Framework for Privacy Analysis of Programs, Technologies, and Applications

The Framework for Privacy Analysis of Programs, Technologies, and Applications is a framework developed by the Department of Homeland Security Data Privacy and Integrity Advisory Committee and issued as report 2006-01 on March 7, 2006. [http://www.dhs.gov/interweb/assetlibrary/privacy_advcom_03-2006_framework.pdf] It provides a multi-step analysis framework to be used for considering effects of a proposed program on privacy and other interests.

The Framework

Scope

The Scope is a description of the program and its purposes. According to the Framework, the Scope should answer the following questions:

* What is the program under review?
* What is its purpose?
* What is its history and origin?
* How has it come to be used or considered by the Department?
* Where is it used or being considered for use?

Legal Basis

The Legal Basis is an explanation of the laws relevant to the program. It should explain what the legal authority for the program is and what legal limits are placed on the program. Importantly, the Legal Basis includes consideration of any law that limits the program, including judicial rulings, other statutes, and constitutions.

According to the Framework, the Legal Basis should answer the following questions:

* What is the legal authority for the program under consideration?
* What are the pre-existing legal limits on the program under consideration?

Risk Management: Efficacy

The Risk Management assessment is an explanation of the precise purposes of the program and the problem it is trying to solve. It includes consideration of the proportionality of the response to the problem and possible additional problems created by that response. According to the Framework, the Risk Management assessment should answer the following questions:

* What are you trying to protect? The Framework notes that this should be as specific as possible, as opposed to general answers like "the American people."
* What are you trying to protect it from?
* What is the likelihood of each threat occurring and the consequence if it does?
* What kind of action does the program take in response to the threat? The Framework suggests that there are four different ways of responding to a threat: acceptance, prevention, interdiction, and mitigation.
* Does the response create new risks to the asset or others?

Effects on Privacy Interests

The Framework calls this step "the heart of the process." It notes that many programs will have some cost to privacy, and that these costs should be minimized. The Framework also suggests that different interests may be affected, including the following:

Privacy

* How does the program affect individuals' ability to control how personal information about them is collected, used, or shared?
* Does the program include rules and practices that protect the confidentiality of personal information once it has been collected? ("Confidentiality")
* Does the program erode individuals' ability to control identifying information and to remain anonymous when they want to do so? ("Anonymity")
* Does the program use or foster surveillance? ("Seclusion") The Framework suggests minimizing collection of data to that needed for an explicit, limited purpose, minimizing use to only that purpose, and minimizing the length of time the data is retained.

Fairness

* Does the program treat individuals fairly at every step?
* Does the program collect data directly from the subject of the information? If the program uses information from other sources, what is done to assure that the sources are reliable? How does the program ensure that it uses accurate, timely, and relevant data? Does the program allow individuals access and correction rights? Does it ensure that corrections are propagated throughout the system? ("Data Quality")
* Does the program provide adequate notice to individuals of its data collection, use, disclosure, and redress policies? ("Notice")
* Does the program provide due process through redress mechanisms wherever a person may suffer an adverse action or determination? ("Individual Participation and Accountability")
* Is the program open to public scrutiny, understanding, and participation? Is information about agreements and contracts with other government agencies, government contractors, and foreign governments available to the public? Are architectures, technologies, data flows, tests, testing criteria, and testing results published? ("Transparency")
* Is the program manager accountable for compliance with privacy laws and principles? Does the program contain appropriate control measures, such as privacy audits and review by the DHS Privacy Office or the Inspector General? ("Accountability")

Liberty

* Does the program limit individual freedom in some dimension? For example, does it condition freedom of movement or action on the diminution of some privacy interest? Is interaction with the program mandatory or effectively mandatory?

Data Security

* How is personal information secured against threats to privacy and integrity? Does the program use reasonable and appropriate safeguards (including administrative, technical, and physical measures) to protect against unauthorized access, use, disclosure, modification, and destruction of data?

Recommendations

The final step in the Framework should answer two questions: Are there changes that could be made in the program that would reduce its privacy costs? Should the program proceed? In this step, the results of previous steps are considered and evaluated. Specifically, in determining whether the program should proceed the benefits described in step 3 should be weighed against the costs described in step 4. If the costs are not justified by the benefits, an attempt should be made to reduce the costs if possible.

Notes