DHS Admits Privacy Act Violation

WASHINGTON -- The Homeland Security Department admitted Friday it violated the Privacy Act two years ago by obtaining more commercial data about U.S. airline passengers than it had announced it would.

Seventeen months ago, the Government Accountability Office, Congress' auditing arm, reached the same conclusion: The department's Transportation Security Administration "did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act."

QUIZ What percent of U.S. tweens own a mobile phone? A. 15 percent B. 25 percent C. 35 percent D. 55 percent • Test Your Knowledge -- More Questions Partnership Resources for anyone who runs a small business or wants to start one. • Protect Your Business Credit in a Crisis • In Political Debate, Small Manufacturers Are Ignored • SMBs Must Look Beyond Platitudes and Their Party on Tax Policies • Starting a Business • Small Business on the Net • Home-Based Businesses » RESOURCE CENTER Save & Share Article What's This? Digg Google del.icio.us Yahoo! Reddit Facebook

Even so, in a report Friday on the testing of TSA's Secure Flight domestic air passenger screening program, the Homeland Security department's privacy office acknowledged TSA didn't comply with the law. But the privacy office still couldn't bring itself to use the word "violate."

Instead, the privacy office said, "TSA announced one testing program, but conducted an entirely different one." In a 40-word, separate sentence, the report noted that federal programs that collect personal data that can identify Americans "are required to be announced in Privacy Act system notices and privacy impact assessments."

TSA spokesman Christopher White noted the GAO's earlier conclusions and said, "TSA has already implemented or is in the process of implementing each of the DHS privacy office recommendations."

Congress has been unhappy with TSA's domestic airline screening program for years _ since it was called CAPPS II before it was tweaked and renamed Secure Flight. Federal law now bars TSA from implementing a domestic screening system until the GAO is satisfied it can meet 10 standards of privacy protection, accuracy and security.

Secure Flight has never passed all those tests, and White said there is no target date for implementing it. "We are more concerned with getting it right," White said.

Friday's report reinforced concerns on Capitol Hill.

"This further documents the cavalier way the Bush administration treats Americans' privacy," said Sen. Patrick Leahy, D-Vt., who is set to become Senate Judiciary Committee chairman in January. "With this database program, first they ignored the Privacy Act, and now, two years later, they still have a hard time admitting it."

Leahy promised the new Congress will try to learn more about how the administration uses such databases. "Data mining technology has great potential," Leahy said, "but history shows that without adequate checks and balances and oversight, misuse and abuse of the public's personal information will be inevitable."

Characterizing the Secure Flight problems as "largely unintentional," Homeland Security's privacy office attributed them to TSA's failure to revise the public announcement after the test changed.

The privacy office said TSA announced in fall 2004 it would acquire passenger name records of people who flew domestically in June 2004. Airline passenger name records include the flyer's name, address, itinerary, form of payment, history of one-way travel, contact phone number, seating location and even requests for special meals.