USCIS Privacy &Confidentiality Policies
USCIS Policy Manual Chapter 7 – Privacy and Confidentiality A. Privacy Act of 1974 The Privacy Act provides that federal agencies must protect against the unauthorized disclosure of personally identifiable information (PII) that it collects, disseminates, uses, or maintains. The Privacy Act requires that personal information belonging to U.S. citizens and lawful permanent residents (LPRs) be protected from unauthorized disclosure. Violations of these requirements may result in civil and criminal penalties. B. Fair Information Practice Principles DHS treats all persons, regardless of immigration status, consistent with the Fair Information Practice Principles (FIPPs). The FIPPs are a set of eight principles that are rooted in the tenets of the Privacy Act of 1974. The principles are: Transparency; Individual participation; Purpose specification; Data minimization; Use limitation; Data quality and integrity; Security; and Accountability and auditing. The table below provides a description of each principle. Fair Information Practice Principles DHS Framework for Privacy Policy Principle Description Transparency DHS provides transparency for how it handles sensitive information through various mechanisms, including Privacy Impact Assessments, System of Records Notices, Privacy Act Statements, and the Freedom of Information Act (FOIA). Individual Participation To the extent practicable, DHS should involve persons in the process of using their personal information, and they may always request information about themselves through a FOIA request. Purpose Specification DHS’ default action should be to not collect information, and if it is otherwise necessary, DHS should articulate the authorities that permit collection and must clearly state the purposes of the information collection. Data Minimization DHS collects only information relevant and necessary to accomplish the purposes specified and special emphasis is placed on reducing the use of sensitive personal information, where practical. Use Limitation Any sharing of information outside of the agency must be consistent with the use or purpose originally specified. Data Quality and Integrity DHS should, to the extent practical, ensure that PII is accurate, relevant, timely, and complete. Security DHS uses appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification or unintended or inappropriate disclosure. Accountability and Auditing DHS has a number of accountability mechanisms, including reviews of its operations, training for employees, and investigations when appropriate. C. Personally Identifiable Information DHS defines PII as any information that permits the identity of a person to be directly or indirectly inferred, including any information which is linked or linkable to that person regardless of whether the person is a U.S. citizen, lawful permanent resident (LPR), visitor to the United States, or a DHS employee or contractor.[3] Sensitive PII is defined as information which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to a person.[4] Some examples of PII that USCIS personnel may encounter include: Name; Address; Date of birth; and Certificate of Naturalization or Citizenship number. Alien number (A-number); Social Security number; Driver’s license or state ID number; Passport number; and Biometric identifiers. USCIS employees have a professional and legal responsibility to protect the PII the agency collects, disseminates, uses, or maintains. All USCIS employees must follow proper procedures when handling all PII and all information encountered in the course of their work. All USCIS employees processing PII must know and follow the policies and procedures for collecting, storing, handling, and sharing PII. Specifically, USCIS employees must: Collect PII only when authorized; Limit the access and use of PII; Secure PII when not in use; Share PII, only as authorized, with persons who have a need to know; and Complete and remain current with all privacy, computer security, and special protected class training mandates. D. Case-Specific Inquiries USCIS receives a variety of case-specific inquiries, including requests for case status updates, accommodations at interviews, appointment rescheduling, and the resolution of other administrative issues. USCIS personnel are permitted to respond to these inquiries if: The requestor is entitled to receive the requested case-specific information; and Disclosure of the requested case-specific information would not violate Privacy Act requirements or other special protected class confidentiality protections. 1. Verifying Identity of Requestor USCIS employees must verify the identity of a person inquiring about a specific application or petition. For in-person inquiries, those present must provide a government-issued identity document so that USCIS can verify their identity. For inquiries not received in person (for example, those received through telephone call or email), it may be difficult to verify the identity of the person making the request through a government-issued document. In these cases, USCIS employees should ask for specific identifying information about the case to ensure that it is appropriate to communicate case-specific information. Examples of identifying information include, but are not limited to: receipt numbers, A-numbers, full names, dates of birth, email addresses, and physical addresses. If a person is unable to provide identifying information that an applicant, petitioner, or representative should reasonably know, USCIS employees may refuse to respond to the request, or direct the requestor to make an appointment at a local field office or create a myUSCIS account. 2. Disclosure of Information Except for case types with heightened privacy concerns, USCIS employees may communicate about administrative case matters if the requestor is able to demonstrate his or her identity (for example, by showing government-issued identification during an in-person encounter), or provide verifying information sufficient to demonstrate that communication would be proper. Administrative case matters are generally any issues that do not involve the legal substance or merit of an application or petition. USCIS employees should not disclose PII when responding to case-specific requests; inquiries can generally be resolved without any discussion of PII. To ensure that a USCIS employee is not disclosing PII, the USCIS employee can always require that the requestor first provide and confirm any PII at issue. In addition, a USCIS employee may take action that results in the resending of cards, notices, or documents containing PII to addresses on file instead of directly disclosing PII to a requestor. Interested parties may be present at in-person appointments or during telephone calls, with the consent of the … Read more