The Department of Homeland Security (DHS) empowers its programs to succeed by integrating privacy protections from the outset. The DHS Privacy Office is the first statutorily mandated privacy office in the Federal Government and serves a unique role as both an advisor and oversight body for the department.
DHS views privacy as more than just compliance with privacy laws. Privacy at DHS is also about public trust and confidence. It’s about how the government acts responsibly and transparently in the way it collects, maintains, and uses personally identifiable information.
DHS employs a layered approach to privacy oversight for the department’s cybersecurity activities. It starts with the Chief Privacy Officer and extends through the National Protection and Programs Directorate (NPPD)’s Component Privacy Officer, the Director of Privacy Technology, and dedicated privacy staff across the department.
- This fact sheet summarizes the nexus between privacy and cybersecurity at DHS.
Fair Information Practice Principles (FIPPs)
In 2008, DHS issued a policy declaring the eight Fair Information Practice Principles (FIPPs) as the foundation and guiding principles of the Department’s privacy program. The FIPPs were formed from the foundations of the Privacy Act of 1974, and memorialized in the National Strategy for Trusted Identities in Cyberspace.
On February 12, 2013, the President signed an Executive Order on Improving Critical Infrastructure Cybersecurity (Executive Order) (learn more about the White House’s ongoing cybersecurity policies). Section 5 of the Executive Order directs the DHS Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties to issue an annual report using the FIPPs to assess the Department’s cyber operations under the Executive Order. As Deputy Attorney General James M. Cole explained during the public presentation of the Executive Order, the FIPPs are “time-tested and universally recognized principles that form the basis of the Privacy Act of 1974 and dozens of other federal privacy and information protection statutes.”
The Executive Order also directs the senior agency privacy and civil liberties officials of other agencies engaged in activities under the order to conduct their own assessments for inclusion in the DHS public report. In 2010, DHS issued a White Paper on Computer Network Security & Privacy Protection to provide an overview of the Department's cybersecurity responsibilities, the role of the EINSTEIN system in implementing those responsibilities, and the integrated privacy protections.
Executive Order 13636 Assessment Reports
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, requires that senior agency officials for privacy and civil liberties assess the privacy and civil liberties impacts of the activities their respective departments and agencies have undertaken to implement the Executive Order, and publish their assessments annually in a report compiled by the DHS Privacy Office and Office for Civil Rights and Civil Liberties.
- 2015 Executive Order 13636 Privacy and Civil Liberties Assessment Report, April 10, 2015.
- 2014 Executive Order 13636 Privacy and Civil Liberties Assessment Report, April 2014.
- Letter from the Privacy & Civil Liberties Oversight Board to DHS, March 21, 2014.
- DHS response letter, April 8, 2014.
- DOJ response letter, April 4, 2014.
Cyber-Related Privacy Impact Assessments
- DHS/NPPD/PIA-027 EINSTEIN 3 Accelerated (E3A), April 19, 2013.
- DHS/NPPD/PIA-028 Enhanced Cybersecurity Services (ECS), January 16, 2013.
- DHS/NPPD/PIA-026 National Cybersecurity Protection System (NCPS), July 30, 2012.
- DHS/NPPD/PIA-008 EINSTEIN 2, May 19, 2008.
- DHS/NPPD/PIA-001 The EINSTEIN Program, September 2004.
- Retired Cyber-Related Privacy Impact Assessments
Privacy Compliance Reviews
- Privacy Compliance Review of the EINSTEIN Program, January 3, 2012.
Additional Guidance
- DPIAC Recommendations Paper 2012-01, November 7, 2012. Sets forth recommendations for DHS to consider when evaluating the effectiveness of cybersecurity pilots, and for specific privacy protections DHS can consider when sharing information from a cybersecurity pilot with other agencies.