CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data (REDACTED)

Date Issued

Friday, September 29, 2023

Submitting OIG

Department of Homeland Security OIG

Other Participating OIGs

Department of Homeland Security OIG

Agencies Reviewed/Investigated

Department of Homeland Security

Components

United States Customs and Border Protection (CBP)

Report Number

OIG-23-61

Report Description

U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), and the United States Secret Service (Secret Service) did not adhere to Department privacy policies or develop sufficient policies before procuring and using commercial telemetry data (CTD). Specifically, the components did not adhere to DHS’ privacy policies and the E-Government Act of 2002, which require certain privacy sensitive technology or data obtained from that technology, such as CTD, to have an approved Privacy Impact Assessment (PIA) before such technology is developed or procured.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
We recommend that the Commissioner, U.S. Customs and Border Protection discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.
3	No	$0	$0
We recommend that the Director, U.S. Immigration and Customs Enforcement discontinue use of commercial telemetry data until the Privacy Impact Assessments are completed and approved.
5	No	$0	$0
We recommend that the Director, United States Secret Service develop and implement controls to ensure compliance with DHS privacy policies, specifically approval of Privacy Impact Assessments, when required, before developing or procuring information technology that collects, maintains, or disseminates information in an identifiable form.
7	No	$0	$0
We recommend that the Chief Privacy Officer, DHS Privacy Office ensure compliance with its privacy policies or revise them to include the guidance necessary for program offices to meet the intent of the privacy requirements when, with due diligence, the technology needs to be procured and tested to complete the Privacy Impact Assessment process. The additional guidance, if developed, should address justification for deviating from Privacy Impact Assessment–related privacy policies and restrictions on the operational use of privacy-sensitive information; the guidance should also ensure Privacy Impact Assessments are completed before privacy-sensitive information is collected and used operationally.
8	No	$0	$0
We recommend that the Chief Data Officer, Office of Chief Information Officer, Management Directorate develop and implement a department-wide commercial telemetry data policy, including component policy requirements, to ensure oversight of commercial telemetry data use, privacy protection, and applicable legal standards.