The Department of Homeland Security Privacy Office is responsible for ensuring that the Department has procedures in place to receive, investigate, respond to, and, when appropriate, provide redress for privacy complaints. U.S. citizens, Lawful Permanent Residents (LPR), visitors to the United States, and aliens may submit privacy complaints to the Department. The Privacy Office also reviews and responds to privacy complaints referred by employees throughout the Department or those submitted by other government agencies, the private sector, or the public.
Unfortunately, over the past three years, the number of privacy complaints have increased from around 2,100 in the April 1, 2016 – March 31, 2017 time period to almost 12,200 in the April 1, 2018 – March 31, 2019 time period. The Privacy Office will soon be publishing the 2019-2020 annual report. Hopefully this report will address the reasoning behind the substantial increase in privacy complaints.
Privacy complaints are typically divided into four categories. They are: procedure, redress, operational, and referred. Procedure complaints are those such as consent, collection, and appropriate notice at the time of collection. Redress includes appropriate access or correction to Personally Identifiable Information (PII) held by DHS. It also includes DHS Traveler Redress Inquiry Program (DHS TRIP) privacy-related complaints. Operational involves general privacy concerns or other concerns that are not addressed in process or redress but don’t pertain to Privacy Act matters. Last, referred are those complaints referred to another federal agency or external entity for handling. For DHS TRIP, the complaint form includes a privacy check box that reads: “I believe my privacy has been violated because a government agent has exposed or inappropriately shared my personal information.”
Table 1 shows privacy complaints received by the DHS Privacy Office for the time period March 2014 through March 2019. The Privacy Office did not provide the data over a longitudinal basis and therefore the table is a compilation of information from the Privacy Office Annual Reports from July 2014 to June 2019.
Two issues associated with data contained in the previous table surface. The first is double-counting and that the data for each of the years 2014-2015 and 2015-2016 actually represents 13 months worth of complaints while the data for each of the later years correctly represents 12 months of information. Fortunately, the “overlap” challenge was corrected in more recent years.
The second and more troublesome concern is that the number of privacy complaints nearly tripled (5,921/2,061 = 2.87) from the April 1, 2016 – March 31, 2017 time period to the April 1, 2017 – March 31, 2018 time period and more than doubled (12,164/5,921 = 2.05) from the April 1, 2017 – March 31, 2018 time period to the April 1, 2018 – March 31, 2019 time period.
Table 1 also shows that the majority of the complaints and the biggest percentage increase are in the redress and operational categories.
The latest annual report provides some evidence for the origin of these complaints but no basis for the increase (See Table 2). For the last six months of available data, from October 1, 2018 to March 31, 2019, the majority of the privacy complaints were considered to be operational. CBP operational complaints might be physical screening and pat down procedures at airports. The Privacy Office also published the FY 2019 Semiannual Report on January 22, 2020. Unfortunately, CBP complaints were not included.
Only in a few select instances has the Privacy Office addressed the reasoning for why people are filing these complaints. Even if a large number of these complaints are unfounded, the perception among filers is that they have a privacy issue. In the next several months, the Privacy Office will be publishing the July 2019 to June 2020 annual privacy report. Hopefully the new report will address the reasoning behind the substantial increase in privacy complaints.