Privacy Impact Assessment

for the

NOC Patriot Report Database

December 7, 2010

Contact Point
Ashley Tyler
Department of Homeland Security
Office of Operations and Coordination and Planning

Reviewing Official
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
(703) 235-0780
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 2

Abstract
The National Operations Center (NOC) in the Office of Operations Coordination and Planning
(OPS) operates the NOC Patriot Report Database. The NOC Patriot Report Database is a repository for
reports generated to record and track suspicious activity that may implicate terrorism-related or criminal
activity. OPS has conducted this privacy impact assessment (PIA) because the NOC Patriot Report
Database may contain personally identifiable information (PII).

Overview
The NOC is the primary national-level hub for domestic situational awareness, common
operational picture, information fusion, information sharing, communications, and coordination
pertaining to the prevention of terrorist attacks and domestic incident management. The NOC is the
primary conduit for the White House Situation Room and DHS Leadership for domestic situational
awareness and facilitates information sharing and operational coordination with other federal, state, local,
tribal, non-governmental operation centers and the private sector.

In fulfillment of its mission to provide domestic situational awareness of all threats and hazards,
the NOC Fusion Desk utilizes the NOC Patriot Report Database to record and track suspicious activity
that may implicate terrorism-related or criminal activity. The reports generated are called NOC Patriot
Reports. The content of a NOC Patriot Report varies and may or may not contain PII. The NOC Fusion
Desk officer writes a NOC Patriot Report when information received from federal, state, local, tribal, and
territorial agencies and organizations, foreign governments and international organizations, domestic
security and emergency management officials, private sector entities, or individuals, is determined (based
on training, experience, and their individual knowledge of the subject at hand) to be credible and either
possibly linked to terrorism and/or criminal behavior. When further corroboration of a report is needed,
the desk officer may search publically available data, such as news organization websites or from
commercial databases; or in the case of a private citizen report, the desk officer may reach out to the
citizen’s local authorities.
NOC Patriot Reports are distributed as soon as the information is deemed credible and accurately
documented in the NOC Patriot Report Database. The Fusion Desk distributes all NOC Patriot Reports
via email to a “standard” distribution list which includes all organizations that have a physical presence at
the NOC; the FBI’s 24/7 operations center Counter Terrorism Watch (CTW); a distribution list for all
DHS I&A Representatives assigned to the individual fusion centers; state and local fusion centers;
National Infrastructure Coordination Center (NICC); and Protective Security Advisors (PSA) Duty Desk
(24/7 Center/reach back for PSA’s in the field).
The level of effort required to produce a NOC Patriot Report varies on a report by report basis.
The primary determining factor is the amount of information provided to the Fusion Desk and the amount
of time it takes the desk officer to confirm certain information, gather supporting documents (maps,
photos, police reports, etc.) and compile that information into a reportable format which may be easily
read and understood by the target audience.
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 3

The NOC Patriot Report Database also serves as an archive of all NOC Patriot Reports processed
by the NOC-HSIN (Homeland Security Information Network) and NOC Fusion Desks – these desk
officers provide support to the NOC and its components within the HSIN network.

Section 1.0 Authorities and Other Requirements

1.1 What specific legal authorities and/or agreements permit
and define the collection of information by the project in
question?
Section 515 of the Homeland Security Act (6 U.S.C. § 321d(b)(1)) requires the NOC “to
provide situational awareness and establish a common operating picture for the entire federal
government and for state, local, and tribal governments as appropriate, in the event of a natural
disaster, act of terrorism, or other manmade disaster; ensure that critical terrorism and disaster-
related information reaches government decision-makers.”

1.2 What Privacy Act System of Records Notice(s) (SORN(s))

apply to the information?
The current collection is covered by the DHS/IAIP-001 Homeland Security Operations
Center Database SORN. As part of the biennial review of DHS SORNs, DHS has decided to
update and rename this SORN to provide additional transparency. In conjunction with this PIA,
DHS is publishing the DHS/OPS – 003 Operations Collection, Planning, Coordination,
Reporting, Analysis, and Fusion SORN.

1.3 Has a system security plan been completed for the

information system(s) supporting the project?
Yes, Authority to Operate was granted on March 31, 2009, valid for three years.

1.4 Does a records retention schedule approved by the

National Archives and Records Administration (NARA)
exist?
OPS is working with NARA to develop a records retention schedule of no more than five
(5) years.

1.5 If the information is covered by the Paperwork Reduction

Act (PRA), provide the OMB Control number and the
agency number for the collection. If there are multiple
forms, include a list in an appendix.
No specific form is being filled out by the public therefore PRA is not implicated.
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 4

Section 2.0 Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected, as
well as reasons for its collection.

2.1 Identify the information the project collects, uses,

disseminates, or maintains.
The NOC Patriot Report Database provides a thorough documentation of the events,
incidents, or suspicious activities that are reported to the NOC Fusion Desk. SAR data may
include the following elements as made available by the reporting source: description of the
suspicious activity, a description of a possible threat, date-time and location of incident, reliability
rating of informational source, validity rating of content, cross-referenced record number, if
applicable, critical infrastructure indicators, names of reporting and/or responding agency
personnel, and their respective contact information. An “additional comment” section provides a
contextual narrative of the event and the as available: name, alias, height, weight, sex, build, race,
complexion, eye color, hair color, hair style/length, ethnicity, distinguishing features and personal
identifiers (e.g., drivers license, passport, Social Security number, etc.) of the person(s) engaged
and/or connected to the suspicious activity.
The NOC Patriot Report Database covers the following categories of individuals:
Federal, state, local, tribal, and territorial officials; foreign government and
international officials; domestic security and emergency management officials; and
private sector individuals who request assistance from, provide information to, are
the subject of, or participate with the Department in activities related to all-threats
and all-hazards, man-made disasters and acts of terrorism, and natural disasters; and
Individuals who provide information to the Department related to all-threats and all-
hazards, man-made disasters and acts of terrorism, and natural disasters, including
Suspicious Activity Reports (SARs).
Contact information collected from the person calling in the report NOC Patriot Reports
not required and is completely voluntary. Such information may include: name, address, home
phone, or work phone. This information may be used to help further substantiate a report. For
example, if a private individual reports suspicious activity near a nuclear power plant, local law
enforcement authorities might be contacted to confirm that there is indeed suspicious activity. In
this case, the information received from local law enforcement would also be entered into the
NOC Patriot Report Database and would include the name, title, and contact information of the
official.
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 5

2.2 What are the sources of the information and how is the
information collected for the project?
Information is collected from private individuals submitting tips or observations of
suspicious activity to the NOC Fusion Desk and when warranted, information from local
authorities that corroborates or disproves a report. Information received from private citizens in
strictly voluntary and initiated by the caller. While the NOC may receive SAR data from other
sources, that other SAR data is not incorporated in the NOC Patriot Report Database.

2.3 Does the project use information from commercial sources

or publicly available data? If so, explain why and how this
information is used.
The NOC Patriot Report Database may have information from commercial sources or
publicly available data. As part of the effort of the Fusion Desk officers to determine whether or
not the information is credible, the Fusion Desk officers may query publicly available data,
including websites as well as commercial data sources. For example, if someone calls the Fusion
Desk to report an explosion in Times Square, the desk officer may check CNN or CNN.com to
see if there is any substantiating information being reported.

2.4 Discuss how accuracy of the data is ensured.

In order to determine if reported information has a possible nexus to terrorism or criminal
activity, Fusion Desk officers have the necessary training, experience, and individual knowledge
of the subject at hand to properly vet information for credibility and accuracy. Additionally,
Fusion Desk officers will look both at internal DHS databases as well as commercial databases
and publicly available data to corroborate information provided through the NOC Patriot Report
process.

2.5 Privacy Impact Analysis: Related to Characterization of the

Information
Privacy Risk: There is a privacy risk that more PII than is necessary may be collected.
Mitigation: This privacy risk is minimized by the strict controls imposed and training
mandated to ensure Fusion Desk Officers understand what is appropriate use and collection of
sensitive PII. Further, any information provided by the caller information is summarized and
input into a call log report that is only shared upon a verified need to know bases. In order to
become an authorized user, a Fusion Desk officer must have successfully completed privacy
training and hold appropriate security clearances (at a minimum “secret”). Finally, an officer
must have a “need to know” for the information in the performance of their official duties.
Privacy Risk: There is a privacy risk that inaccurate information will be attributed to the
individual as part of the corroboration process.
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 6

Mitigation: Information from/about the reporting individual is used only to help verify
the event they are reporting. If an individual believes for any reason that inaccurate information
about them was in the database, they can contact the fusion desk to have it corrected.

Section 3.0 Uses of the Information

The following questions require a clear description of the project’s use of information.

3.1 Describe how and why the project uses the information.
The NOC utilizes the NOC Patriot Report Database to collect, report, analyze, and fuse
information related to terrorism-related or criminal-related threats and activities collected or
received from federal, state, local, tribal, and territorial agencies and organizations; foreign
governments and international organizations; domestic security and emergency management
officials; and private sector entities or individuals. Those Patriot Reports that meet the ISE-SAR
Functional Standard Version 1.5 will be entered into the DHS ISE-SAR Server.

3.2 Does the project use technology to conduct electronic

searches, queries, or analyses in an electronic database to
discover or locate a predictive pattern or an anomaly? If
so, state how DHS plans to use such results.
No.

3.3 Are there other components with assigned roles and

responsibilities within the system?
No, only Fusion Desk officers are afforded access to the database.

3.4 Privacy Impact Analysis: Related to the Uses of

Information
Privacy Risk: There is a privacy risk of misuse or unauthorized access to the
information.
Mitigation: To mitigate this risk, access to data in the NOC Patriot Report Database is
controlled through passwords and restrictive rules. Authentication and role-based user access
requirements ensure that users can only access or change information that is appropriate for their
official duties. Background checks are conducted on users to ensure they are suitable for
authorized access to the logs. The effectiveness of authentication and security protections are
verified through audits of system operation and usage. Further, the NOC is located in a Sensitive
Compartmented Information Facility.
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 7

Section 4.0 Notice

The following questions seek information about the project’s notice to the individual about the information
collected, the right to consent to uses of said information, and the right to decline to provide information.

4.1 How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain
why not.
Notice is provided through this PIA and through the publication of DHS/OPS-003
Operations Collection, Planning, Coordination, Reporting, Analysis, and Fusion SORN.

4.2 What opportunities are available for individuals to consent

to uses, decline to provide information, or opt out of the
project?
When an individual is submitting information to the NOC over the phone, he/she has the
right to decline providing personal information. As an example, an anonymous caller contacts a
law enforcement agency with a report of suspicious activity. The information may be submitted
to the NOC without capturing the caller’s identifying information. However, in instances where
PII is provided as part of the suspicious report, (e.g., the description of a person/persons acting
suspiciously) the individual(s) being described is unlikely to have knowledge that his/her
information has been submitted to the system.

4.3 Privacy Impact Analysis: Related to Notice

Privacy Risk: There is a possibility of individuals not being aware of the collection of
information.
Mitigation: Notice of the collection of information is provided via this PIA and the
DHS/OPS-003 SORN mitigating this risk.

Section 5.0 Data Retention by the project

The following questions are intended to outline how long the project retains the information after the initial
collection.

5.1 Explain how long and for what reason the information is
retained.
OPS is working with NARA to develop a records retention schedule of no longer than
five (5) years. This five-year retention schedule is based on the operational needs of the
Department.
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 8

5.2 Privacy Impact Analysis: Related to Retention

Privacy Risk: There is a possibility of retaining information longer than is necessary.
Mitigation: Although there is always risk inherent in retaining PII for any length of
time, the data retention period for the NOC Patriot Report Database is based on case type
identified in the NARA retention schedule and is consistent with the concept of retaining PII only
for as long as necessary to support the agency’s mission.

Section 6.0 Information Sharing

The following questions are intended to describe the scope of the project information sharing external to
the Department. External sharing encompasses sharing with other federal, state and local government, and private
sector entities.

6.1 Is information shared outside of DHS as part of the normal

agency operations? If so, identify the organization(s) and how
the information is accessed and how it is to be used.
The Fusion Desk distributes all NOC Patriot Reports via email to a “standard”
distribution list which includes the following: DHS components with an operational or law
enforcement mission, FBI CTW, a distribution list for all DHS I&A Representatives assigned to
the individual fusion centers, state and local fusion centers, NICC, and PSA Duty Desk. There is
the possibility of a report being disseminated to other entities from agencies on the NOC
distribution list, however, it would be strictly on a “need to know” basis to be determined by the
agency that receives it from the NOC. The sharing of NOC Patriot Reports through a standard
distribution list to notify appropriate entities of possible terrorism-related or criminal activity is
compatible with the routine uses listed in the SORN.

6.2 Describe how the external sharing noted in 6.1 is

compatible with the SORN noted in 1.2.
Routine uses of DHS/OPS-003 allows DHS to share information with federal, state, or
local agency, or other appropriate entities or individuals, through established liaison channels for
counterintelligence or antiterrorism purposes. The sharing of NOC Patriot Reports through a
standard distribution list to notify appropriate entities of possible terrorism-related or criminal
activity is compatible with this routine use.

6.3 Does the project place limitations on re-dissemination?

External organizations secure NOC Patriot Reports in accordance to the terms of
information sharing agreements which include provisions for appropriate and adequate
safeguarding of sensitive information and restrictions on re-dissemination.
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 9

6.4 Describe how the project maintains a record of any

disclosures outside of the Department.
NOC Patriot Reports are only disseminated by email and only to authorized entities. A
copy of the email and all the recipients is kept in the sent box of the Fusion desk as an audit trail.

6.5 Privacy Impact Analysis: Related to Information Sharing

Privacy Risk: There is a potential risk of NOC Patriot Reports being leaked, misused, or
lost by the agencies with which DHS shares information.
Mitigation: The distribution list of external entities who receive the NOC Patriot Reports
is narrowly tailored to only include those agencies that have a need to know. No external
organizations have direct access to the NOC Patriot Report Database, meaning external entities
do not have access through individual user accounts. Finally, all sharing is consistent with the
routine uses enumerated in DHS/OPS-003.
Privacy Risk: There is a potential risk of NOC Patriot Reports being further
disseminated by receiving agencies.
Mitigation: When the NOC distributes a NOC Patriot Report it clearly labels this
information as law enforcement sensitive. Receiving agency personnel have been trained on
proper use of law enforcement sensitive information and understand that they may only provide
the information to those who have a need to know.

Section 7.0 Redress

The following questions seek information about processes in place for individuals to seek redress
which may include access to records about themselves, ensuring the accuracy of the information collected
about them, and/or filing complaints.

7.1 What are the procedures that allow individuals to access

their information?
Individuals seeking access to any record containing information that is part of a DHS
system of records, or seeking to contest the accuracy of its content, may submit a Freedom of
Information Act (FOIA) or Privacy Act (PA) request to DHS. Given the nature of some of the
information in the NOC Patriot Report Database (sensitive law enforcement or intelligence
information), DHS may not always permit the individual to gain access to or request amendment
of his or her record. However, requests processed under the PA will also be processed under
FOIA; requesters will always be given the benefit of the statute with the more liberal release
requirements. The FOIA does not grant an absolute right to examine government documents; the
FOIA establishes the right to request records and to receive a response to the request. Instructions
for filing a FOIA or PA request are available at http://www.dhs.gov/xfoia/editorial_0316.shtm.
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 10

The FOIA/PA request must contain the following information: Full Name, current
address, date and place of birth, telephone number, and email address (optional). Privacy Act
requesters must either provide a notarized and signed request or sign the request pursuant to
penalty of perjury, 28 U.S.C. §1746. Please refer to the DHS FOIA website for more information.

7.2 What procedures are in place to allow the subject

individual to correct inaccurate or erroneous information?
If an individual believes that he or she has suffered an adverse consequence that is related
to the NOC Patriot Report Database, that individual will be able to provide any information that
they deem relevant with a request that it be included within any record maintained in the NOC
Patriot Report Database regarding a particular incident, activity, transaction, or occurrence. That
correspondence will be directed to the NOC Fusion Desk, and a member of the watch will
research the NOC Patriot Report Database to ascertain whether any record correlates to the
information provided. If there is correlative information, the watch officer will enter the
information provided into that record and indicate it as First-Party Amplifying information.

7.3 How does the project notify individuals about the

procedures for correcting their information?
Mechanisms for correcting information are set forth above as well as in DHS/OPS-003
SORN.

7.4 Privacy Impact Analysis: Related to Redress

Privacy Risk: The privacy risk is that an individual may not be afforded adequate
opportunity to correct information.
Mitigation: To mitigate this risk, individuals are afforded opportunity to request access
or amendment of their records by either submitting a FOIA or a PA request as outlined above.

Section 8.0 Auditing and Accountability

The following questions are intended to describe technical and policy based safeguards and security
measures.

8.1 How does the project ensure that the information is used in
accordance with stated practices in this PIA?
Privacy protections include strict access controls, including passwords and real-time
auditing that tracks access to electronic information. Authentication and role-based user access
requirements ensure that users only can access or change information that is appropriate for their
official duties. Background checks are conducted on users to ensure they are suitable for
authorized access to the logs. The effectiveness of authentication and security protections are
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 11

verified through audits of system operation and usage. DHS Employees may be subject to
discipline and administrative action for unauthorized disclosure of this information.

8.2 Describe what privacy training is provided to users either

generally or specifically relevant to the project.
All DHS employees and contractors are required to follow DHS Management Directive
(MD) Number: 11042, Safeguarding Sensitive But Unclassified (For Official Use Only)
Information, May 11, 2004. This guidance controls the manner in which DHS employees and
contractors must handle Sensitive but Unclassified/For Official Use Only Information. All
employees and contractors are required to follow Rules of Behavior contained in the DHS
Sensitive Systems Handbook. Additionally, all DHS employees are required to take annual
computer security training, which includes privacy training on appropriate use of sensitive data
and proper security measures.

8.3 What procedures are in place to determine which users

may access the information and how does the project
determine who has access?
Privacy protections include strict access controls, including passwords and real-time
auditing that tracks access to electronic information. Authentication and role-based user access
requirements ensure that users only can access or change information that is appropriate for their
official duties. Background checks are conducted on users to ensure they are suitable for
authorized access to the logs. The effectiveness of authentication and security protections are
verified through audits of system operation and usage. DHS Employees may be subject to
discipline and administrative action for unauthorized disclosure of this information.
 Privacy Impact Assessment
Operations, National Operations Center NOC Patriot Report Database
Page 12

8.4 How does the project review and approve information

sharing agreements, MOUs, new uses of the information,
new access to the system by organizations within DHS and
outside?
All MOUs are reviewed by the program manager, component Privacy Officer, and
counsel and then sent to DHS for formal review.

Responsible Officials
Ashley Tyler, Program Manager
Department of Homeland Security
Office of Operations Coordination and Planning

Approval Signature

Original signed and on file with the DHS Privacy Office

Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
 Privacy Impact Assessment
for the

National Infrastructure Coordinating Center

Suspicious Activity Reporting Initiative
December 29, 2010

Contact Point
Shawn Graff
Director, National Infrastructure Coordinating Center
Office of Infrastructure Protection
National Protection and Programs Directorate
(703) 235-3074
Reviewing Official
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
(703) 235-0780
Abstract
The Department of Homeland Security (DHS) National Protection and Programs
Directorate (NPPD) Office of Infrastructure Protection (IP) National Infrastructure Coordinating
Center (NICC) is publishing this PIA to reflect activities under its Suspicious Activity Reporting
(SAR) Initiative. The NICC SAR Initiative serves as a mechanism by which a report involving
suspicious behavior related to an observed encounter or reported activity is received and
evaluated to determine its potential nexus to terrorism. NICC is conducting this PIA because
SAR occasionally contain personally identifiable information (PII) and NICC will be collecting
and contributing SAR data for reporting and evaluation proceedings.

Overview
The National Infrastructure Coordinating Center (NICC) is the coordinating center within
the Office of Infrastructure Protection (IP). The mission of IP is to lead the national effort to
mitigate the terrorism risk, and to strengthen the protection of and enhance the all-hazard
resilience of the Nation's critical infrastructure. In an effort to further its mission, IP has
implemented the NICC SAR Initiative. All SARs are centered on activities, meaning that an
event or action has occurred that has triggered some degree of suspicion. Under the NICC SAR
Initiative, all suspicious activities are reported via email or phone to the NICC. It is important to
note that the NICC SAR Initiative does not replace the Emergency First Responder services
provided by calling 911.
When the NICC receives a SAR from the Critical Infrastructure and Key Resources
(CIKR) community or the general public, the SAR information is used to create a NICC Patriot
Report and a corresponding redacted NICC Patriot Report, which is maintained on WebEOC.
(These reports are distinct from DHS National Operations Center (NOC) Patriot Reports, which
are maintained separately and are covered by the DHS NOC Patriot Report PIA.) The NICC
Patriot Report will then be submitted via email to the FBI and the DHS NOC, to generate a
Guardian 1 number as well as a DHS NOC number, respectively.
The NICC Patriot Report that is sent to the FBI is submitted to the FBI Counter-terrorism
division. There, the FBI will determine whether there is sufficient information and cause to issue
a Guardian number. If the NICC Patriot Report does not provide sufficient information, FBI will
contact the NICC for amplifying information and then determine whether or not to issue a
Guardian number. In addition, the FBI will make a determination as to whether to also send the
report to the e-Guardian unclassified database, 2 pursuant to the authority of the FBI. Whether or

1
The FBI Guardian System has SORN coverage provided under 63 FR 8659 titled, “Department of Justice Federal
Bureau of Investigation – 002 Central Records System (CRS) System of Records,” published on January 25, 2007. The
PIA for the FBI Guardian System is not published, as this is a National Security System.2
http://foia.fbi.gov/eguardian_threat.htm
2
http://foia.fbi.gov/eguardian_threat.htm
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 3

not a Guardian number is issued, the NICC will disseminate the report in accordance with the
below description.
Unlike the Guardian number, every SAR is issued a DHS NOC number once it is
submitted to the DHS NOC. Once the Guardian and DHS NOC numbers are received, they will
be included into the NICC Patriot Report, and the NICC will then distribute these finalized NICC
Patriot Reports to FBI, DHS NOC, and DHS Intelligence and Analysis. Additionally, the
redacted version of the Patriot Report is posted to HSIN-CS. With the advent of the Nationwide
Suspicious Activity Reports Initiative (NSI), DHS NICC will begin inputting those NICC SARs
that meet the Information Sharing Environment Functional Standard into the DHS ISE SAR
Server.
Within the NICC SAR Initiative, information reported is collected by authorized “Watch
Standers.” The NICC Watch Stander staff analyze all information in a manner that attempts to
clarify and validate any reported facts as to its impact on Critical Infrastructure. NICC Watch
Standers complete Personally Identifiable Information (PII), Protected Critical Infrastructure
Information (PCII), and Chemical-Terrorism Vulnerability Information (CVI) training before
becoming Watch-qualified. All Watch Standers are scheduled to complete necessary vetting
training and must also maintain an active “secret” security clearance or higher. All reported
information is collected from a variety of sources including Critical Infrastructure Stakeholders
or the general public via email, fax or phone to NICC Watch Standers as it relates to suspicious
activities, events or incidents. Information collected will include all suspicious activities that are
observed, reported, and recorded in WebEOC and through the HSIN-CS portal. Information
collected of the events, incidents, or suspicious activities reported can include contact
information from the person that is reporting the suspicious activity, such as name, address,
home phone, or work phone. This information is used to gather additional information about the
activity witnessed.

Section 1.0 Authorities and Other Requirements

1.1 What specific legal authorities and/or agreements permit
and define the collection of information by the project in
question?
The Homeland Security Act of 2002 as codified within the United States Code at
6 U.S.C. § 321d(b)(1), Section 515 provides DHS with authority to collect the
information. Additionally, specific legal authority for IP to operate is provided by under 6
USC § 121(d)(1), Directorate for Information Analysis and Infrastructure Protection.

1.2 What Privacy Act System of Records Notice(s) (SORN(s))

apply to the information?
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 4

Department of Homeland Security system of records titled, “Department of

Homeland Security National Protection and Programs Directorate – 001 National
Infrastructure Coordinating Center Records System of Records,” published on November
15, 2010.
1.3 Has a system security plan been completed for the
information system(s) supporting the project?
A system security plan has been completed with the Authority to Operate for the
LENS systems, which was issued on September 9, 2009 and is valid for two years, as
well as the Authority to Operate for the HSIN system, which was issued on March 31,
2009 and is valid for three years.

1.4 Does a records retention schedule approved by the

National Archives and Records Administration (NARA)
exist?
The NICC is working with the NPPD and DHS Records Officer to develop a
NARA approved retention schedule, and DHS plans to propose a retention schedule of
five years for SARs unless the record becomes part of an ongoing law enforcement
investigation.

1.5 If the information is covered by the Paperwork Reduction

Act (PRA), provide the OMB Control number and the
agency number for the collection. If there are multiple
forms, include a list in an appendix.
The NICC SAR Initiative collects information through non-standardized email
and phone reporting. Therefore, there are no PRA implications for this system.

Section 2.0 Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected, as
well as reasons for its collection.

2.1 Identify the information the project collects, uses,

disseminates, or maintains.
The NICC collects all reported information received via email or phone to NICC
Watch Standers as it relates to suspicious activities, events or incidents.
SAR data may include, but is not limited to, the following elements as made
available by the reporting source: description of the suspicious activity, a description of a
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 5

possible threat, date-time and location of incident, reliability rating of informational

source, validity rating of content, cross-referenced record number, if applicable, critical
infrastructure indicators, names of reporting and/or responding agency personnel, and
their respective contact information. An “Amplifying Information” section, based on the
information provided by the submitter, provides a contextual narrative of the event and as
available: name, alias, height, weight, sex, build, race, complexion, eye color, hair color,
hair style/length, ethnicity, distinguishing features and personal identifiers (e.g., driver’s
license number, passport, Social Security number, etc.) of the person(s) engaged and/or
connected to the suspicious activity.
The NICC SAR Initiative covers the following categories of individuals:
• Federal, state, local, tribal, and territorial officials; foreign government and
international officials; domestic security and emergency management
officials; and private sector individuals who request assistance from, provide
information to, are the subject of, or participate with the Department in
activities related to all-threats and all-hazards, man-made disasters and acts of
terrorism, and natural disasters; and
• Individuals who are the subject of information sent to the Department related
to all-threats and all-hazards, man-made disasters and acts of terrorism, and
natural disasters, including Suspicious Activity Reports (SARs).
Contact information collected from the person calling in the report is not required
and is completely voluntary. Such information may include: name, address, home phone,
or work phone. This information may be used to help further substantiate a report.
2.2 What are the sources of the information and how is the
information collected for the project?
SARs are collected by the NICC through National Response Center (NRC)
emails, NICC emails, HSIN-CS sector portals, fax and phone calls from CIKR
community members witnessing suspicious activities. It is also possible private
individuals and state local and local government officials to include law enforcement may
submit information. As background, the primary function of the NRC is to serve as the
sole national point of contact for reporting all oil, chemical, radiological, biological, and
etiological discharges into the environment anywhere in the United States and its
territories. In addition to gathering and distributing spill data for Federal On-Scene
Coordinators and serving as the communications and operations center for the National
Response Team, the NRC maintains agreements with a variety of federal entities to make
additional notifications regarding incidents meeting established trigger criteria. The NRC
also takes Terrorist/Suspicious Activity Reports and Maritime Security Breach Reports.
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 6

Reports are received by the NRC through their 800 number, online reporting tool
and email. The NICC receives NRC reports as an email that is directly ingested into
WebEOC. Additionally, PII is included in the NRC reports received by the NICC.

2.3 Does the project use information from commercial sources

or publicly available data? If so, explain why and how this
information is used.
The system does not use commercial or publically available data.

2.4 Discuss how accuracy of the data is ensured.

SAR data is collected and recorded “as is” by the NICC. Any action taken or
based on any SAR data must be properly vetted and researched through appropriate
channels (i.e., DHS NOC, FBI, etc.) once it has been disseminated by the NICC. The
NICC does not vet SAR information, nor does the NICC cross reference or check
information that has been received by the DHS NOC.

2.5 Privacy Impact Analysis: Related to Characterization of the

Information
Privacy Risk: There is a privacy risk that more PII than is needed for further
analysis of the reporting will be collected and retained.
Mitigation: All information that is collected at the time of the reporting will be
used to determine whether a potential SAR event is occurring. Thus, this privacy risk is
inherent in the type of activity that is occurring under the NICC SAR Initiative. As
further dissemination and analysis takes place after the NICC Patriot Report is generated
with the information received, this privacy risk may be mitigated by the use of the
additional PII to determine whether a viable SAR has been received.

Section 3.0 Uses of the Information

The following questions require a clear description of the project’s use of information.

3.1 Describe how and why the project uses the information.
The NICC utilizes the information obtained in the SAR Initiative to report
information related to terrorism-related threats and other criminal activities. This action
enables law enforcement and intelligence analysts the opportunity to evaluate suspicious
activity before an incident, providing another tool to combat terrorism. The NICC uses
this information as a mechanism to share suspicious behavior reports relating to an
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 7

observed encounter or reported activity with appropriate federal entities to evaluate its
potential nexus to terrorism. It is important to note that the NICC SAR Initiative does not
replace the Emergency First Responder services provided by calling 911.
3.2 Does the project use technology to conduct electronic
searches, queries, or analyses in an electronic database to
discover or locate a predictive pattern or an anomaly? If
so, state how DHS plans to use such results.
The NICC does not conduct electronic searches, queries, or analyses in an
electronic database to discover or locate a predictive pattern or an anomaly prior to
submitting a SAR in a NICC Patriot Report.

3.3 Are there other components with assigned roles and

responsibilities within the system?
Information may be shared internally within DHS to those who demonstrate a
need-to-know in the performance of their official duties. PII should only be shared
internally where the information received was for a purpose required by statue, executive
order, or regulation (all other PII received will be managed in accordance with the
requirements for this PIA).

3.4 Privacy Impact Analysis: Related to the Uses of

Information
Privacy Risk: There is a privacy risk that SAR reports containing PII in
connection with a report will be disseminated through the NICC Patriot Report and the
PII will be transmitted to other components within the system with the potential to lead to
unauthorized use of the PII.
Mitigation: This privacy risk is mitigated by the fact that both a redacted and an
un-redacted NICC Patriot Report are generated once a SAR is received. The redacted
NICC Patriot Report, which has been scrubbed of PII, is distributed to a larger group with
a need to know. The un-redacted NICC Patriot Report is disseminated to other agencies
with investigative responsibilities.

Section 4.0 Notice

The following questions seek information about the project’s notice to the individual about the information
collected, the right to consent to uses of said information, and the right to decline to provide information.
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 8

4.1 How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain
why not.
This PIA serves as notice of the NICC SAR initiative. Notice of the initial
collection of SAR data is provided through the DHS SORN titled, “Department of
Homeland Security National Protection and Programs Directorate – 001 National
Infrastructure Coordinating Center Records System of Records,” published on November
15, 2010.

The NICC SAR Initiative is a voluntary submission of unsolicited information

from the reporting individual to the NICC. The reporting individual may call or email the
NICC of their own volition to submit SAR information, where it is collected for inclusion
in a NICC Patriot Report.

4.2 What opportunities are available for individuals to consent

to uses, decline to provide information, or opt out of the
project?
Individuals who are the subject of a SAR are not provided the opportunity to
consent to the use of their information. With SAR data, frequently the individual who is
the subject of the SAR may not be aware that his information has been submitted to DHS.

For information about the individual submitting a SAR, the individual is given the
opportunity to decline to provide their own information.

4.3 Privacy Impact Analysis: Related to Notice

Privacy Risk: Individuals may not be aware of the information collection that is
occurring under the SAR program.
Mitigation: During law enforcement and intelligence activities, such notice may
be counter-productive or simply impossible in the context of certain operations and
investigations. Formal notice of this initiative is provided by this PIA. In addition, the
SORN cited above provides notice that NICC within DHS collects and uses SAR data for
their mission needs.

Section 5.0 Data Retention by the project

The following questions are intended to outline how long the project retains the information after the initial
collection.
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 9

5.1 Explain how long and for what reason the information is
retained.
SARs collected through the HSIN-CS or the LENS portal will be retained for a
period of five years. HSIN-CS users will be required to change the status of their
submissions from active to inactive if an incident is determined to have no nexus to
terrorism.

5.2 Privacy Impact Analysis: Related to Retention

Privacy Risk: There is a privacy risk that records containing PII collected under
the SAR Initiative will be deemed to not qualify as suspicious activities after further
investigation and analysis but will be retained in the system.
Mitigation: This privacy risk will be mitigated by the records retention schedules
that are in place for the SAR Initiative. Given that most of the contained data reported is
not PII, but is more focused on the nation’s CIKR operational status, contemporary
knowledge of incident and recovery planning indicate long periods of historical data is
required to make good decisions on current events.

Section 6.0 Information Sharing

The following questions are intended to describe the scope of the project information sharing external to
the Department. External sharing encompasses sharing with other federal, state and local government, and private
sector entities.

6.1 Is information shared outside of DHS as part of the normal

agency operations? If so, identify the organization(s) and how
the information is accessed and how it is to be used.
When a SAR is submitted, the NICC will create a NICC Patriot Report and a
corresponding redacted NICC Patriot Report. The NICC will then disseminate the
NICC Patriot Reports according to the appropriate protocols and as necessary (e.g.,
to FBI, DHS - Homeland Infrastructure Threat and Risk Analysis Center (HITRAC),
and other agencies).
The NICC Watch uploads redacted Patriot Reports to HSIN-CS where Critical
Infrastructure Stakeholders with access to HSIN-CS main page can access them.
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 10

6.2 Describe how the external sharing noted in 6.1 is

compatible with the SORN noted in 1.2.
The dissemination of NICC Patriot Reports will allow the NICC to collect and
distribute infrastructure information related to all threats and all hazards, law enforcement
activities, acts of terrorism, and other information collected or received.

Consistent with DHS’s information sharing mission, information contained in the

DHS/NPPD – 001 NICC Records System of Records may be shared with other DHS
components, as well as appropriate agencies and entities. This sharing will only take
place after DHS determines that the receiving component or agency has a verifiable need-
to-know the information to carry out national security, law enforcement, immigration,
intelligence, or other functions consistent with Routine Use I set forth in this system of
records notice.

6.3 Does the project place limitations on re-dissemination?

Yes. All NICC Patriot Reports contain the following statement at the bottom of
the page:
Third Agency dissemination of this report is prohibited without prior DHS
approval. Please address requests for further distribution, questions, or
comments to the NICC via telephone 202-282-9201 or email NICC@dhs.gov.

6.4 Describe how the project maintains a record of any

disclosures outside of the Department.
The NICC distributes SAR through email to a select group of recipient within the
federal government. All emails from the NICC Watch are retained in the DHS email
system in accordance with DHS retention policy.

6.5 Privacy Impact Analysis: Related to Information Sharing

Privacy Risk: There is a privacy risk that SAR containing PII outside the scope
of the initial reporting will be disseminated outside the Department.
Mitigation: This privacy risk is mitigated by the fact that both a redacted and an
un-redacted NICC Patriot Report are generated by the NICC once a SAR is received. The
redacted NICC Patriot Report, which has been scrubbed of PII, is disseminated to the
larger authorized and pre-approved group with a need-to-know. The un-redacted NICC
Patriot Report is disseminated to other agencies with investigative responsibilities
pursuant to strict protocols and with a prohibition on further dissemination.
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 11

Section 7.0 Redress

The following questions seek information about processes in place for individuals to seek redress which
may include access to records about themselves, ensuring the accuracy of the information collected about them,
and/or filing complaints.

7.1 What are the procedures that allow individuals to access

their information?
Individuals seeking access to any record containing information that is part of a
DHS system of records, or seeking to contest the accuracy of its content, may submit a
Freedom of Information Act (FOIA) or Privacy Act (PA) request to DHS. Given the
nature of some information in the NICC SAR Initiative, DHS may not always permit the
individual to gain access to or request amendment of his or her record.

The procedures for submitting FOIA requests are available in 6 C.F.R. Part 5.
Please write to “FOIA, U.S. Department of Homeland Security, National Programs and
Protection Directorate, Attn: FOIA Officer, Washington, D.C. 20528.” You may also
make informal inquiries to NPPD.FOIA@dhs.gov.

7.2 What procedures are in place to allow the subject

individual to correct inaccurate or erroneous information?
Given the nature and function of the NICC SAR Initiative, there are no
procedures in place for the subject individual to correct inaccurate or erroneous
information at the time of collection. If additional information is received relating to a
particular incident, the re-submission process allows for the correction of inaccurate or
additional information that may have been reported at the onset of the reporting.

7.3 How does the project notify individuals about the

procedures for correcting their information?
If an individual feels that the information maintained in the SAR system is
inaccurate, there will be two methods available to provide accurate information to the
NICC. The DHS FOIA process (see Question 7.1) allows access to records. All
communications received, regardless of method, will be entered into and remain on
record within the SAR system pursuant to its general record retention schedule and will
be subject to audit.
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 12

7.4 Privacy Impact Analysis: Related to Redress

Privacy Risk: A major privacy risk relating to redress is that an individual may
not be afforded adequate opportunity to correct information.
Mitigation: This privacy risk is mitigated by providing individuals the
opportunity to submit any information they deem relevant to the SAR system. If an
individual believes that he or she has suffered an adverse consequence related to the SAR
system, that individual will be able to provide any information that they deem relevant
with a request that it be included within any record maintained in the SAR system
regarding a particular incident, activity, transaction, or occurrence.

The development of the SAR system and the processes governing its use include
detailed consideration of the impact of erroneous data on individuals. Information in the
SAR system is, by definition, raw information. The SAR system is simply a pool of un-
vetted, reported “as is” information that is maintained in a manner making it accessible to
appropriate official entities for further investigation and analysis predicated upon
reasonable suspicion of a terrorism nexus.
Having verified and accurate information is the ultimate goal of the NICC, as well
as all law enforcement, intelligence community, and other governmental officials using
the system. The redress process referred to in Question 7.2, above, will help to ensure
that the information is accurate. NICC Watch Standers will ensure the integrity of the
SAR information based upon information provided by individuals, as well as any updates
received from law enforcement and other government authorities.

Section 8.0 Auditing and Accountability

The following questions are intended to describe technical and policy based safeguards and security
measures.

8.1 How does the project ensure that the information is used in
accordance with stated practices in this PIA?
The NICC SAR Initiative serves as a mechanism by which a report involving
suspicious behavior relating to an observed encounter or reported activity is received and
evaluated to determine its potential nexus to terrorism. Once the information is collected,
a NICC Patriot Report is created and transmitted to the FBI for further analysis and
dissemination. Given its role, the NICC SAR Initiative does not analyze the submissions
received. Rather, the transmission to the FBI allows for auditing of the information to be
completed at the next level. Thus, the NICC SAR Initiative solely serves as a repository
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 13

for the collection of information and no auditing mechanisms are in place to verify the
information collection at this stage.

8.2 Describe what privacy training is provided to users either

generally or specifically relevant to the project.
All DHS employees are required to take annual computer security training, which
includes privacy training on appropriate uses of sensitive data and proper security
measures. In addition, all Watch Standers must complete PII, PCII and CVI training
before becoming Watch-qualified to access the data.

8.3 What procedures are in place to determine which users

may access the information and how does the project
determine who has access?
Access to records in maintained through password protections and tiered access to
the information that is contained within the system. In addition, all Watch Standers must
complete PII, PCII and CVI training before becoming Watch qualified to access the data.
Further, all Watch Standers are scheduled to complete vetting training, and must maintain
an active “Secret” security clearance or higher. Also, authentication and role-based user
access requirements ensure that users can only access or change information that is
appropriate for their official duties.
 Privacy Impact Assessment
NPPD, Suspicious Activities Reporting Initiative
Page 14

8.4 How does the project review and approve information

sharing agreements, MOUs, new uses of the information,
new access to the system by organizations within DHS and
outside?
All MOUs are reviewed by the program manager, component Privacy Officer,
and counsel and then sent to DHS for formal review.

Responsible Officials
Shawn Graff
Director, National Infrastructure Coordinating Center
Office of Infrastructure Protection
National Protection and Programs Directorate

Approval Signature

(Original signed copy on file with the DHS Privacy Office)

Mary Ellen Callahan

Chief Privacy Officer
Department of Homeland Security