CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data (REDACTED)

Submitting OIG:

Department of Homeland Security OIG

Report Description:

U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and the United States Secret Service (Secret Service) did not adhere to Department privacy policies or develop sufficient policies before procuring and using commercial telemetry data (CTD). Specifically, the components did not adhere to DHS’ privacy policies and the E-Government Act of 2002, which require certain privacy sensitive technology or data obtained from that technology, such as CTD, to have an approved Privacy Impact Assessment (PIA) before such technology is developed or procured.

Date Issued:

Friday, September 29, 2023

Agency Reviewed / Investigated:

Department of Homeland Security

Submitting OIG-Specific Report Number:

OIG-23-61

Component, if applicable:

United States Customs and Border Protection (CBP)

Location(s):

Agency-Wide

Type of Report:

Audit

Questioned Costs:

Funds for Better Use:

Number of Recommendations:

Report updated under NDAA 5274:

Additional Details Link:

https://www.oig.dhs.gov/sites/default/files/assets/2023-09/OIG-23-61-Sep23-Redac…

Recommendation Number	Recommendation Status	Significant Recommendation
1	Open	No
We recommend that the Commissioner, U.S. Customs and Border Protection discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.
2	Open	No
We recommend that the Commissioner, U.S. Customs and Border Protection develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.
3	Open	No
We recommend that the Director, U.S. Immigration and Customs Enforcement discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.
4	Open	No
We recommend that the Director, U.S. Immigration and Customs Enforcement develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.
5	Open	No
We recommend that the Director, United States Secret Service develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.
6	Open	No
We recommend that the Chief Privacy Officer, DHS Privacy Office include a statement on approved Privacy Threshold Analyses that use of the project, program, or system determined to be privacy sensitive is not authorized for operational use until approval of the required Privacy Impact Assessment.
7	Open	No
We recommend that the Chief Privacy Officer, DHS Privacy Office ensure compliance with its privacy policies or revise them to include the guidance necessary for program offices to meet the intent of the privacy requirements when, with due diligence, the technology needs to be procured and tested to complete the Privacy Impact Assessment process. The additional guidance, if developed, should address justification for deviating from Privacy Impact Assessment–related privacy policies and restrictions on the operational use of privacy-sensitive information; the guidance should also ensure Privacy Impact Assessments are completed before privacy-sensitive information is collected and used operationally.
8	Open	No
We recommend that the Chief Data Officer, Office of Chief Information Officer, Management Directorate develop and implement a department-wide commercial telemetry data policy, including component policy requirements, to ensure oversight of commercial telemetry data use, privacy protection, and applicable legal standards.

Recommendation Number

Recommendation Status

Significant Recommendation

Additional Details

Open

We recommend that the Commissioner, U.S. Customs and Border Protection discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.

Open

We recommend that the Commissioner, U.S. Customs and Border Protection develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.

Open

We recommend that the Director, U.S. Immigration and Customs Enforcement discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.

Open

We recommend that the Director, U.S. Immigration and Customs Enforcement develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.