The Biometric Scan

Featured Article

Safeguarding Privacy:  A Key Link to Identity Protection

Q. How do privacy safeguards and identity protection interrelate?

A. Ensuring that a system—or collection of records—maintains privacy integrity requires that safeguard procedures are outlined and followed.  It is commonly accepted that, with three separate components of personally identifiable information (PII), a person’s identity can be established; for instance, full name, birth date, and zip code.  U.S. government systems are required to comply with the Privacy Act and the E-Government Act of 2002, both of which minimize the disclosure of PII.

Q. Does this Privacy Compliance protect the BTF database (DoD ABIS) from having identities compromised as seen when laptops have gone home with employees?

A. The DoD Automated Biometric Information System (ABIS) resides on standalone servers.  No information is downloaded to laptops and brought home.  Sometimes CDs are used to transport data sets, but only through an authorized chain of custody.  The biometric data on the DoD ABIS server is primarily just the rudimentary biometric (e.g., fingerprints, iris, face, palm) and some biographic information, not the “so what,” which is how we refer to the intelligence value of those data.

The technical tests for accreditation are important processes for the DoD ABIS in order to ensure privacy protections.

Q. What is the BTF doing to support DoD ABIS E-Government Act compliance?

A. The E-Government Act requires that a Privacy Impact Assessment (PIA) be conducted for a system such as the DoD ABIS.  The BTF will work with other parties that have DoD ABIS PIA responsibility.  Conducting a PIA typically involves complex coordination with components external to the BTF, to include:  Army Office of General Counsel (AOGC), Army Privacy Office (APO), Defense Privacy Office (DPO), CIO/G-6, NETCOM, and OSD.  For any given U.S. government office, a PIA requires close collaboration of both the operational/technical experts and the policy/privacy experts.

Q. Is the privacy policy a lot of legal red-tape, or does it protect the privacy of U.S. and non-U.S. persons?

A. The aforementioned privacy compliance safeguards are very important and go a long way toward protecting privacy rights.  Not only do we as U.S. citizens expect that our government is protecting us, we want the same safeguards if we travel to London to see the 2012 Olympics, for example.  If my fingerprint is taken upon arrival in that country, I hope the same diplomatic safeguards are in place.  Additionally, the U.S. follows fundamental human rights that protect both law-abiding and law-breaking persons’ minimal privacy interests.  Pursuant to DoDD 8521.01E, DoD Biometrics, the BTF Policy Branch works with the Biometric Enterprise to meet any enterprise needs related to the development of non-U.S. person privacy policies.  Thus, even the privacy interests of non-U.S. persons are being addressed.  The BTF Policy Branch has recently submitted a “Privacy Interests of Non-U.S. Persons” policy to DDR&E for staffing through the Executive Committee.

Q. There are many business and civilian-sector counterparts of privacy protection. Are these the same regulations that prevent me from gaining access to my child's health records or their grades at college?

A. You got it. While privacy protection is necessary, it can lead to frustrating results.  For example, without your child’s Social Security Number, the health care industry’s Health Insurance Portability and Accountability Act (HIPAA) protects privacy from any inquiring individual, but not necessarily from insurance companies.  Additionally, the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records.  The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education, and it mandates that the student sign a waiver for his or her grades to go to the parents.  Other examples of privacy protection include the Genetic Information Nondiscrimination Act (GINA), which prohibits U.S. insurance companies and employers from discriminating on the basis of information derived from genetic tests, and the Right to Financial Privacy Act (RFPA) of 1978 (12 U.S.C. §§ 3401-342), which protects the privacy of bank records.  The RFPA was amended by the USA PATRIOT Act of 2001:  Section 358 of the USA PATRIOT Act amended the RFPA to permit the disclosure of financial information to any intelligence or counterintelligence agency in any investigation related to international terrorism (October 2001).  In the retail sector, many individual companies have privacy policies, including online privacy policies.  The National Retail Federation has a Privacy Committee to protect consumer privacy.  Various states have enacted legislation directed at protecting the retail consumer’s privacy.

Q. Does the BTF take privacy compliance seriously?

A. Yes, the BTF takes privacy very seriously.  The BTF Policy Branch works on an ongoing basis to ensure compliance with the Privacy Act and the E-Government Act.  In accordance with DoDD 8521.01E, the Policy Branch works with the enterprise to meet any enterprise needs related to the development of non-U.S. person privacy policies.  Based on existing authority, the BTF develops privacy-related policies to support biometrics implementation.  Moreover, the BTF is developing and implementing a Privacy/Information Assurance Plan as required by the Biometrics Enterprise Strategic Plan (BESP(I) 3.7.4).  The BTF has also developed and will be implementing a FOIA compliance SOP.

(Submitted by Brandon Schneider and Rick Newbold, BTF Policy Branch)
