the final order will be issued in late October.

The PIA explains in detail the handling and flow of personal information and the protocols and privacy protections built into Secure Flight to protect passengers. The system is designed around a core of privacy statutes, regulations and DHS policy.

With today's significant steps, domestic airlines should begin the transfer of data in late October, allowing testing of Secure Flight to begin in November of this year. The testing phase is important to determine system capabilities, capacity and selection rates.

Also, released today are the System of Records Notice (below) and public notice of the Information Collection Request. These documents cover TSA statutory authority for activities during testing phase only.

# # #

http://www.tsa.gov/public/interweb/assetlibrary/Secure_Flight_PIA_Notice_9.21.04.pdf

[4910-62-P]

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

[Docket No. TSA-2004-19160]

Privacy Impact Assessment; Secure Flight Test Phase

AGENCY: Transportation Security Administration (TSA), Department of Homeland Security (DHS).

ACTION: Notice.

SUMMARY: This notice sets forth the Transportation Security Administration’s (TSA) Privacy Impact Assessment (PIA) prepared for the testing phase of the Secure Flight program. After a lengthy review of the initial plans for a successor system to Computer Assisted Passenger Prescreening System (CAPPS), and consistent with a recommendation of the National Commission on Terrorist Attacks upon the United States (9/11 Commission), the Department of Homeland Security is moving forward with a next generation system of domestic passenger prescreening, called “Secure Flight”, which will prescreen airline passengers using information maintained by the Federal Government about individuals known or suspected to be engaged in terrorist activity and certain other information related to passengers’ itineraries-specifically, passenger name record (PNR) data. On a limited basis, TSA will also test the use of commercial data to identify instances in which passengers’ identifying passenger information is inaccurate or incorrect.

Elsewhere in this edition of the Federal Register, TSA is publishing notice of a new system of records under the Privacy Act, known as “Secure Flight Test Records,” which TSA will use for records related to the testing of the program. Also in this edition of the Federal Register, TSA is publishing a notice announcing its request for approval by the Office of Management and Budget of TSA’s collection of a limited set of historical PNR from domestic airlines for purposes of testing the Secure Flight program.

DATES: This notice is effective [Insert date of publication in the Federal Register].

FOR FURTHER INFORMATION CONTACT:

Lisa S. Dean, Privacy Officer, Transportation Security Administration, Arlington, VA 22202; Nuala O'Connor Kelly, Chief Privacy Officer, U.S. Department of Homeland Security, Washington, DC, 20528.

SUPPLEMENTARY INFORMATION:

Availability of Notice

You can get an electronic copy using the Internet by--

(1) Searching the Department of Transportation's electronic Docket Management System (DMS) web page (http://dms.dot.gov/search);
(2) Accessing the Government Printing Office’s web page at http://www.access.gpo.gov/su_docs/aces/aces140.html; or
(3) Visiting TSA’s Law and Policy web page at http://www.tsa.dot.gov/public/index.jsp.

In addition, copies are available by writing or calling the individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this notice.

Secure Flight

Test Phase Privacy Impact Assessment

I. Introduction

Pursuant to the authority granted it by the Aviation and Transportation Security Act of 2001 (ATSA), TSA has developed a new program for screening domestic airline passengers in order to enhance the security and safety of domestic airline travel. Under this new program, Secure Flight, TSA will compare PNR information against expanded and consolidated watch lists held in the Terrorist Screening Database (TSDB) maintained by the Terrorist Screening Center (TSC)¹ to identify known or suspected terrorists who would use the airways to inflict catastrophic damage on the United States. TSA plans to test the efficacy of the Secure Flight program after issuing an order to domestic air carriers to compel the collection of historic passenger name record (PNR) information for testing purposes. TSA will also conduct a separate test to determine if commercial data is effective in identifying passenger information that is incorrect or inaccurate. TSA does not assume that the result of comparison of passenger information to commercial data is determinative of information accuracy or the intent of the person who provided the passenger information.

____________________

1 The Terrorist Screening Center (TSC), established in December 2003, maintains a consolidated, comprehensive watch list of known or suspected terrorists. This database can be used by government agencies in screening processes to identify individuals known to pose or are suspected of posing a risk to the security of the United States.

Earlier this year, the Department of Homeland Security ordered a thorough review of the next generation passenger prescreening program under development by TSA. That review, which reflected helpful input to DHS from Congress, the public, privacy and civil liberties groups, airline passengers and the airline industry, and our international partners, has now been completed. Based on the results, TSA has developed a new program, Secure Flight, described above, which it intends to test prior to actual implementation.

The new program will allow DHS to add a critical piece to its layered strategy for securing the nation’s commercial air transportation system and is consistent with the 9/11 Commission recommendation: (1) that the Federal Government take over the responsibility for checking airline passengers' names against expanded “no-fly” and “automatic selectee” lists (this function is currently performed by individual airlines); and (2) that air carriers be required to supply data to test and implement this new system.

Because existing watch lists that are being consolidated and expanded in the TSC will be used to test the prescreening of airline passengers by TSA using the TSDB, the EGovernment Act of 2002 requires that a Privacy Impact Assessment (PIA) be conducted.

That assessment follows. After the test has been concluded and the results analyzed, TSA will update the PIA as necessary prior to actual implementation of the Secure Flight program.

System Overview

• What information is to be collected and used for this passenger pre-screening system?

The information to be collected will be used for a test of the Secure Flight program to ensure its accuracy, efficacy and reliability. In order to conduct the test, TSA will require domestic air carriers to submit historic PNR about individuals who have completed domestic flight segments during the month of June, 2004. PNR varies according to airline, but includes the following information fields which TSA will need for testing purposes: full name, contact phone number, mailing address and travel itinerary limited to domestic flight segments that were completed prior to June 30, 2004. Upon completion of testing and before implementation of the Secure Flight program, TSA will publish an amended Privacy Impact Assessment and Privacy Act Notice reflecting changes to the program based on knowledge gained from testing as well as constructive feedback from the public.

• Why is the information being collected and who will be affected by the collection of the data?

TSA is collecting information to test the Secure Flight program, the purpose of which is to enhance the security of domestic air travel by identifying only those passengers who warrant further scrutiny. The PNR to be collected will be compared with data maintained in the TSDB regarding individuals known or reasonably suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism. Individuals subject to the data collection requirements and processes of Secure Flight are persons who traveled within the United States during June 2004, the pre-selected 30-day period.

This same historic PNR data also will be used to conduct a limited test to determine if the use of commercial data is effective in identifying passengers' information that is incorrect or inaccurate. This test will involve commercial data aggregators who currently provide services to the banking, home mortgage and credit industries. Testing will be governed by strict privacy and data security protections. TSA will not store the commercially available data that would be accessed by commercial data aggregators. TSA will use this test of commercial data to determine whether such use: (1) could accurately identify passenger information that is incorrect or inaccurate; (2) would not result in inappropriate differences in treatment of any protected category of persons; (3) could be governed by data security safeguards and privacy protections that are sufficiently robust to ensure that commercial entities or other unauthorized entities do not gain access to passenger personal information, or to ensure that the federal government does not gain access inappropriately to certain types of personally sensitive data held by commercial entities.

TSA will defer any decision on how commercial data might be used in its prescreening programs, as Secure Flight, until the completion of the test period, assessment of the test results and publication of a subsequent System of Records Notice under the Privacy Act announcing the intended use of such commercial data.

• What notice or opportunities for consent are provided to individuals regarding the information that is collected and shared?

The Privacy Act System of Records Notice being published at this time – as well as this Privacy Impact Assessment – provide notice that TSA intends to collect historic PNR to test the Secure Flight program. Because the test phase will rely on historical PNR from the month of June 2004 for flights that were completed by the end of that month, the notice given by this Privacy Impact Assessment and the publication of a Privacy Act System of Records Notice for these records does not afford the opportunity for a passenger to provide consent in advance of this collection. Nevertheless, airline passengers are aware that by engaging in air travel they have consented to certain screening protocols since passenger prescreening is already in place. Additionally, Secure Flight has now been the subject of numerous media reports that convey additional notice, including information that appears on the TSA website at http://www.tsa.gov/public/.

The information to be collected will be shared with TSA employees and contractors who have a “need to know” in order to conduct the required test comparisons. All TSA contractors involved in the testing of Secure Flight are contractually and legally obligated to comply with the Privacy Act in their handling, use and dissemination of personal information in the same manner as TSA employees.

If a comparison using the test data indicates that an individual is suspected of terrorism, TSA will refer the information to appropriate law enforcement personnel for further action. Referrals will only occur, however, in this limited circumstance because the basic purpose of this information collection is to test the Secure Flight program.

• What security protocols are in place to protect the information?

Information in TSA’s record systems is safeguarded in accordance with the Federal Information Security Management Act of 2002 (Pub.L.107-347), which established government-wide computer security and training standards for all persons associated with the management and operation of Federal computer systems. The systems on which the tests will be conducted have been assessed for security risks, have implemented security policies and plans consistent with statutory, regulatory and internal DHS guidance, and are certified and accredited.

TSA will maintain the data to be collected for this test in a secure facility on electronic media and in hard copy format. The information will be protected in accordance with rules and policies established by both TSA and DHS for automated systems and for hard copy storage, including password protection and secure file cabinets. Moreover, access will be strictly controlled; only TSA employees and contractors with proper security credentials and passwords will have permission to use this information to conduct the required tests. Additionally, a real time audit function will be part of this record system to track who accesses the information, and any infractions of information security rules will be dealt with severely. All TSA and assigned contractor staff receive DHS-mandated privacy training on the use and disclosure of personal data. The procedures and policies that are in place are intended to ensure that no unauthorized access to records occurs and that operational safeguards are firmly in place to prevent system abuses.

• Does this program create a new system of records under the Privacy Act.

Yes. The Secure Flight Test Records system of records, DHS/TSA 017, is being published concurrently in today’s Federal Register.

• What is the intended use of the information?

The information collected by TSA will be used solely for the purpose of testing the Secure Flight program and will be maintained in a Privacy Act system of records in accordance with the published system of records notice for DHS/TSA 017.

• Will the information be retained and, if so, for what period of time?

TSA will retain these records for a sufficient period of time to conduct and review the Secure Flight test and in the event where a request for redress must be resolved. TSA does not yet have a record retention schedule approved by the National Archives and Records Administration (NARA) for records pertaining to this program and must retain these records until such schedule is approved. TSA is in the process of developing a records retention schedule that will dictate the retention period for these records and allow TSA to dispose of them within an appropriate timeframe.

• How will the passenger be able to seek redress?

During the test phase individuals may request access to information about themselves contained in the PNR subject to Secure Flight test phase by sending a written request to TSA. To the greatest extent possible and consistent with national security and homeland security requirements, access will be granted. If an individual wishes to contest or amend the records received in this manner, he or she may do so by sending that request to TSA. The request should conform to DHS requirements for contesting or amending Privacy Act records, and should be sent TSA Privacy Officer, Transportation Security Administration (TSA-9), 601 South 12th Street, Arlington, VA 22202. Before implementing a final program, however, TSA will create a robust redress mechanism to resolve disputes concerning the Secure Flight program.

• What databases will the names be run against?

TSA will run the names against the TSDB, which is a consolidated, comprehensive watch list of known or suspected terrorists. This database can be used by government agencies in screening processes to identify individuals known to pose or are suspected of posing a risk to the security of the United States. This consolidated database contains information contributed by the Departments of Homeland Security, Justice, and State and by the intelligence community. Because information related to terrorists is consolidated in the TSDB, TSA believes that the TSDB provides the most effective and secure system against which to run airline passenger names for purposes of identifying whether or not they are known or reasonably suspected to be engaged in terrorism or terrorist activity.

• Privacy Effects and Mitigation Measures

The decision to initiate Secure Flight follows completion of a thorough review of the TSA’s next generation passenger prescreening program, and is consistent with recommendations of the National Commission on Terrorist Attacks Upon the United States (9/11 Commission) that “improved use of ‘no-fly’ and ‘automatic selectee’ lists should not be delayed while the argument about a successor to CAPPS continues.” Moreover, by focusing solely on potential terrorism and not other law enforcement purposes, Secure Flight addresses concerns raised by privacy groups and others about the potential for "mission creep" by TSA.

TSA appreciates the privacy risk inherent in any airline prescreening program in which passenger name record information is provided to the Federal Government for use in conducting the prescreening. However, TSA also recognizes that the risk is necessary for ensuring the security of our air transportation system. TSA believes it has taken action to mitigate any privacy risk by designing its next generation passenger prescreening program to accommodate concerns expressed by privacy advocates, foreign counterparts and others.

First, under the Secure Flight testing phase, TSA will not require air carriers to collect any additional information from their passengers than is already collected by such carriers and maintained in passenger name records. Testing of the Secure Flight program will compare only existing PNR record information against names in the TSDB in order to determine how effectively existing PNR information can be compared against such names, how many instances of false positive matches occur, and what, if any additional limited data, would be most effective in reducing the number of such false positive hits.

TSA envisions that carriers may be required to collect full passenger name and possibly one other element of information under a fully implemented operational Secure Flight program. However, TSA will not make such determination until the initial test phase results can be assessed and an additional Privacy Impact Assessment is published.

Second, the Secure Flight program will permit TSA to take on sole responsibility for conducting passenger name comparisons against a consolidated TSDB watch list, rather than continuing to require multiple individual air carriers to conduct such comparisons. TSA will be able to apply improved prescreening procedures, including more consistent analytical procedures, for identifying actual name matches and for resolving false positive name matches prior to a passengers’ arrival at an airport, than can currently be applied by the individual air carriers that currently administer the watch list comparisons. TSA expects that the number of individuals currently subjected to automatic secondary screening will be reduced under an implemented Secure Flight program.

Third, Secure Flight will mitigate impact on personal privacy because of its limited purpose and anticipated limited retention period. Secure Flight will focus screening efforts only on identifying individuals known or reasonably suspected to be terrorists or engaged in terrorist activity, rather than on other law enforcement purposes. In addition, Secure Flight will only be applied to passengers on U.S. domestic flights. Passengers on international flights will continue to be prescreened using APIS (Advanced Passenger Information System data – information from the machine readable portion of an individual’s passport) provided to U.S. Customs and Border Protection for this purpose. Passengers on international flights will not be subject to duplicative information provision requirements or overlapping screening procedures. TSA also anticipates that passenger information will be held for a relatively limited amount of time after completion of a passenger’s itinerary. TSA's prescreening efforts will be as narrow as reasonable to accommodate privacy concerns, including access to redress mechanisms, but as robust as necessary to accomplish its security mission.

TSA believes that the Secure Flight program will represent a vast improvement in security by permitting TSA to identify individuals known or reasonably suspected to be engaged in terrorism or terrorism related activity. However, because Secure Flight may be rendered less effective if passenger-provided information is not accurate or correct, TSA does seek to identify the most appropriate means to identify when passenger information is incorrect or inaccurate. For this reason, TSA will use PNR information obtained for testing of the Secure Flight program to conduct a separate test of the use of commercial data to identify such inaccurate or incorrect passenger information. TSA recognizes that this may raise privacy and civil liberties concerns. TSA’s testing of commercial data use will therefore involve the following:

a) TSA will only test the use of commercial data
b) TSA does not assume that the result of comparison of passenger information to commercial data is determinative of information accuracy or the intent of the person who provided the passenger information.
c) Such testing of commercial data will be governed by stringent data security and privacy protections, including contractual prohibitions on commercial entities’ maintenance or use of airline-provided PNR information for any purposes other than testing under TSA parameters; strict firewalls between the government and commercial data providers; real-time auditing procedures to determine when data within the Secure Flights system has been accessed and by whom; strict rules prohibiting the accessing or use of commercially held personal data by TSA;
d) Assessment of test results prior to any operational use of commercial data in TSA programs and determination that its use is effective in identifying incorrect or inaccurate information does not result in disparate treatment of any class of individuals, and that data security protections and privacy protections are robust and effective.

TSA also recognizes that there is a privacy risk inherent in the design of any new system which could result from design mistakes. By testing the proposed Secure Flight program, TSA will have the opportunity to correct any privacy-related design mistakes before the program becomes fully operational, ensuring a better program. TSA is purposely testing the Secure Flight system, in fact, and will be carefully scrutinizing the performance of the system during the test phase -- and conducting further analysis upon completion -- to determine the effectiveness of Secure Flight both for passenger prescreening as well as for protecting the privacy of the data on which the program is based. By layering on top of the program design strict rules for oversight and training of personnel handling the data as well as strong system auditing to detect potential abuse and a carefully planned and executed redress process, TSA intends to make sure that privacy is an integral part of this overall effort. TSA's efforts will not only be thoroughly examined internally, including review by the TSA Privacy Officer, but also will be reviewed by the DHS Chief Privacy Officer before a final program is designed. In this process, TSA will carefully review constructive feedback it receives from the public on this important program.

Issued in Arlington, VA, on [blank]

Lisa S. Dean
Privacy Officer.

http://www.tsa.gov/public/interweb/assetlibrary/Secure_Flight_PRA_Notice_9.21.04.pdf

[4910-62-P]

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

[Docket No. TSA-2004-19160]

Reports, Forms, and Record Keeping Requirements: Agency Information

Collection Activity Under OMB Review; Secure Flight Test Phase

AGENCY: Transportation Security Administration (TSA), Department of Homeland Security (DHS).

ACTION: Notice of emergency clearance request.

SUMMARY: TSA has submitted a request for emergency processing of a new public information collection to the Office of Management and Budget (OMB) for review and clearance under the Paperwork Reduction Act of 1995 (Pub. L. 104-13, 44 U.S.C. 3501, et seq.). This notice announces that the Information Collection Request (ICR) abstracted below has been forwarded to OMB for review and comment. The purpose of the ICR is to facilitate testing of TSA’s Secure Flight program, which will prescreen airline passengers using information maintained by the Federal Government about individuals known or suspected to be engaged in terrorist activity and certain other information related to passengers’ itineraries--specifically, passenger name record (PNR) data. On a limited basis, TSA will also test the use of commercial data to identify instances in which passenger information is incorrect or inaccurate. TSA does not assume that the result of comparison of passenger information to commercial data is determinative of information accuracy or the intent of the person who provided the passenger information.

In order to test the Secure Flight program, TSA is proposing to issue an order to all domestic aircraft operators directing them to submit a limited set of historical passenger name records to TSA. The ICR describes the nature of the information collection and its expected burden.

DATES: Send your comments by [Insert date 30 days after date of publication in the Federal Register]. A comment to OMB is most effective if OMB receives it within 30 days of publication.

ADDRESSES: Comments may be faxed to the Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: DHS-TSA Desk Officer, at (202) 395-5806.

FOR FURTHER INFORMATION CONTACT: Conrad Huygen, Office of Transportation Security Policy, TSA-9, Transportation Security Administration, 601 South 12th Street, Arlington, VA 22202-4220; telephone (571) 227-3250; facsimile (571) 227-1954; e-mail conrad.huygen@dhs.gov.

SUPPLEMENTARY INFORMATION:

Background

TSA currently performs passenger and baggage screening with screening personnel and equipment at the nation’s airports. This screening is supplemented by a system of computer-based passenger screening known as the Computer-Assisted Passenger Prescreening System (CAPPS), which is operated by U.S. aircraft operators. CAPPS analyzes information in passenger name records (PNRs) using certain evaluation criteria in order to determine whether a passenger or his property should receive a higher level of security screening prior to boarding an aircraft. A PNR is a record that contains detailed information about an individual’s travel on a particular flight, including information provided by the passenger when making the flight reservation. Though the content of PNRs varies among airlines, PNRs may include, among other information: (1) passenger name; (2) reservation date; (3) travel agency or agent; (4) travel itinerary information; (5) form of payment; (6) flight number; and (7) seating location. Operationally, CAPPS is not a single system. CAPPS is programmed into the separate computer systems through which airline passenger reservations are made. Passenger prescreening also involves the comparison of identifying information of airline passengers against lists of individuals known to pose or suspected of posing a threat to civil aviation or national security. Aircraft operators currently carry out this function, using lists provided by TSA. Because the lists are provided in an unclassified form, the amount of information that they include is limited.

After a lengthy review of the initial plans for a successor system to CAPPS, and consistent with a recommendation of the National Commission on Terrorist Attacks upon the United States (9/11 Commission), the Department of Homeland Security is moving forward with a next-generation system of domestic passenger prescreening, called “Secure Flight,” that meets the following goals: (1) identifying, in advance of flight, passengers known or suspected to be engaged in terrorist activity; (2) moving passengers through airport screening more quickly and reducing the number of individuals unnecessarily selected for secondary screening; and (3) fully protecting passengers’ privacy and civil liberties.

Secure Flight Description

Secure Flight will involve the comparison of information in PNRs for domestic flights to names in the Terrorist Screening Database (TSDB) maintained by the Terrorist Screening Center (TSC), including the expanded TSA No-Fly and Selectee Lists, in order to identify individuals known or suspected to be engaged in terrorist activity. TSA will apply, within the Secure Flight system, a streamlined version of the existing CAPPS rule set related to suspicious indicators associated with travel behavior, as identified in passengers’ itinerary-specific PNR. This should provide a security benefit, while at the same time improving the efficiency of the pre-screening process and reducing the number of persons selected for secondary screening. TSA will also build a “random” element into the new program to protect against those who might seek to reverse-engineer the system.

The Secure Flight program is fully consistent with the recommendation in the final report of the 9/11 Commission, which states at page 392:

“[I]mproved use of “no-fly” and “automatic selectee” lists should not be delayed while the argument about a successor to CAPPS continues. This screening function should be performed by TSA and it should utilize the larger set of watch lists maintained by the Federal Government. Air carriers should be required to supply the information needed to test and implement this new system.”

Expansion of these lists to include information not previously included for security reasons will be possible as integration and consolidation of the information related to individuals known or suspected to be engaged in terrorist activity maintained by TSC is completed and the U.S. Government assumes the responsibility for administering the watch list comparisons. Secure Flight will automate the vast majority of watch list comparisons; will allow TSA to apply more consistent procedures where automated resolution of potential matches is not possible; and will allow for more consistent response procedures at airports for those passengers identified as potential matches.

Secure Flight Testing Phase

Secure Flight represents a significant step in securing domestic air travel and safeguarding terrorism related national security information. It will dramatically improve the administration of comparisons of passenger information with data maintained by TSC and will reduce the long-term costs to air carriers and passengers associated with maintaining the present system, which is operated individually by each air carrier that flies in the United States.

However, such comparisons will not permit TSA to identify passenger information that is incorrect or inaccurate. For this reason and on a very limited basis, in addition to testing TSA’s ability to compare passenger information with data maintained by TSC, TSA will separately test the use of commercial data to determine if use of such data is effective in identifying passenger information that is incorrect or inaccurate. This test will involve commercial data aggregators who provide services to the banking, home mortgage and credit industries. These procedures will be governed by strict privacy and data security protections. TSA will not store the commercially available data that would be used by commercial data aggregators. TSA will use this test of commercial data to determine whether such use: (1) could accurately identify when passengers’ information is inaccurate or incorrect; (2) would not result in inappropriate differences in treatment of any protected category of persons; and (3) could be governed by data security safeguards and privacy protections that are sufficiently robust to ensure that commercial entities or other unauthorized entities do not gain access to passenger personal information and to ensure that the government does not gain inappropriate access to sensitive personal information. TSA will defer any decision of whether commercial data will be used in its prescreening programs, such as Secure Flight, until a thorough assessment of test results is completed and until the agency publishes a new System of Records Notice announcing how commercial data might be used and individuals’ privacy will be protected.

In order to obtain the passenger information necessary to test the Secure Flight program, TSA proposes to issue an order to all domestic aircraft operators directing them to submit a limited set of historical PNRs to TSA that cover commercial scheduled domestic flights. The order covers PNRs with domestic flight segments completed in the month of June 2004. However, the order will exclude those PNRs with flight segments that occurred after June 30, 2004. The purpose of this limitation is to ensure that during the test phase, TSA does not obtain any information about future travel plans of passengers on domestic flights. The order also proposes to exclude PNR flight segments to or from the United States. TSA requests comments from all interested parties on this proposed order. The text of the proposed order is set forth below:

“TRANSPORTATION SECURITY ADMINISTRATION ORDER
Pursuant to the authority vested in me as Assistant Secretary of Homeland Security (Transportation Security Administration) (TSA) by delegation from the Secretary of Homeland Security, 49 U.S.C. 40113(a), and other authorities described below, I hereby direct [U.S. aircraft operator] to provide passenger name records (PNRs) to TSA in accordance with the terms of this order.
Background and Authority
1. The Secretary of Homeland Security has delegated to the Assistant Secretary of Homeland Security (TSA), subject to the Secretary’s guidance and control, the authority vested in the Secretary by section 403(2) of the Homeland Security Act (HSA) respecting TSA, including that related to civil aviation security under the Aviation and Transportation Security Act (ATSA).
2. Under 49 U.S.C. 114(e)(1) and 44901(a), TSA is responsible for, among other things, providing for the screening of passengers traveling in air transportation and intrastate air transportation.
3. One component of passenger screening is the Computer-Assisted Passenger Prescreening System (CAPPS), an automated screening system developed by the Federal Aviation Administration (FAA) in cooperation with U.S. aircraft operators. U.S. aircraft operators implemented CAPPS in 1997.
4. CAPPS analyzes information in PNRs using certain evaluation criteria in order to determine whether a passenger will be selected for a higher level of security screening prior to boarding. A PNR is a record that contains detailed information about an individual’s travel on a particular flight, including information provided by the individual when making the flight reservation. While the Federal Government established the CAPPS selection criteria, CAPPS is operated entirely by U.S. aircraft operators.
5. Passenger prescreening also involves the comparison of identifying information of airline passengers against lists of individuals known to pose or suspected of posing a threat to civil aviation or national security. Aircraft operators currently carry out this function, using lists provided by TSA. Because the lists are provided in an unclassified form, the amount of information they include is limited. For this reason, TSA will take over from aircraft operators the function of screening passengers against such lists and use a larger set of data maintained by the Federal Government for this purpose. This is consistent with the recommendation by the National Commission on Terrorist Attacks upon the United States (9/11 Commission) related to the use of expanded “No-Fly” and “Automatic Selectee” lists, and the 9/11 Commission recommendation that aircraft operators be required to supply the information needed to test and implement such a system.
6. Under 49 U.S.C. 114(f)(8), TSA has authority to identify and undertake research and development activities necessary to enhance transportation security.
7. In accordance with the authority in 49 U.S.C. 44903(j)(2), TSA is in the process of developing a successor system to CAPPS that will be operated entirely by TSA and will incorporate the screening of passengers against data maintained by the Terrorist Screening Center (TSC) about individuals known or reasonably suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism.
8. In order to test such a system, TSA must have access to information contained in the PNRs for domestic passenger flights.
9. TSA has broad authority under 49 U.S.C. 40113(a) to issue orders necessary to carry out its functions, including its responsibility to provide for the security screening of passengers under 49 U.S.C. 114(e)(1) and 44901(a), as well as its power to identify and undertake research and development activities necessary to enhance transportation security under 49 U.S.C. 114(f)(8).
Findings
10. The security pre-screening of passengers, as mandated by Congress, is vital to aviation security and the national security.
11. After a lengthy review of the initial plans for a successor system to CAPPS, and consistent with the recommendation of the 9/11 Commission, the Department of Homeland Security is moving forward with a next generation system of domestic passenger prescreening that meets the following goals: (1) identifying, in advance of flight, passengers known or suspected to be engaged in terrorist activity; (2) moving of passengers through airport screening more quickly and reducing the number of individuals unnecessarily selected for secondary screening; and (3) fully protecting passengers’ privacy and civil liberties.
12. In the revised program, known as Secure Flight, TSA will compare information in airline PNRs for domestic flights to information in the Terrorist Screening Database (TSDB) at TSC, including expanded TSA No-Fly and Selectee lists, in order to identify individuals known or suspected to be engaged in terrorist activity. The Secure Flight program also will analyze information in PNRs using a streamlined version of the existing CAPPS evaluation criteria. TSA will use the PNRs obtained under this order to test these aspects of the program.
13. TSA also will test whether comparing passenger information to other commercially available data can help identify passenger information that is inaccurate or incorrect.
14. In order to develop and test such a system, TSA must obtain PNRs from aircraft operators.
15. Therefore, TSA is issuing this order to aircraft operators directing them to provide PNRs for testing of a new passenger prescreening system.
Action Ordered
16. On October 29, 2004, the aircraft operator must submit to its Principal Security Inspector (PSI) all PNRs with flight segments flown during the month of June 2004 that reflect itineraries of passengers for transport by the aircraft operator on a scheduled flight within the United States, in operations subject to a full security program under 49 CFR 1544.101(a).
17. Within seven days of the date of this order, the aircraft operator must submit to the PSI a plan for meeting the requirement in paragraph 16.
18. The aircraft operator must exclude the following from the set of PNRs submitted to its PSI:
a. Any PNR reflecting an itinerary that includes one or more flight segments that have not been completed on or before June 30, 2004;
b. Any flight segment from a PNR that represents one or more flight segments to or from the United States; and
c. Information related to changes in the PNR prior to completion of the flight itinerary (PNR history).

19. The aircraft operator must include in the set of PNRs submitted to its PSI:
a. Any PNRs reflecting itineraries that were cancelled in whole or in part; and
b. All active fields from each PNR.

20. For purposes of this order, the term United States includes U.S. territories and possessions.
21. For purposes of this order, the term “PNR” means the electronic record maintained by the aircraft operator detailing information about an individual’s travel on a particular flight and any other information contained in that record.
22. The aircraft operator must provide the PNRs to the PSI on optical media in an unpacked or uncompressed form, in a structured data format or XML, if available.
23. The aircraft operator must provide to the PSI information about the aircraft operator’s PNR data schema and layout, such as a PNR format book and a data dictionary that includes all acronyms and codes used in the PNRs, including any acronyms or codes not standard to the International Air Transport Association.”

Information Collection

Transportation Security Administration (TSA)

Title: Secure Flight Testing Phase

Type of Request: Emergency processing request of new collection.

OMB Control Number: Not yet assigned.

Forms(s): None.

Affected Public: Business or other-for-profit; each aircraft operator conducting scheduled flights within the United States in operations subject to a full security program under 49 CFR 1544.101(a).

Abstract: In order to test the Secure Flight concept, TSA will collect from the aircraft operators historical PNR data for all flights completed during the month of June 2004 that reflect itineraries of passengers for transport by the aircraft operator on a scheduled flight within the United States in operations subject to a full security program under 49 CFR 1544.101(a).

TSA will compare passengers’ identifying information in the PNRs for domestic flights to data maintained in the Terrorist Screening Database (TSDB), including expanded TSA No-Fly and Selectee lists, in order to test the ability to identify individuals known or reasonably suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism. On a limited basis, TSA also will use the information in PNRs to test the use of commercial data to determine if it is effective in identifying passengers’ information that is incorrect or inaccurate.

Number of Respondents: 77.

Estimated Annual Burden Hours: 10,850.

Estimated Annual Cost: $810,000.

TSA is soliciting comments to--

(1) Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden;
(3) Enhance the quality, utility, and clarity of the information to be collected; and
(4) Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

Issued in Arlington, Virginia, on [BLANK].

Lisa S. Dean,
Privacy Officer.

http://www.tsa.gov/public/interweb/assetlibrary/Secure_Flight_SORN_9.21.04.pdf

[4910-62-P]

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

[Docket No. TSA-2004-19160]

Privacy Act of 1974: System of Records; Secure Flight Test Records

AGENCY: Transportation Security Administration (TSA), Department of Homeland Security (DHS).

ACTION: Notice to establish system of records; request for comments.

SUMMARY: TSA is establishing one new system of records under the Privacy Act of 1974, known as “Secure Flight Test Records.” TSA will use information in the system to test the new Secure Flight program, which has been designed to assist TSA in preventing individuals known or suspected to be engaged in terrorist activity from boarding domestic passenger flights. Under this new program, TSA will compare the identifying information of airline passengers contained in passenger name records (PNRs) to the identifying information of individuals in the Terrorist Screening Database of the Terrorist Screening Center (TSC).

During the testing period for the new Secure Flight program, TSA will also conduct a separate test of the use of commercial data to determine its effectiveness in identifying passenger information that is inaccurate or incorrect. TSA does not assume that the result of comparison of passenger information to commercial data is determinative of information accuracy or the intent of the person who provided the passenger information.

For purposes of testing both the new Secure Flight program and the use of commercial data to validate the accuracy of passenger-provided information, TSA will collect a limited set of historical PNRs from domestic airlines.

TSA invites comments on this notice. A further Privacy Act notice will be published in advance of any active implementation of the Secure Flight program.

DATES: This notice is effective [Insert date of publication in the Federal Register]. The routine uses described in this notice are effective [Insert 30 days after date of publication in the Federal Register]. Comments are due by [Insert date 30 days after publication in the Federal Register].

ADDRESSES: You may submit comments, identified by TSA docket number to this document, using any one of the following methods:

Comments Filed Electronically: You may submit comments through the docket web site at http://dms.dot.gov. Please be aware that anyone is able to search the electronic form of all comments received into any of our dockets by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review the applicable Privacy Act Statement published in the Federal Register on April 11, 2000 (65 FR 19477), or you may visit http://dms.dot.gov. You also may submit comments through the Federal eRulemaking portal at http://www.regulations.gov.

Comments Submitted by Mail, Fax, or In Person: Address or deliver your written, signed comments to the Docket Management System, U.S. Department of Transportation, Room Plaza 401, 400 Seventh Street, SW., Washington, DC 20590-0001; Fax: 202-493-2251.

Comments that include trade secrets, confidential commercial or financial information, or sensitive security information (SSI) should not be submitted to the public regulatory docket.¹ Please submit such comments separately from other comments on the document. Comments containing trade secrets, confidential commercial or financial information, or SSI should be appropriately marked as containing such information and submitted by mail to Marisa Mullen, Senior Rulemaking Analyst, Office of the Chief Counsel, TSA-2, Transportation Security Administration, 601 South 12th Street, Arlington, VA 22202-4220.

____________________

1 See 49 CFR 1520.5 for a description of SSI material.

Reviewing Comments in the Docket: You may review the public docket containing comments in person in the Dockets Office between 9:00 a.m. and 5:00 p.m., Monday through Friday, except Federal holidays. The Dockets Office is located on the plaza level of the NASSIF Building at the Department of Transportation address above. Also, you may review public dockets on the Internet at http://dms.dot.gov.

FOR FURTHER INFORMATION CONTACT: Privacy Office, Department of Homeland Security, Washington, DC 20528; Phone: 202-282-8000, Fax: 202-772-5036.

SUPPLEMENTARY INFORMATION:

Availability of Notice

You can get an electronic copy using the Internet by--

(1) Searching the Department of Transportation's electronic Docket Management System (DMS) web page (http://dms.dot.gov/search);
(2) Accessing the Government Printing Office’s web page at http://www.access.gpo.gov/su_docs/aces/aces140.html; or
(3) Visiting TSA’s Law and Policy web page at http://www.tsa.dot.gov/public/index.jsp.

In addition, copies are available by writing or calling the individual in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this notice.

Background

Passenger prescreening also involves the comparison of identifying information of airline passengers against lists of individuals known or suspected of posing a threat to civil aviation or national security. Aircraft operators currently carry out this function, using lists provided by TSA. Because the lists are provided in an unclassified form, the amount of information they include is limited.

(1) identifying, in advance of flight, passengers known or suspected to be engaged in terrorist activity; (2) moving passengers through airport screening more quickly and reducing the number of individuals unnecessarily selected for secondary screening; and (3) protecting passengers’ privacy and civil liberties fully.

Secure Flight Description

Secure Flight will involve the comparison of information in PNRs for domestic flights to names in the Terrorist Screening Database (TSDB) maintained by the Terrorist Screening Center (TSC), to include the expanded TSA No-Fly and Selectee Lists, in order to identify individuals known or reasonably suspected to be engaged in terrorist activity. TSA will apply, within the Secure Flight system, a streamlined version of the existing CAPPS rule set related to suspicious indicators associated with travel behavior, as identified in passengers’ itinerary-specific PNR. This should provide a security benefit, while at the same time improving the efficiency of the pre-screening process and reducing the number of persons selected for secondary screening. TSA will also build a “random” element into the new program to protect against those who might seek to reverse engineer the system.

The Secure Flight program is fully consistent with the recommendation in the final report of the 9/11 Commission, which states at page 392:

“[I]mproved use of “no-fly” and “automatic selectee” lists should not be delayed while the argument about a successor to CAPPS continues. This screening function should be performed by TSA and it should utilize the larger set of watch lists maintained by the Federal Government. Air carriers should be required to supply the information needed to test and implement this new system.”

Expansion of these lists to include information not previously included for security reasons will be possible as integration and consolidation of various data maintained by the TSC is completed and the U.S. Government assumes the responsibility for administering the watch list comparisons. Secure Flight will automate the vast majority of watch list comparisons; will allow TSA to apply more consistent procedures where automated resolution of potential matches is not possible; and will allow for more consistent response procedures at airports for those passengers identified as potential matches.

Secure Flight Testing Phase

Secure Flight represents a significant step in securing domestic air travel and safeguarding critical terrorism-related national security information. It will dramatically improve the administration of comparisons of passenger information with data maintained by TSC and will reduce the long-term costs to air carriers and passengers associated with maintaining the present system, which is operated individually by each air carrier that flies in the United States.

However, such comparisons will not permit TSA to identify passenger information that is incorrect or inaccurate. For this reason and on a very limited basis, in addition to testing its ability to compare passenger information with data maintained by TSC, TSA will also test the use of commercial data to determine if this approach is effective in identifying passenger information that is incorrect or inaccurate. This test will involve commercial data aggregators who provide services to the banking, home mortgage and credit industries. Testing of these procedures will be governed by strict privacy and data security protections. TSA will not store the commercially available data that would be accessed by commercial data aggregators. TSA will use this test of commercial data to determine whether such use: (1) could accurately identify when passenger information is inaccurate or incorrect; (2) would not result in inappropriate differences in treatment of any protected category of persons; and (3) could be governed by data security safeguards and privacy protections that are sufficiently robust to ensure that commercial entities or other unauthorized entities do not gain access to passenger personal information, or to ensure that the Federal Government does not gain access inappropriately to certain types of sensitive commercial data.

Furthermore, TSA will defer any decision on how commercial data might be used in its prescreening programs, such as Secure Flight, until the completion of the test period, assessment of the test results, and publication of a subsequent System of Records Notice under the Privacy Act announcing the intended use of such commercial data.

Sources of Information Contained in the Secure Flight System

In order to obtain the passenger information necessary to test the Secure Flight program, TSA proposes to issue an order to all domestic aircraft operators directing them to submit a limited set of historical PNRs to TSA that cover commercial scheduled domestic flights. The order covers PNRs with domestic flight segments completed in the month of June 2004. However, the order will exclude those PNRs with flight segments occurring after June 30, 2004. The purpose of this limitation is to ensure that during the test phase, TSA does not obtain any information about future travel plans of passengers on domestic flights. The order also excludes flight segments of PNRs for travel to or from the United States.

Privacy Practices; Secure Flight Testing Phase

Testing and the eventual implementation of the Secure Flight program will be governed by stringent privacy protections, including data security mechanisms and limitations on use, strict firewalls, and data access limitations between the government and commercial entities. These can be reviewed in TSA’s Privacy Impact Statement on Secure Flight (found at the DHS Privacy Office website at www.dhs.gov) and also published in today’s Federal Register. It is anticipated that the test duration may be as long as 30 days. Data from the test will not be transmitted to airport screeners or used for screening purposes.

Upon completion of the testing phase, and before Secure Flight is operational, TSA will establish comprehensive passenger redress procedures and personal data and civil liberties protections for the Secure Flight program. TSA is firmly committed to protecting individuals’ privacy, both on a policy level and in keeping with applicable legal requirements. TSA is committed to providing access to the information that is contained in the Secure Flight Test Records system to the greatest extent feasible consistent with national security concerns. As detailed below, passengers can request a copy of most information contained about them in the system from TSA. TSA is working with the National Archives and Records Administration to obtain approval of a records retention and disposal schedule to cover records in the Secure Flight system. TSA will propose to establish a short retention schedule for records in the Secure Flight Test Records system.

Impact on Traveling Public

At this point, the Secure Flight program is in a developmental and testing stage. TSA will not use the results of its testing for any purpose other than analysis of the efficacy of the program. Therefore, during this test phase, Secure Flight is expected to have no impact on the traveling public. However, if an indication of terrorist or possible terrorist activity is revealed during the test phase, appropriate action will be taken, to include possibly providing information in the system of records to relevant law enforcement agencies.

System of Records

DHS/TSA 017

System name:

Secure Flight Test Records

Security Classification:

Classified, sensitive

System Location:

Records are maintained at the Office of National Risk Assessment, Transportation Security Administration (TSA), Department of Homeland Security, P.O. Box 597, Annapolis Junction, MD 20701-0597, and at the Office of National Risk Assessment facility in Colorado Springs, Colorado.

Categories of Individuals Covered by the System:

Individuals traveling within the United States by passenger air transportation; and individuals known or reasonably suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism.

Categories of Records in the System:

(a) Passenger Name Records (PNRs) obtained from aircraft operators, the specific contents of which often vary by aircraft operator;
(b) Information obtained from the Terrorist Screening Center about individuals known or reasonably suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism;
(c) Authentication scores and codes obtained from commercial data providers; and
(d) Results of comparisons of individuals to data obtained from the Terrorist Screening Center.

Authority for Maintenance of the System:

49 U.S.C. 114, 44901, and 44903.

Purpose(s):

The system will be used to test the Secure Flight program. The purpose of the program is to enhance the security of domestic air travel by identifying passengers who warrant further scrutiny prior to boarding an aircraft. To identify those passengers, TSA will compare PNR data with information obtained from the Terrorist Screening Center about individuals known or reasonably suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism.

The Secure Flight test also will involve the use of a streamlined version of the rule set related to suspicious indicators associated with travel behavior, as identified in passengers’ itinerary-specific PNR under the existing computer-assisted passenger prescreening system (CAPPS) currently used by aircraft operators.

The System of Records will also be used to perform limited and separate testing of the efficacy of using commercial data to identify passenger information that is incorrect or inaccurate.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

(1) To the Federal Bureau of Investigation where TSA becomes aware of information that may be related to an individual identified in the Terrorist Screening Database as known or reasonably suspected to be or having been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism.
(2) To contractors, grantees, experts, consultants, or other like persons when necessary to perform a function or service related to the Secure Flight program or the system of records for which they have been engaged. Such recipients are required to comply with the Privacy Act, 5 U.S.C. 552a, as amended.
(3) To the Department of Justice (DOJ) or other Federal agency in the review, settlement, defense, and prosecution of claims, complaints, and lawsuits involving matters over which TSA exercises jurisdiction or when conducting litigation or in proceedings before any court, adjudicative or administrative body, when: (a) TSA; or (b) any employee of TSA in his/her official capacity; or (c) any employee of TSA in his/her individual capacity, where DOJ or TSA has agreed to represent the employee; or (d) the United States or any agency thereof, is a party to the litigation or has an interest in such litigation, and TSA determines that the records are both relevant and necessary to the litigation and the use of such records is compatible with the purpose for which TSA collected the records.
(4) To the National Archives and Records Administration (NARA) or other federal agencies pursuant to records management inspections being conducted under the authority of 44 U.S.C. 2904 and 2906.
(5) To a Congressional office from the record of an individual in response to an inquiry from that congressional office made at the request of the individual.
(6) To an agency, organization, or individual for the purposes of performing authorized audit or oversight operations.

Disclosure to consumer reporting agencies:

None.

Policies and Practices for Storing, Retrieving, Accessing, Retaining and Disposing of Records in the System:

Storage:

Records are stored electronically at the TSA Office of National Risk Assessment (ONRA) in a secure facility. The records are stored on magnetic disc, tape, digital media, and CD-ROM, and may also be retained in hard copy format in secure file folders.

Retrievability:

Data are retrievable by the individual’s name or other identifier, as well as nonidentifying information.

Safeguards:

Information in this system is safeguarded in accordance with applicable rules and policies, including any applicable ONRA, TSA, and DHS automated systems security and access policies. Access to the computer system containing the records in this system of records is limited and can be accessed only by those individuals who require it to perform their official duties. The system also maintains a real-time auditing function of individuals who access the system. Classified information is appropriately stored in a secured facility, in secured databases and containers, and in accordance with other applicable requirements, including those pertaining to classified Information.

Retention and Disposal:

TSA is working with the National Archives and Records Administration to obtain approval of a records retention and disposal schedule to cover records in the Secure Flight system. TSA will propose to establish a short retention schedule for records in the Secure Flight Test Records system.

System Manager(s) and Address:

Director, Office of National Risk Assessment, Transportation Security Administration, P.O. Box 597, Annapolis Junction, MD 20701-0597.

Notification Procedures:

Pursuant to 5 U.S.C. 552a(k), this system of records may not be accessed for purposes of determining if the system contains a record pertaining to a particular individual.

Record Access Procedures:

Although the system is exempt from record access procedures pursuant to 5 U.S.C. 552a(k), DHS has determined that all persons may request access to information about them contained in a PNR by sending a written request to the TSA Privacy Officer, Transportation Security Administration (TSA-9), 601 South 12th Street, Arlington, VA 22202.

To the greatest extent possible and consistent with national security requirements, such access will be granted. Individuals requesting access must comply with the Department of Homeland Security Privacy Act regulations on verification of identity (6 CFR 5.21(d)). Individuals must submit their full name, current address, and date and place of birth. You must sign your request and your signature must either be notarized or submitted by you under 28 U.S.C. 1746, a law that permits statements to be made under penalty of perjury as a substitute for notarization.

Contesting Record Procedures:

A passenger who, having accessed his or her records in this system, wishes to contest or seek amendment of those records should direct a written request to the TSA Privacy Officer, Transportation Security Administration (TSA-9), 601 South 12th Street, Arlington, VA 22202. The request should include the requestor’s full name, current address, and date and place of birth, as well as a copy of the record in question, and a detailed explanation of the change sought. If the TSA Privacy Officer cannot resolve the matter, further appeal for resolution may be made to the DHS Privacy Officer. While the Privacy Act does not cover non-U.S. persons, such persons will still be afforded the same access and redress remedies.

Record Source Categories:

Information contained in the system is obtained from U.S. aircraft operators, other Federal agencies, including Federal law enforcement and intelligence agencies, and commercial data providers.

Exemptions Claimed for the System:

Portions of this system are exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G) and (H), and (f) pursuant to 5 U.S.C. 552a(k)(1) and (k)(2).

Issued in Arlington, VA, on [blank]

Lisa S. Dean
Privacy Officer

[Federal Register: September 24, 2004 (Volume 69, Number 185)]
[Notices]
[Page 57348-57352]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr24se04-117]

-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

[Docket No. TSA-2004-19166]


Privacy Act of 1974: Systems of Records; Transportation Security
Threat Assessment System (T-STAS); Transportation Worker Identification
Credentialing (TWIC) System

AGENCY: Transportation Security Administration (TSA), DHS.

ACTION: Notice to alter two existing systems of records; request for
comments.

-----------------------------------------------------------------------

SUMMARY: TSA is altering two existing systems of records under the
Privacy Act of 1974.

DATES: Comments due on October 25, 2004.

ADDRESSES: Address your comments to the Docket Management System, U.S.
Department of Transportation (DOT), Room Plaza 401, 400 Seventh Street,
SW., Washington, DC 20590-0001. You must identify the docket number
TSA-2004-19166 at the beginning of your comments, and you should submit
two copies of your comments. If you wish to receive confirmation that
TSA received your comments, include a self-addressed, stamped postcard.
    You may also submit comments through the Internet at http://dms.dot.gov.
 Please be aware that anyone is able to search the

electronic form of all comments received into any of these dockets by
the name of the individual submitting the comment (or signing the
comment, if submitted on behalf of an association, business, labor
union, etc.). You may review DOT's complete Privacy Act Statement in
the Federal Register published on April 11, 2000 (Volume 65, Number 70;
Pages 19477-78) or you may visit http://dms.dot.gov. You may also

review the public docket containing comments in person at the Dockets
Office between 9 a.m. and 5 p.m., Monday through Friday, except Federal
holidays. The Dockets Office is on the plaza level of the NASSIF
Building at the Department of Transportation at the above address.

FOR FURTHER INFORMATION CONTACT: Conrad Huygen, Privacy Act Officer,
Office of Information Management Programs, TSA Headquarters, TSA-17,
601 S. 12th Street, Arlington, VA 22202-4220; telephone (571) 227-1954;
facsimile (571) 227-2906.

SUPPLEMENTARY INFORMATION: TSA is altering two existing systems of
records under the Privacy Act of 1974. The first system, the
Transportation Security

[[Page 57349]]

Threat Assessment System (DHS/TSA 002), facilitates the performance of
threat assessments and employment investigations on individuals who
require special access to the transportation system and was published
in the Federal Register on August 18, 2003, as the Transportation
Workers Employment Investigations System. See 68 FR 49496, 49498. The
system name has been changed and the categories of individuals,
categories of records, and purposes of the system expanded to cover
threat assessments performed on individuals seeking flight training,
temporary flight restriction waivers, and access to cargo-related
infrastructure and other transportation-related activities. The routine
uses have also been amended to allow for the disclosure of records
related to these new activities, to include state and local
transportation agencies, when compatible with the purposes for which
the information was collected. TSA may now also share information with
the appropriate agency when individuals pose or are suspected of posing
a risk to transportation or national security. Records may also be
retrieved using biometric identifiers.
    The second system, the Transportation Worker Identification
Credentialing (TWIC) System (DHS/TSA 012), facilitates the testing and
evaluation of certain technologies and business processes associated
with access control for transportation workers requiring unescorted
access to secure areas of transportation facilities and was first
published in the Federal Register on August 18, 2003. See 68 FR 49496,
49507. The system notice is being changed to reflect the expanded
location of the records in the TWIC Prototype Phase and the routine
uses have been amended to allow for the disclosure of records to state
and local transportation agencies when compatible with the purposes for
which the information was collected. TSA may now also share information
with the appropriate agency when individuals pose or are suspected of
posing a risk to transportation or national security. The complete
revised notices of both systems of records follow.
TRANSPORTATION AND SECURITY ADMINISTRATION
DHS/TSA 002

System name:
    Transportation Security Threat Assessment System (T-STAS).

Security classification:
    Classified, Sensitive.

System location:
    Records are maintained at the offices of the Transportation
Security Administration (TSA) Headquarters in Arlington, Virginia. Some
records may also be maintained at the offices of TSA contractors, or in
TSA field offices.

Categories of individuals covered by the system:
    Individuals who are required to undergo a security threat
assessment or employment investigation in order to obtain access to the
following: Transportation infrastructure or assets, such as terminals,
facilities, pipelines, railways, mass transit, vessels, aircraft, or
vehicles; restricted airspace; passenger baggage; cargo; or
transportation-related instruction or training (such as flight
training). This includes but is not limited to the following
individuals:
    (a) Individuals who require or seek access to airport secured,
sterile, or a Security Identification Display Area (SIDA); have or seek
unescorted access authority to these areas; have or seek authority to
grant others unescorted access to these areas; have or seek regular
escorted access to these areas; or are seeking identification that is
evidence of employment at the airport.
    (b) Individuals who have or are seeking responsibility for
screening passengers or carry-on baggage, and those persons serving as
immediate supervisors and the next supervisory level to those
individuals, other than employees of the TSA who perform or seek to
perform these functions.
    (c) Individuals who have or are seeking responsibility for
screening checked baggage or cargo, and their immediate supervisors,
and the next supervisory level to those individuals, other than
employees of the TSA who perform or seek to perform these functions.
    (d) Individuals who have or are seeking the authority to accept
checked baggage for transport on behalf of an aircraft operator that is
required to screen passengers.
    (e) Pilots, copilots, flight engineers, flight navigators, airline
personnel authorized to fly in the cockpit, relief or deadheading
crewmembers, cabin crew, and other flight crew for an aircraft operator
or foreign air carrier that is required to adopt and carry out a
security program.
    (f) Flight crews and passengers who request waivers of temporary
flight restrictions (TFRs) or other restrictions pertaining to
airspace.
    (g) Other individuals who are connected to the transportation
industry for whom TSA conducts security threat assessments to ensure
transportation security.
    (h) Individuals who have or are seeking unescorted access to cargo
in the transportation system.
    (i) Individuals who are owners, officers, or directors of an
indirect air carrier or a business seeking to become an indirect air
carrier.
    (j) Aliens or other individuals designated by TSA who apply for
flight training or recurrent training.
    (k) Individuals transported on all-cargo aircraft, including
aircraft operator or foreign air carrier employees and their family
members and persons transported for the flight.

Categories of records in the system:
    TSA's system may contain any or all of the following information
regarding individuals covered by this system: (a) Full name (including
aliases or variations of spelling); (b) gender; (c) current and
historical contact information (including but not limited to address
information, telephone number, e-mail); (d) government issued licensing
or identification information (including but not limited to social
security number, pilot certificate information, including number and
country of issuance, and other licensing information for modes of
transportation); (e) date and place of birth; (f) name and information
including contact information and identifying number (if any) of the
airport, aircraft operator, indirect air carrier, maritime or land
transportation operator, or other employer or entity that is employing
the individual or submitting the individual's information or sponsoring
the individual's background check/threat assessment; (g) physical
description, fingerprint and/or other biometric identifier and
photograph; (h) date, place, and type of flight training or other
instruction; (i) control number or other unique identification number
assigned to an individual or credential; (j) information necessary to
assist in tracking submissions, payments, and transmission of records;
(k) results of any analysis performed for security threat assessments
and adjudications; (l) other data as required by Form FD 258
(fingerprint card) or other standard fingerprint cards used by the
Federal government; (m) information provided by individuals covered by
this system in support of their application for an appeal or waiver;
(n) flight information, including crew status on board; (o) travel
document information (including but not limited to passport
information, including number and country of issuance, and current and
past

[[Page 57350]]

citizenship information and immigration status, any alien registration
numbers, and any visa information); (p) identification records obtained
from the Federal Bureau of Investigation (FBI), which are compilations
of criminal history record information pertaining to individuals who
have criminal fingerprints maintained in the FBI's Fingerprint
Identification Records System (FIRS); (q) data gathered from foreign
governments or entities that is necessary to address security concerns
in the aviation, maritime, or land transportation systems; (r) other
information provided by Federal, State, and local government agencies
or private entities; (s) the individual's level of access at an
airport.

Authority for maintenance of the system:
    49 U.S.C. 114, 5103a, 40103(b)(3), 40113(a), 44903(b), 44936,
44939, 46105.

Purpose(s):
    (a) Performance of security threat assessments and employment
investigations that Federal statutes and/or TSA regulations authorize
for the individuals identified in ``Categories of individuals covered
by the system,'' above.
    (b) To assist in the management and tracking of the status of
security threat assessments and employment investigations.
    (c) To permit the retrieval of the results of security threat
assessments and employment investigations, including criminal history
records checks and searches in other governmental, commercial, and
private data systems, performed on the individuals covered by this
system.
    (d) To permit the retrieval of information from other terrorist-
related, law enforcement and Intelligence databases on the individuals
covered by this system.
    (e) To track the fees incurred and payment of those fees by the
airport operators, aircraft operators, maritime and land transportation
operators, flight students, and others where appropriate for services
related to security threat assessments and employment investigations.
    (f) To facilitate the performance of security threat assessments
and other investigations that TSA may conduct to ensure transportation
security.

Routine uses of records maintained in the system, including categories
of users and the purposes of such uses:
    (1) To the United States Department of Transportation, its
operating administrations, or the appropriate state or local agency
when relevant or necessary to: (a) Ensure safety and security in any
mode of transportation; (b) enforce safety- and security-related
regulations and requirements; (c) assess and distribute intelligence or
law enforcement information related to transportation security; (d)
assess and respond to threats to transportation; (e) oversee the
implementation and ensure the adequacy of security measures at airports
and other transportation facilities; (f) plan and coordinate any
actions or activities that may affect transportation safety and
security or the operations of transportation operators; or (g) the
issuance, maintenance, or renewal of a license, endorsement,
certificate, contract, grant, or other benefit.
    (2) To the appropriate Federal, State, local, tribal, territorial,
foreign, or international agency responsible for investigating,
prosecuting, enforcing, or implementing a statute, rule, regulation, or
order, where TSA becomes aware of an indication of a violation or
potential violation of civil or criminal law or regulation.
    (3) To the appropriate Federal, State, local, tribal, territorial,
foreign, or international agency regarding individuals who pose or are
suspected of posing a risk to transportation or national security.
    (4) To contractors, grantees, experts, consultants, volunteers, or
other like persons when necessary to perform a function or service
related to this system of records for which they have been engaged.
Such recipients are required to comply with the Privacy Act, 5 U.S.C.
552a, as amended.
    (5) To a Federal, State, local, tribal, territorial, foreign, or
international agency, where such agency has requested information
relevant or necessary for the hiring or retention of an individual, or
the issuance of a security clearance, license, endorsement, contract,
grant, waiver, credential, or other benefit.
    (6) To a Federal, State, local, tribal, territorial, foreign, or
international agency, if necessary to obtain information relevant to a
TSA decision concerning the hiring or retention of an employee, the
issuance of a security clearance, license, endorsement, contract,
grant, waiver, credential, or other benefit.
    (7) To international and foreign governmental authorities in
accordance with law and formal or informal international agreement.
    (8) To third parties during the course of a security threat
assessment, employment investigation, or adjudication of a waiver or
appeal request, to the extent necessary to obtain information pertinent
to the assessment, investigation, or adjudication.
    (9) To airport operators, indirect air carriers, aircraft
operators, flight school operators, and maritime and land
transportation operators or contractors about individuals who are their
employees, job applicants, or contractors, or persons to whom they
issue identification credentials or grant clearances to secured areas
in transportation facilities, or provide flight training, when relevant
to such employment, application, contract, or the issuance of such
credentials, clearances, or acceptance for flight training.
    (10) To a Federal, State, local, tribal, territorial, foreign, or
international agency so that TSA may obtain information to conduct
security threat assessments or employment investigations and to
facilitate any associated payment and accounting.
    (11) To the Department of Justice (DOJ) or other Federal agency in
the review, settlement, defense, and prosecution of claims, complaints,
and lawsuits involving matters over which TSA exercises jurisdiction or
when conducting litigation or in proceedings before any court,
adjudicative or administrative body, when: (a) TSA, or (b) any employee
of TSA in his/her official capacity, or (c) any employee of TSA in his/
her individual capacity where DOJ or TSA has agreed to represent the
employee, or (d) the United States or any agency thereof, is a party to
the litigation or has an interest in such litigation, and TSA
determines that the records are both relevant and necessary to the
litigation and the use of such records is compatible with the purpose
for which TSA collected the records.
    (12) To a congressional office from the record of an individual in
response to an inquiry from that congressional office made at the
request of the individual.
    (13) To the National Archives and Records Administration or other
appropriate Federal agency pursuant to records management inspections
being conducted under the authority of 44 U.S.C. 2904 and 2906.

Disclosure to consumer reporting agencies:
    None.

Policies and practices for storing, retrieving, accessing, retaining,
and disposing of records in the system:
Storage:
    In electronic storage media and hard copy.

[[Page 57351]]

Retrievability:
    Information can be retrieved by name, social security number,
identifying number of the submitting or sponsoring entity, other case
number assigned by TSA or other entity/agency, biometric, or a unique
identification number or any other identifying particular assigned or
belonging to the individual.

Safeguards:
    All records are protected from unauthorized access through
appropriate administrative, physical, and technical safeguards. These
safeguards include some or all of the following: restricting access to
those authorized with a need-to-know; using locks, alarm devices, and
passwords; compartmentalizing databases; auditing software; and
encrypting data communications.

Retention and disposal:
    National Archives and Records Administration approval is pending
for the records in this system.

System manager(s) and address:
    Assistant Director for Compliance, Credentialing Program Office,
TSA-19, 601 S. 12th Street, Arlington, VA 22202-4220.

Notification procedure:
    To determine whether this system contains records relating to you,
write to the System Manager identified above.

Record access procedure:
    Same as ``Notification Procedure'' above. Provide your full name
and a description of information that you seek, including the time
frame during which the record(s) may have been generated. Individuals
requesting access must comply with the Department of Homeland Security
Privacy Act regulations on verification of identity (6 CFR 5.21(d)).

Contesting record procedure:
    Same as ``Notification Procedure'' and ``Record Access Procedure''
above.

Record source categories:
    Information is collected from individuals subject to a security
threat assessment or employment investigation; from aviation, maritime,
and land transportation operators, flight schools, or other persons
sponsoring the individual; and any other persons, including commercial
entities, that may have information that is relevant or necessary to
the assessment or investigation. Information about individuals is also
used or collected from domestic and international intelligence sources
and other governmental, private, and public databases. The sources of
information in the criminal history records obtained from the FBI are
set forth in the Privacy Act system of records notice ``JUSTICE/FBI-
009.''

Exemptions claimed for the system:
    Portions of this system are exempt under 5 U.S.C. 552a(k)(1) and
(k)(2).
DHS/TSA 012

System name:
    Transportation Worker Identification Credentialing (TWIC) System.

Security classification:
    Unclassified.

System locations:
    Records will be maintained in a secure, centralized location for
selected transportation facilities within three geographic regions:
Delaware River and Bay, Los Angeles/Long Beach, California, and the
State of Florida. Locations within the Los Angeles/Long Beach region
include Carson, CA; Terminal Island, CA; Oakland, CA; San Pedro, CA;
Long Beach, CA; and Los Angeles, CA. Locations within the Delaware
River and Bay area include Philadelphia, PA; Islip, NY; Camden, NJ; and
Wilmington, DE. Locations within Florida include Pensacola, Panama
City, St. Joe, Amelia Island, Jacksonville, Tampa, St. Petersburg,
Palmetto, Cape Canaveral, Ft. Pierce, Riviera Beach, Fort Lauderdale,
Miami, and Key West.

Categories of individuals covered by the system:
    Transportation workers and individuals, and/or authorized visitors,
participating in the Prototype Phase of the Transportation Worker
Identification Credential (TWIC) Program who are authorized unescorted
entry to secure transportation areas.

Categories of records in the system:
    This system will contain a minimum amount of information during the
TWIC Prototype Phase and may include: (1) Individual's name; (2) other
demographic data to include: address, phone number, social security
number, date of birth, and place of birth; (3) administrative
identification codes and unique card serial number; (4) systems
identification codes; (5) company/organization or affiliation; (6)
issue date; (7) biometric data and digital photograph; (8) access level
information; (9) copies of documents that verify address and identity,
such as birth certificates, government photo identification, drivers
licenses and the like, and (10) expiration date.

Authority for maintenance of the system:
    49 U.S.C. 114; 49 U.S.C. 44903(g); 46 U.S.C. 70105.

Purpose(s):
    In cooperation with transportation facility operators, the records
are maintained to evaluate and test certain technologies and business
processes in the Prototype Phase of TSA's pilot project to develop a
TWIC to improve identity management and access control for
transportation workers requiring unescorted access to secure areas of
transportation facilities. Additionally, TSA will use certain data
elements to support the development and operation of site specific
security plans at local transportation facilities. This system is not
intended to cover security threat assessments that will be conducted on
individuals who seek to obtain a TWIC. Records pertaining to security
threat assessments conducted on volunteers of this pilot are maintained
in DHS/TSA 002, the Transportation Security Threat Assessment System
(T-STAS).

Routine uses of records maintained in the system, including categories
of users and the purposes of such uses:
    (1) To the appropriate Federal, State, local, tribal, territorial,
foreign, or international agency responsible for investigating,
prosecuting, enforcing, or implementing a statute, rule, regulation, or
order, where TSA becomes aware of an indication of a violation or
potential violation of civil or criminal law or regulation.
    (2) To a Federal, State, local, tribal, territorial, foreign, or
international agency, where such agency has requested information
relevant or necessary for the hiring or retention of an individual as
an employee or a contractor, or the issuance of a security clearance or
license.
    (3) To a Federal, State, local, tribal, territorial, foreign, or
international agency, if necessary to obtain information relevant to a
TSA decision concerning the hiring or retention of an employee, the
issuance of a security clearance, license, contract, grant, or other
benefit.
    (4) To a congressional office from the record of an individual in
response to an inquiry from that congressional office made at the
request of the individual.
    (5) To international and foreign governmental authorities in
accordance with law and formal or informal international agreement.
    (6) To the Department of Justice (DOJ) or other Federal agency in
the review, settlement, defense, and prosecution of claims, complaints,
and lawsuits involving matters over which TSA

[[Page 57352]]

exercises jurisdiction or when conducting litigation or in proceedings
before any court, adjudicative or administrative body, when: (a) TSA,
or (b) any employee of TSA in his/her official capacity, or (c) any
employee of TSA in his/her individual capacity where DOJ or TSA has
agreed to represent the employee, or (d) the United States or any
agency thereof, is a party to the litigation or has an interest in such
litigation, and TSA determines that the records are both relevant and
necessary to the litigation and the use of such records is compatible
with the purpose for which TSA collected the records.
    (7) To the National Archives and Records Administration or other
appropriate Federal agency pursuant to records management inspections
being conducted under the authority of 44 U.S.C. 2904 and 2906.
    (8) To the United States Department of Transportation, its
operating administrations, or the appropriate state or local agency
when relevant or necessary to: (a) Ensure safety and security in any
mode of transportation; (b) enforce safety- and security-related
regulations and requirements; (c) assess and distribute intelligence or
law enforcement information related to transportation security; (d)
assess and respond to threats to transportation; (e) oversee the
implementation and ensure the adequacy of security measures at airports
and other transportation facilities; (f) plan and coordinate any
actions or activities that may affect transportation safety and
security or the operations of transportation operators; or (g) the
issuance, maintenance, or renewal of a license, certificate, contract,
grant, or other benefit.
    (9) To TSA contractors, agents, grantees, experts, consultants, or
other like persons when necessary to perform a function or service
related to this system of records for which they have been engaged.
Such recipients are required to comply with the Privacy Act, 5 U.S.C.
552a, as amended.
    (10) To third parties during the course of an investigation into
violations or potential violations of transportation security laws to
the extent necessary to obtain information pertinent to the
investigation.
    (11) To airport operators, aircraft operators, and maritime and
land transportation operators and contractors about individuals who are
their employees, job applicants, or contractors, or persons to whom
they issue identification credentials or grant clearances or access to
secured areas in transportation facilities when relevant to such
employment, application, contract, the issuance of such credentials or
clearances, or access to such secure areas.
    (12) To the appropriate Federal, State, local, tribal, territorial,
foreign, or international agency regarding individuals who pose or are
suspected of posing a risk to transportation or national security.

Policies and practices for storing, retrieving, accessing, retaining,
and disposing of records in the system:
Storage:
    Paper, bar code, magnetic stripe, optical memory, disk, integrated
circuit chip (ICC), and electronic media.

Retrievability:
    Data records contained within bar codes, magnetic stripe, optical
memory stripe, disk, ICC, and/or electronic media may be retrieved by
the individuals' name, unique card number, or organization; paper
records, where applicable, are retrieved alphabetically by name.

Safeguards:
    Unauthorized personnel are denied physical access to the location
where records are stored. For computerized records, safeguards
established in accordance with generally acceptable information
security guidelines via use of security codes, passwords, Personal
Identification Numbers (PINs), etc. Data security and integrity
safeguards will be observed during data transmission to the database
using strong encryption and digital signing methodologies.

Retention and disposal:
    Record disposition authority for these records is pending at the
National Archives and Records Administration.

System manager(s) and address:
    Assistant Director for Compliance, Credentialing Program Office,
TSA Headquarters, TSA-19, 601 S. 12th Street, Arlington, VA 22202-4220.

Notification procedure:
    To determine if this system contains a record relating to you,
write to the system manager at the address indicated above and provide
your full name, current address, date of birth, place of birth, and a
description of information that you seek, including the time frame
during which the record(s) may have been generated. You may also
provide your Social Security Number or other unique identifier(s) but
you are not required to do so. Individuals requesting access must
comply with the Department of Homeland Security's Privacy Act
regulations on verification of identity (6 CFR 5.21(d)).

Record access procedure:
    Same as ``notification procedure,'' above.

Contesting record procedure:
    Same as ``notification procedure,'' above.

Record source categories:
    TSA obtains information in this system from the individuals who are
covered by the system, their employers, or their transportation
facility.

Exemptions claimed for the system:
    None.

    Issued in Arlington, Virginia, on September 20, 2004.
Susan T. Tracey,
Chief Administrative Officer.
[FR Doc. 04-21481 Filed 9-23-04; 8:45 am]

BILLING CODE 4910-62-P