News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | The Privacy Challenges of U.S. Fusion Centers Related reading: A comprehensive guide to creating a sustainable cookie program

rss_feed

""

By Rebecca Andino, PMP, CIPP/G

Consider these scenarios:

Scenario #1: Officials suddenly notice a pattern of individuals trespassing in unusual areas of a subway. They take action and successfully prevent a terrorist attack, saving dozens of lives.

Scenario #2: A large corporation partners with a state fusion center and quietly uses its databases to screen prospective employees. When the media reports this, citizens are outraged, authorities and officials are scrambling, and Congress is planning hearings.

These are just two examples of the opportunities and privacy risks involved in U.S. fusion centers.

Fusion centers have existed in various forms for decades, but since 9/11, their role has expanded and evolved. Recent actions, such as the Implementing Recommendations of the 9/11 Commission Act of 2007 ("The 9/11 Act") (P.L. 110-53), passed by Congress August 3, 2007, and the president's October 2007 National Strategy on Information Sharing, which announced federal funding and technical support for fusion centers, have underscored the importance of their role in the U.S. counter-terrorism mission.

Fusion centers may increase public safety because they facilitate information sharing between different levels of government and between the public and private sectors. A fusion center, as defined by the Department of Justice (DOJ) in the Fusion Center Guidelines, is a "collaborative effort between two or more agencies that provide resources, expertise, and information to the center with the goal of maximizing their ability to detect, prevent, investigate and respond to criminal and terrorist activity."

However, complex lines of authority, the variety of implementations and the fact that 58 centers are already fully operational, create privacy challenges and opportunities.

Current Status of Fusion Centers
According to the interactive map on the American Civil Liberties Union (ACLU) Web site, fusion centers exist in every state except Idaho and Hawaii. The Congressional Research Service (CRS) report "Fusion Centers: Issues and Options for Congress," reports that the majority are co-located with a state police headquarters; fewer than 20 percent of fusion centers are regional or local in jurisdiction.

Fundamentally, fusion centers are not federal entities; they are operated by state, regional, or local law enforcement entities. According to the CRS report, the Department of Homeland Security (DHS) has provided about $380 million in funding since 2001. It estimates fusion centers are funded about 80 percent by states and 20 percent by the federal government. Each fusion center has a different funding and governance structure. As a result, each fusion center is subject to a unique combination of state and federal laws governing criminal intelligence information collection and handling and information sharing.

There are numerous federal touch-points to fusion centers. The official federal liaison to fusion centers is the State and Local Program Office in the Intelligence and Analysis Office of the DHS. The DHS provides staffing, technical, and privacy and civil liberties training to fusion centers and collaborates with the Global Justice Information Sharing Initiative ("Global"), a DOJ entity, to deliver training. In addition, the FBI provides special agents and other staff; more than a dozen fusion centers are collocated with FBI entities. Finally, because fusion centers are part of the Information Sharing Environment (ISE), the Program Manager of the ISE, from the Office of the Director of National Intelligence (ODNI), provides the overall information sharing framework, privacy guidance and resources.

The key privacy challenges related to fusion centers stem from the complex governance structures, and the need to apply the appropriate levels of transparency to this high-profile security mission.

Complex Governance
There is no lack of guidance; the federal government has provided substantial privacy guidelines and resources to fusion centers, including those listed in the sidebar. Instead, the challenges are related to how the guidance will be implemented, and the roles, responsibilities and accountability assignments.

Currently, there is forward momentum and cooperation between Federal agencies and fusion centers, demonstrated by joint participation in the DHS Data Privacy and Integrity Advisory Committee, joint press releases and well-attended fusion center conferences. However, it is a work in progress; the relationships between DHS and each of the 58 fusion centers are still being established. The agencies are currently in the process of defining how privacy and civil liberties guidance provided from the federal government will be ensured.

Federal agencies must use influence, not authority, to achieve fusion center compliance with the federal privacy guidelines. The ISE guidelines do not apply to fusion centers, but do require federal entities to ensure that any fusion center with which they share information has privacy protections that are at least as comprehensive as the ISE guidelines. The DOJ Fusion Center Guidelines are completely voluntary, although, according to a DHS official, all fusion centers have agreed to follow them.

Typical non-compliance actions, such as withholding funding or revoking network connectivity would halt information sharing, harming the overall counter-terrorism mission. Instead, the federal government has engaged fusion centers in a collaborative partnership to achieve alignment with the guidelines. DHS, DOJ and the ISE are offering training and other resources such as sample privacy policies and procedures, through the Global Fusion Process Technical Assistance Program.

Transparency and the Fair Information Practices
The second major privacy challenge of fusion centers is to achieve the appropriate balance between transparency and the protection of sensitive, mission-critical information.

As non-federal entities, fusion centers are not bound by the Privacy Act or E-Government Act, although the DHS and National Governors Association recommend all fusion centers develop a Privacy Impact Assessment (PIA) as a privacy management tool. The DHS is providing PIA training and assistance to each of the fusion centers through the Global program. Whether the PIAs will be made available to the public is up to the leadership of each individual fusion center.

At the federal level, DHS is required to perform an overall PIA on fusion centers. In the 9/11 Act, Congress directed the DHS privacy officer to deliver a Concept of Operations that includes an initial privacy and civil liberties assessment by November 2007, and a PIA on August 8, 2008. The PIA is currently in draft form and under review for submission to Congress.

All fusion centers are different. Some are extremely open about their information practices, even providing their standard operating procedures to the public. Others are not as open. Privacy issues will be discussed in each fusion center's PIA, if fusion centers choose to create them, and will address their approach to the Fair Information Practices (FIPs). Issues include:

Openness
Many fusion centers have not shared with the public what databases they use. This was demonstrated in an April 2, 2008 article in The Washington Post titled "Centers Tap into Personal Databases." It revealed that several fusion centers in the northeast have access to millions of people's information including unlisted cell phone numbers, insurance claims, driver's license photographs and credit reports. Although these resources are common to state and local law enforcement agencies, the fact that fusion centers had access to such a wide variety of commercial databases was previously unknown to the public.

In March 2008, EPIC filed a Virginia FOIA lawsuit against the Virginia State Police for refusing to provide information on meetings with the DHS and the DOJ regarding funding, operations and information-sharing governance.

Collection
While many fusion centers do adhere to 28 CFR, Part 23, which requires "reasonable suspicion" in collecting information on individuals, some fusion centers may not. PIAs, if developed and published, will describe the conditions under which personal information is collected.
In its article "What's Wrong with Fusion Centers," the ACLU equates the fusion process to data mining on innocent individuals, a practice they claim is both unfair and ineffective for predicting or preventing acts of terrorism.

Use
To comply with the FIPs, fusion centers should ensure that personal information will be shared with other entities only for its lawfully-stated purpose. Fusion centers will share information with the private sector. In a warning similar to the example scenario at the beginning of this article, the ACLU cautions that protections against improper private sector use must be built in to ensure people will not be unfairly fired from a job, evicted from an apartment, denied a loan or otherwise unfairly treated based on information shared between a fusion center and the private sector.

Individual Participation
Individual participation—in particular, redress—in fusion centers is challenging, for two reasons. First, information collected about individuals in fusion centers is often exempt from State Freedom of Information laws, so limited if any individual participation is possible. Second, the complex network of fusion centers and the federal government may make it particularly difficult for an individual to determine which entity "owns" his or her information in order to submit a redress request to that entity.

The Fusion Center Guidelines do not recommend a specific redress policy, but state that fusion centers should consider implementing the Fair Information Principles, including the "Individual Participation" principle. Section 8 of the ISE's 2006 Privacy Guidelines directs federal agencies that participate in the ISE to implement redress processes.

Accountability
Who is ultimately accountable for protecting privacy? Larry Ponemon of The Ponemon Institute asked this question at the September 19, 2007 DHS Advisory Committee meeting. One panelist responded that the fusion center director would be responsible and accountable; another said the "buck stops" with the governor of each state. Because all states have different governance models and internal oversight processes, they said there is no "cookie-cutter approach."

Next Steps
The DHS Privacy Office is completing the fusion center PIA and will submit it to Congress. The majority of DHS PIAs are made available to the public, although the DHS has not stated whether this PIA will be released. The DHS is in the process of identifying the privacy point of contact at each fusion center; representatives are traveling to meet individuals at each fusion center. The DHS and Global will continue to deliver privacy and civil liberties training to analysts assigned to fusion centers. As one DHS official stated, "Protecting privacy in fusion centers is a continuous process. There is no finish line."

Rebecca Andino, PMP, CIPP/G, is president and founder of Highlight Technologies, a firm providing program management and privacy consulting services to national security programs. Contact Rebecca Andino at randino@highlighttech.com or 202-271-0469.

Comments

If you want to comment on this post, you need to login.

Related Stories
FISA Section 702's Reauthorization Era
1
For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, ...
Read More queue Save This
Major trends in US cybersecurity law and policy
Privacy professionals have always needed to have one eye on data security. However, the obligation of data custodians to protect the confidentiality, integrity and availability of the personal information they hold is becoming increasingly complex with its own, sometimes overlapping, sometimes confl...
Read More queue Save This

Related Stories
Recent Comments