Privacy Act of 1974; System of Records, 64543-64546 [06-9026]

Agencies

• Office of the Secretary
• DEPARTMENT OF HOMELAND SECURITY

[Federal Register Volume 71, Number 212 (Thursday, November 2, 2006)]
[Notices]
[Pages 64543-64546]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-9026]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

[DHS-2006-0060]


Privacy Act of 1974; System of Records

AGENCY: Privacy Office, Department of Homeland Security.

ACTION: Notice of Privacy Act system of records.

-----------------------------------------------------------------------

SUMMARY: To provide expanded notice and transparency to the public, the 
Department of Homeland Security, U.S. Customs and Border Protection 
gives notice regarding the Automated Targeting System, which is the 
enforcement screening module associated with the Treasury Enforcement 
Communications System and was previously covered by the Treasury 
Enforcement Communications System ``System of Records Notice.'' This 
system of records is subject to the Privacy Act of 1974, as amended (5 
U.S.C. 552a).
    The Treasury Enforcement Communications System is established as an 
overarching law enforcement information collection, targeting, and 
sharing environment. This environment is comprised of several modules 
designed to collect, maintain, and screen data, conduct targeting, and 
share information. Among these modules, the Automated Targeting System 
performs screening of both inbound and outbound cargo, travelers, and 
conveyances. As part of this screening function, the Automated 
Targeting System compares information obtained from the public with a 
set series of queries designed to permit targeting of conveyances, 
goods, cargo, or persons to facilitate DHS's border enforcement 
mission.
    The risk assessment and links to information upon which the 
assessment is based, which are stored in the Automated Targeting 
System, are created from existing information in a number of sources, 
including, but not limited to: the trade community through the 
Automated Commercial System or its successor; the Automated Commercial 
Environment system; the traveling public through information submitted 
by their carrier to the Advance Passenger Information System; persons 
crossing the United States land border by automobile or on foot; the 
Treasury Enforcement Communications System, or its successor; or law 
enforcement information maintained in other parts of the Treasury 
Enforcement Communications System that pertain to persons, goods, or 
conveyances.
    As part of the information it accesses for screening, Passenger 
Name Record (PNR) information, which is currently collected pursuant to 
an existing CBP regulation (19 CFR 122.49d) from both inbound and 
outbound travelers through the carrier upon which travel occurs, is 
stored in the Automated Targeting System. PNR is comprised of data 
which carriers collect as a matter of their usual business practice in 
negotiating and arranging the travel transaction.
    As noted above, this system of records notice does not identify or 
create any new collection of information, rather DHS is providing 
additional notice and transparency of the functionality of these 
systems.

DATES: The new system of records will be effective December 4, 2006, 
unless comments are received that result in a contrary determination.

ADDRESSES: You may submit comments, identified by docket number, by one 
of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments via docket number DH6-
2006-0060.
     Fax: 202-572-8727.
     Mail: Comments by mail are to be addressed to the Border 
Security Regulations Branch, Office of Regulations and Rulings, Bureau 
of Customs and Border Protection, 1300 Pennsylvania Avenue, NW. (Mint 
Annex), Washington, DC 20229. Comments by mail may also be submitted to 
Hugo Teufel III, Chief Privacy Officer, Department of Homeland 
Security, 601 S. 12th Street, Arlington, VA 22202-4220.
     Instructions: All submissions received must include the 
agency name and docket number for this rulemaking. All comments 
received will be posted without change to https://www.regulations.gov, 
including any personal information provided.
     Docket: For access to the docket to read background 
documents or comments received go to https://www.regulations.gov. 
Submitted comments may also be inspected during regular business days 
between the hours of 9 a.m. and 4:30 p.m. at the Regulations Branch, 
Office of Regulations and Rulings, Bureau of Customs and Border 
Protection, 799 9th Street, NW., 5th Floor, Washington, DC. 
Arrangements to inspect submitted comments should be made in advance by 
calling Mr. Joseph Clark at (202) 572-8768.

[[Page 64544]]


FOR FURTHER INFORMATION CONTACT: For general questions please contact: 
Laurence E. Castelli (202-572-8790), Chief, Privacy Act Policy and 
Procedures Branch, Bureau of Customs and Border Protection, Office of 
Regulations & Rulings, Mint Annex, 1300 Pennsylvania Ave., NW., 
Washington, DC 20229. For privacy issues please contact: Hugo Teufel 
III (571-227-3813), Chief Privacy Officer, Privacy Office, U.S. 
Department of Homeland Security, Washington, DC 20528.

SUPPLEMENTARY INFORMATION: Bureau of Customs and Border Protection 
(CBP), Department of Homeland Security (DHS), has traditionally relied 
on computerized cargo screening processes to aid the CBP inspection 
workforce in the cargo release process. Separately, CBP has used the 
advance submission of traveler information to aid in screening 
travelers to facilitate its border enforcement mission. The Automated 
Targeting System (ATS) associates information obtained from CBP's 
cargo, travelers, and border enforcement systems with a level of risk 
posed by each item and person as determined through the rule based 
query of the cargo or personal information accessed by ATS.
    The Privacy Act embodies fair information principles in a statutory 
framework governing the means by which the United States Government 
collects, maintains, uses, and disseminates personally identifiable 
information. The Privacy Act applies to information that is maintained 
in a ``system of records.'' A ``system of records'' is a group of any 
records under the control of an agency from which information is 
retrieved by the name of the individual or by some identifying number, 
symbol, or other identifying particular assigned to the individual. In 
the Privacy Act, an individual is defined to encompass United States 
citizens and legal permanent residents. ATS involves the collection and 
creation of information that is maintained in a system of records.
    Previously, this information was covered by the Treasury 
Enforcement Communications System (TECS) system of records notice, as 
ATS is a functional module associated with the environment of TECS. ATS 
is employed as an analytical tool to enhance CBP screening and 
targeting capabilities by permitting query-based comparisons of 
different data modules associated with the TECS system, as well as 
comparisons with data sets from sources outside of TECS. As part of 
DHS's updating of its system of records notices and in an effort to 
provide more detailed information to the traveling public and trade 
community, CBP has determined that ATS should be noticed as a separate 
system of records, giving greater visibility into its targeting and 
screening efforts.
    The Privacy Act requires each agency to publish in the Federal 
Register a description denoting the type and character of each system 
of records that the agency maintains, and the routine uses that are 
contained in each system in order to make agency recordkeeping 
practices transparent, to notify individuals regarding the uses to 
which personally identifiable information is put, and to assist the 
individual to more easily find such files within the agency.
    DHS is hereby publishing a description of the system of records 
referred to as the Automated Targeting System. In accordance with 5 
U.S.C. 552a(r), a report concerning this record system has been sent to 
the Office of Management and Budget and to the Congress.
DHS/CBP-006

SYSTEM NAME:
    Automated Targeting System (ATS)--DHS/CBP.

SYSTEM LOCATION:
    This computer database is located at the Bureau of Customs and 
Border Protection (CBP) National Data Center in Washington, DC. 
Computer terminals are located at customhouses, border ports of entry, 
airport inspection facilities under the jurisdiction of the Department 
of Homeland Security (DHS) and other locations at which DHS authorized 
personnel may be posted to facilitate DHS's mission.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    A. Persons seeking to enter or exit the United States;
    B. Persons who engage in any form of trade or other commercial 
transaction related to the importation or exportation of merchandise;
    C. Persons who are employed in any capacity related to the transit 
of merchandise intended to cross the United States border; and
    D. Persons who serve as operators, crew, or passengers on any 
vessel, vehicle, aircraft, or train who enters or exits the United 
States.

CATEGORIES OF RECORDS IN THE SYSTEM:
    ATS builds a risk assessment for cargo, conveyances, and travelers 
based on criteria and rules developed by CBP. ATS maintains the 
resulting assessment together with a record of which rules were used to 
develop the assessment. With the exception of PNR information, 
discussed below, ATS maintains a pointer or reference to the underlying 
records from other systems that resulted in a particular assessment. 
This assessment and related rules history associated with developing a 
risk assessment for an individual are maintained for up to forty years 
to support ongoing targeting requirements.
    ATS--P (Automated Targeting System--Passenger), a component of ATS, 
maintains the PNR information obtained from commercial carriers for 
purposes of assessing the risk of international travelers. PNR may 
include such items as:
     PNR record locator code,
     Date of reservation,
     Date(s) of intended travel,
     Name,
     Other names on PNR,
     Number of travelers on PNR,
     Seat information,
     Address,
     All forms of payment information,
     Billing address,
     Contact telephone numbers,
     All travel itinerary for specific PNR,
     Frequent flyer information,
     Travel agency,
     Travel agent,
     Code share PNR information,
     Travel status of passenger,
     Split/Divided PNR information,
     Identifiers for free tickets,
     One-way tickets,
     E-mail address,
     Ticketing field information,
     Automated Ticketing Fare Quote (ATFQ) fields,
     General remarks,
     Ticket number,
     Seat number,
     Date of ticket issuance,
     Any collected APIS information,
     No show history,
     Number of bags,
     Bag tag numbers,
     Go show information,
     Number of bags on each segment,
     Other Supplementary information (OSI),
     Special Services information (SSI),
     Special Services Request (SSR),
     Voluntary/involuntary upgrades,
     Received from information, and
     All historical changes to the PNR
    Not all carriers maintain the same sets of information for PNR.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    19 U.S.C. 482, 1461, 1496, and 1581-1582, 8 U.S.C. 1357, Title VII 
of Public Law 104-208, and 49 U.S.C. 44909.

Purpose(s):
    (a) To perform targeting of individuals, including passengers and

[[Page 64545]]

crew, focusing CBP resources by identifying persons who may pose a risk 
to border security, may be a terrorist or suspected terrorist, or may 
otherwise be engaged in activity in violation of U.S. law;
    (b) To perform targeting of conveyances and cargo to focus CBP's 
resources for inspection and examination and enhance CBP's ability to 
identify potential violations of U.S. law, possible terrorist threats, 
and other threats to border security; and
    (c) To assist in the enforcement of the laws enforced or 
administered by DHS, including those related to counterterrorism.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DHS as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    A. To appropriate Federal, state, local, tribal, or foreign 
governmental agencies or multilateral governmental organizations 
responsible for investigating or prosecuting the violations of, or for 
enforcing or implementing, a statute, rule, regulation, order, or 
license, where CBP believes the information would assist enforcement of 
civil or criminal laws;
    B. To appropriate Federal, state, local, tribal, or foreign 
governmental agencies maintaining civil, criminal, or other relevant 
enforcement information or other pertinent information, which has 
requested information relevant or necessary to the requesting agency's 
hiring or retention of an individual, or issuance of a security 
clearance, license, contract, grant, or other benefit and disclosure is 
appropriate to the proper performance of the official duties of the 
person making the disclosure;
    C. To a court, magistrate, or administrative tribunal in the course 
of presenting evidence, including disclosures to opposing counsel or 
witnesses in the course of civil discovery, litigation, or settlement 
negotiations, or in response to a subpoena, or in connection with 
criminal law proceedings;
    D. To third parties during the course of a law enforcement 
investigation to the extent necessary to obtain information pertinent 
to the investigation, provided disclosure is appropriate to the proper 
performance of the official duties of the officer making the 
disclosure;
    E. To an agency, organization, or individual for the purposes of 
performing audit or oversight operations as authorized by law;
    F. To a Congressional office, for the record of an individual in 
response to an inquiry from that Congressional office made at the 
request of the individual to whom the record pertains;
    G. To contractors, grantees, experts, consultants, students, and 
others performing or working on a contract, service, grant, cooperative 
agreement, or other assignment for the Federal government, when 
necessary to accomplish an agency function related to this system of 
records, in compliance with the Privacy Act of 1974, as amended;
    H. To an organization or individual in either the public or private 
sector, either foreign or domestic, where there is a reason to believe 
that the recipient is or could become the target of a particular 
terrorist activity or conspiracy, to the extent the information is 
relevant to the protection of life or property and disclosure is 
appropriate to the proper performance of the official duties of the 
person making the disclosure;
    I. To the United States Department of Justice (including United 
States Attorney offices) or other Federal agency conducting litigation 
or in proceedings before any court, adjudicative or administrative 
body, when it is necessary to the litigation and one of the following 
is a party to the litigation or has an interest in such litigation: (a) 
DHS, or (b) any employee of DHS in his/her official capacity, or (c) 
any employee of DHS in his/her individual capacity where DOJ or DHS has 
agreed to represent said employee, or (d) the United States or any 
agency thereof;
    J. To the National Archives and Records Administration or other 
Federal government agencies pursuant to records management inspections 
being conducted under the authority of 44 U.S.C. 2904 and 2906;
    K. To appropriate Federal, state, local, tribal, or foreign 
governmental agencies, if necessary to obtain information relevant to a 
DHS decision concerning the hiring or retention of an employee, the 
issuance of a security clearance, the reporting of an investigation of 
an employee, the letting of a contract, or the issuance of a license, 
grant or other benefit and disclosure is appropriate to the proper 
performance of the official duties of the individual making the 
disclosure;
    L. To appropriate Federal, State, local, tribal, or foreign 
governmental agencies or multilateral governmental organizations, for 
purposes of assisting such agencies or organizations in preventing 
exposure to or transmission of a communicable or quarantinable disease 
or for combatting other significant public health threats;
    M. To Federal and foreign government intelligence or 
counterterrorism agencies or components where CBP becomes aware of an 
indication of a threat or potential threat to national or international 
security, or where such use is to assist in anti-terrorism efforts and 
disclosure is appropriate to the proper performance of the official 
duties of the person making the disclosure;
    N. To appropriate Federal, State, local, tribal, or foreign 
governmental agencies or multilateral governmental organizations where 
CBP is aware of a need to utilize relevant data for purposes of testing 
new technology and systems designed to enhance border security or 
identify other violations of law;
    O. To appropriate agencies, entities, and persons when (1) it is 
suspected or confirmed that the security or confidentiality of 
information in the system of records has been compromised; (2) CBP has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of harm to economic or property interests, identity 
theft or fraud, or harm to the security or integrity of this system or 
other systems or programs (whether maintained by CBP or another agency 
or entity) that rely upon the compromised information; and (3) the 
disclosure is made to such agencies, entities, and persons when 
reasonably necessary to assist in connection with the CBP's efforts to 
respond to the suspected or confirmed compromise and prevent, minimize, 
or remedy such harm.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    The data is stored electronically at the National Data Center for 
current data and offsite at an alternative data storage facility for 
historical logs and system backups.

RETRIEVABILITY:
    The data is retrievable by name or personal identifier from an 
electronic database.

SAFEGUARDS:
    All records are protected from unauthorized access through 
appropriate administrative, physical, and technical safeguards. These 
safeguards include all of the following: restricting access to those 
with a ``need to know''; using locks, alarm devices,

[[Page 64546]]

and passwords; compartmentalizing databases; auditing software; and 
encrypting data communications.
    ATS also monitors source systems for changes to the source data. 
The system manager, in addition, has the capability to maintain system 
back-ups for the purpose of supporting continuity of operations and the 
discrete need to isolate and copy specific data access transactions for 
the purpose of conducting security incident investigations. ATS 
information is secured in full compliance with the requirements of the 
DHS IT Security Program Handbook. This handbook establishes a 
comprehensive information security program.
    Access to the risk assessment results and related rules is 
restricted to a limited number of authorized government personnel who 
have gone through extensive training on the appropriate use of this 
information and CBP policies, including for security and privacy. These 
individuals are trained to review the risk assessments and background 
information to identify individuals who may likely pose a risk. To 
ensure that ATS is being accessed and used appropriately, audit logs 
are created and reviewed routinely by CBP's Office of Internal Affairs.

RETENTION AND DISPOSAL:
    The information initially collected in ATS is used for entry 
screening purposes. Records in this system will be retained and 
disposed of in accordance with a records schedule to be approved by the 
National Archives and Records Administration. ATS both collects 
information directly, and derives other information from various 
systems. To the extent information is collected from other systems, 
data is retained in accordance with the record retention requirements 
of those systems.
    The retention period for data specifically maintained in ATS will 
not exceed forty years at which time it will be deleted from ATS. Up to 
forty years of data retention may be required to cover the potentially 
active lifespan of individuals associated with terrorism or other 
criminal activities. The touchstone for data retention, however, is its 
relevance and utility. Accordingly, CBP will regularly review the data 
maintained in ATS to ensure its continued relevance and usefulness. If 
no longer relevant and useful, CBP will delete the information. All 
risk assessments need to be maintained because the risk assessment for 
individuals who are deemed low risk will be relevant if their risk 
profile changes in the future, for example, if terrorist associations 
are identified. Additionally, certain data collected directly by ATS 
may be subject to shorter retention limitations pursuant to separate 
arrangements. The adoption of shorter retention periods may not be 
publicly disclosed if DHS concludes that disclosure would affect 
operational security, for example by giving terrorism suspects the 
certainty that their past travel patterns would no longer be known to 
U.S. authorities.

SYSTEM MANAGER(S) AND ADDRESS:
    Executive Director, National Targeting and Security, Office of 
Field Operations, U.S. Customs and Border Protection, Ronald Reagan 
Building and Director, Targeting and Analysis, Systems Program Office, 
Office of Information Technology, U.S. Customs and Border Protection.

NOTIFICATION PROCEDURE:
    Generally, this system of records may not be accessed for purposes 
of determining if the system is a record pertaining to a particular 
individual. (See 5 U.S.C. 552a(e)(4)(G) and (f)(1)).
    General inquiries regarding ATS may be directed to the Customer 
Satisfaction Unit, Office of Field Operations, U.S. Customs and Border 
Protection, Room 5.5-C, 1300 Pennsylvania Avenue, NW., Washington, DC 
20229 (phone: (202) 344-1850 and fax: (202) 344-2791).

RECORD ACCESS PROCEDURES:
    Generally, this system of records may not be accessed under the 
Privacy Act for the purpose of inspection. The majority of this system 
is exempted from this requirement pursuant to 5 U.S.C. 552a(j)(2) and 
(k)(2).
    General inquiries regarding ATS may be directed to the Customer 
Satisfaction Unit, Office of Field Operations, U.S. Customs and Border 
Protection, Room 5.5-C, 1300 Pennsylvania Avenue, NW., Washington, DC 
20229.
    Requests should conform to the requirements of 6 CFR Part 5, 
Subpart B, which provides the rules for requesting access to Privacy 
Act records maintained by DHS. The envelope and letter should be 
clearly marked ``Privacy Act Access Request.'' The request should 
include a general description of the records sought and must include 
the requester's full name, current address, and date and place of 
birth. The request must be signed and either notarized or submitted 
under penalty of perjury.

CONTESTING RECORD PROCEDURES:
    Since this system of records may not be accessed, generally, for 
purposes of determining if the system contains a record pertaining to a 
particular individual and those records, if any, cannot be inspected, 
the system may not be accessed under the Privacy Act for the purpose of 
contesting the content of the record.

RECORD SOURCE CATEGORIES:
    The system contains information derived from other law enforcement 
systems operated by DHS and other government agencies, which collected 
the underlying data from individuals and public entities directly.
    In addition, the system contains information collected from 
carriers that operate vessels, vehicles, aircraft, and/or trains that 
enter or exit the United States.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    Pursuant to 31 CFR 1.36 pertaining to the Treasury Enforcement 
Communications System, the Automated Targeting System, which was 
previously covered by the Treasury Enforcement Communications System 
(TECS) system of records notice and associated with the below 
exemptions, records and information in this system are exempt from 5 
U.S.C. 552a(c)(3), (d)(1), (d)(2), (d)(3), (d)(4), (e)(1), (e)(4)(G), 
(H), and (I), and (f) of the Privacy Act pursuant to 5 U.S.C. 
552a(j)(2) and (k)(2). DHS intends to review these exemptions and, if 
warranted, issue a new set of exemptions specific to ATS within ninety 
(90) days of the publication of this notice.

    Dated: October 27, 2006.
Hugo Teufel III,
Chief Privacy Officer.
[FR Doc. 06-9026 Filed 10-30-06; 3:31 pm]
BILLING CODE 4410-10-P