(2) What are the Chief Privacy and Civil Liberties Officer and the Office of Privacy and Civil Liberties' Statutory and Administrative Authorities?
OPCL supports the duties and responsibilities of the Department’s Chief Privacy and Civil Liberties Officer (CPCLO). The CPCLO, who is part of the Office of the Deputy Attorney General (ODAG), is the principal advisor to the Attorney General on privacy and civil liberties matters affecting the Department’s missions and operations. The Director of OPCL reports directly to the CPCLO in ODAG.
In accordance with DOJ Order 0601, Privacy and Civil Liberties (May 14, 2020), Department components are required to identify a Senior Component Official for Privacy (SCOP) to manage―at the component level―the implementation of privacy rules, regulations, policies, and laws, and to serve as the CPCLO’s and OPCL’s main point of contact. OPCL coordinates privacy compliance with Departmental components through designated SCOPs.
(2) What are the Chief Privacy and Civil Liberties Officer and the Office Privacy and Civil Liberties’ Statutory and Administrative Authorities?
(a) Privacy Act of 1974, as amended
The Privacy Act of 1974, as amended, 5 U.S.C. § 552a ("Privacy Act"), governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual, or by some identifier assigned to the individual. The Privacy Act sets forth various agency record-keeping requirements. The Privacy Act requires that agencies give public notice of their systems of records by publication in the Federal Register. The disclosure of a record about an individual from a system of records is prohibited under the Privacy Act absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions. Through the Privacy Act, individuals are able to seek access to, as well as amend, their records.
(b) Section 208 of the E-Government Act of 2002
The E-Government Act of 2002, 44 U.S.C. § 3501, was enacted in recognition of technological changes in computers, digitized networks, internet access, and the creation of new electronically available information. These changes increase the availability of both personal and public information, and have important ramifications for the protection of PII contained in government records and systems. Section 208 requires all federal government agencies to assess privacy risks and determine risk mitigation measures, documented in a Privacy Impact Assessment (PIA) upon the development or procurement of new information technology involving the collection, maintenance, or dissemination of information in identifiable form (IFF) (also referred to as PII) or once substantial changes are made to existing information technology that manages IIF. The Act requires an agency to make PIAs publicly available, except when an agency, using its discretion, determines that publication of the PIA would raise security concerns, reveal classified (i.e., national security) information or sensitive information (e.g., the assessment contains information potentially damaging to a national interest, law enforcement effort, or competitive business interest).
(c) Other Statutes and Legal Requirements
The CPCLO’s responsibilities are set forth in dozens of laws, regulations, guidelines, and policies, including the Federal Information Security Modernization Act (FISMA), Pub. L. No. 113-283, 44 U.S.C. §§ 3551-3558, Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource (2016), OMB Memorandum 16-24, Role and Designation of Senior Agency Official for Privacy (2016), and other statutes, guidelines, standards, and OMB memoranda. See generally Federal Privacy Council, https://www.fpc.gov/ (listing on its “Law” and “Resources” pages some of the laws, regulations, guidelines, and policies that apply to federal agencies).
The CPCLO also bears certain responsibilities specific to the Department of Justice and duties that apply to privacy and civil liberties officers of certain agencies involved in law enforcement and national security matters. See Section 1174 of the Violence Against Women and DOJ Reauthorization Act of 2005, Pub. L. No. 109-162 (Jan. 5, 2006) (codified at 28 U.S.C. § 509 note); Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53 (Aug. 3, 2007) (codified at 42 U.S.C. § 2000ee-1), as amended by Section 109 of the FISA Amendments Reauthorization Act of 2017, Pub. L. No. 115-118 (Jan. 19, 2018) (codified at 42 U.S.C. § 2000ee-1). Department of Justice Order 0601 further outlines these responsibilities.
(a) Initial Privacy Assessment (IPA)
The privacy compliance process begins when the Department first determines it needs to collect, maintain, disseminate, or otherwise use PII. The Department has established the IPA template, which consolidates various privacy compliance requirements in to a single, unified, and comprehensive process. The IPA template consists of questions designed to help components and OPCL determine whether a particular information system: contains and maintains PII; requires further privacy risk assessments and documentation (e.g., a Privacy Impact Assessment or a System of Records Notice); or raises other privacy issues or concerns. In particular, the IPA bridges information technology (IT) security and privacy assessment processes, and assists in identifying information assets requiring appropriate privacy security controls.
An IPA must be completed prior to the development of an information system, including before the initiation of any testing or piloting of an information system. This enables components to identify steps to mitigate any potential adverse impact on privacy at the outset of the information collection or program. For example, an IPA may help a component determine that the collection and use of Social Security Numbers (SSNs) or other sensitive PII within a system is not necessary, and decide to forego the collection of such PII.
The DOJ IPA template can be found here.
(b) Privacy Impact Assessment (PIA)
OPCL may determine, based on an IPA, that a component must conduct further privacy assessments and documentation, including a PIA. PIAs analyze how electronic collections of information and information in systems or technologies are handled by components to ensure compliance with applicable legal, regulatory, and policy requirements regarding privacy. Through the PIA process, the Department outline the risks and effects of collecting, maintaining, and disseminating information in an information technology. Additionally, the Department examines and evaluates protections and alternatives processes for handling information to mitigate potential privacy risks.
A PIA must be completed either before developing or procuring IT systems or projects that collect, maintain, or disseminate IIF about members of the public, or before initiating a new electronic collection of IIF for 10 or more persons. By conducting a PIA at this time, components should consider the privacy impact from the beginning of a system’s development through the system’s lifecycle to ensure that system developers and owners have made technology choices that incorporate privacy protections into the underlying architecture of the system.
A list of, and links to, published DOJ PIAs can be found here.
(c) System of Record Notice (SORN)
The Privacy Act requires agencies to provide notice to the public by, among other requirements, publishing a SORN if a component maintains, collects, uses, or disseminates records about an individual and retrieves them by a personal identifier. A SORN provides the public with details about a system of records, including its purpose for collection and maintenance, the categories of individuals serving as the subject of such records, the categories of information to be used and collected by the agency, the location where the agency maintains the information, the means of access and correction available to the individual, the safeguards that will protect the information, and the parties with whom and under what conditions the agency will share the information in the system.
A system of records must be covered by a SORN published in the Federal Register before the system of records may be used. Thus, the Department must determine whether records are covered by an already existing SORN, or require the publication of a new SORN. OPCL advises the Department’s components on whether a particular information system qualifies as a system of records, and whether it is necessary to draft a new SORN, or to modify an existing SORN and any accompanying exemption regulation.
A list of, and links to, completed DOJ SORNs can be found here.
(d) Privacy Risk Management Framework
In accordance with Appendix I of OMB Circular A-130, the CPCLO and OPCL now have explicit responsibilities for developing a Department-wide Privacy Risk Management Framework. The DOJ Privacy Risk Management Framework supplements the Department's information security risk management processes, and is required prior to the authorization of certain DOJ information systems. The Department requires component senior management to develop and manage information systems based on a thorough examination of any identified privacy risks and the impact the information system has on DOJ operations. Components are also required to ensure that implementation of the DOJ Privacy Risk Management Framework fully integrates the privacy requirements, discussed above, or as otherwise required by the CPCLO, including, but not limited to, the selection, implementation, and assessment of appropriate privacy controls.
As part of the DOJ Risk Management Framework, components are required to conduct an ongoing assessment of the privacy risks and privacy controls associated with their information systems. To implement ongoing assessments within the Department, the CPCLO and DOJ CIO have developed a Department-wide Security and Privacy Continuous Monitoring Strategy that calls for the Department to continue maintaining an ongoing awareness of our information security and privacy posture using tools that allow for automated asset management, secure configuration management, and vulnerability management.
(e) Privacy Advice
In addition to assisting Department components in assessing privacy risk, determining risk mitigation measures, and drafting the above-mentioned privacy documentation, OPCL also advises components and the Department’s senior leadership on a variety of privacy issues. For example, OPCL regularly provides guidance to components regarding permitted disclosures of information located in a system of records.
In addition, OPCL advises components on preparing other Privacy Act documents, such as Privacy Act consent forms and Privacy Act notice statements, which provide actual notice to an individual about an agency’s collection authority and the possible uses of information collected from individuals.
OPCL assists the CPCLO in addressing international privacy issues that arise in various contexts, including litigation matters and multilateral or bilateral agreements, as well as advises on international privacy legislation, guidance, working documents, reports, and policies that may affect personal information collected, maintained, used, and disseminated by the Department or the United States Government.
Finally, OPCL assists the CPCLO carries out the following programmatic, operational, and policy-related privacy and civil liberties responsibilities:
- Evaluating for potential privacy and civil liberties impacts, all Department-wide programs and initiatives, as well as programs and initiatives with which the Department may participate with other agencies;
- Advising Department leadership and components on implementing privacy and civil liberties protections for Department-wide programs and initiatives, as well as programs and initiatives with which the Department may participate with other agencies; and
- Reviewing policies, procedures, or programs to ensure that concerns about privacy and civil liberties have been appropriately addressed in connection with the design and operation of such policies, procedures, or programs in conjunction with the National Security Division, the Federal Bureau of Investigation, or other appropriate components.
(a) Privacy Act Amendment Requests and Appeals
Under subsection (d)(2) of the Privacy Act, a member of the public may request that the Department amend records pertaining to him/her that are kept in a DOJ system of records. Most initial amendment requests are sent directly to the Department component that owns the relevant system of records. If a component denies an amendment request, OPCL will adjudicate any appeal of such denial. In addition, OPCL also adjudicates initial requests to amend records received by the Department’s senior management offices.
The process for submitting a Privacy Act amendment request can be found at here.
(b) Privacy and Civil Liberties Inquiries and Complaints
Members of the public may also contact OPCL directly through its email inbox and main phone number if they have other inquiries and complaints, separate and apart from the Privacy Act. In accordance with a variety of legal and policy requirements, OPCL works to ensure that all inquiries and complaints are properly reviewed and responses are appropriately provided and/or referred to components. Such inquiries and complaints may concern, for example, questions about the Department’s handling of PII or requests to correct inaccurate PII consistent with the objective of maintaining data quality, as well as other issues involving the proper handling of PII. OPCL will typically refer such inquiries and complaints to the appropriate component of the Department, which will typically review the inquiry or complaint and make a determination on an appropriate response. If a person is not satisfied with the response received from the component, OPCL can provide additional review.
OPCL's contact information can be found here.