Full Report
Department of Homeland Security leaders removed top privacy officers who objected to mislabeling government records to block their public release, WIRED has learned.
Analysis Summary
# Regulation/Compliance: Freedom of Information Act (FOIA) & Privacy Act Compliance
## Overview
This matter concerns the mandatory disclosure requirements for federal agency records under the Freedom of Information Act (FOIA) and the statutory privacy compliance obligations regarding the collection of personally identifiable information (PII) through government surveillance technologies. It specifically addresses the misuse of "Draft" and "Deliberative Process" designations to circumvent public disclosure mandates.
## Key Details
- **Issuing Authority:** Department of Homeland Security (DHS) / DHS Privacy Office
- **Effective Date:** Policy change issued December 3, 2025 (approximate based on report)
- **Jurisdiction:** Federal Law / U.S. Government Agencies (specifically CBP/DHS)
- **Status:** In Effect (Internal DHS Policy); Legally Contested
## Requirements
### Mandatory Requirements
1. **Privacy Threshold Analysis (PTA):** Agencies must complete a PTA for any system that harvests or uses personal data to determine if a full Privacy Impact Assessment (PIA) is required.
2. **FOIA Disclosure:** Federal agencies must release non-exempt records to the public upon request.
3. **Accurate Record Labeling:** Records must be labeled according to their actual status; finalized, signed compliance documents may not be fraudulently labeled as "drafts" to bypass disclosure laws.
4. **Privacy Act Compliance:** Surveillance systems (e.g., Mobile Fortify face recognition) must be documented to ensure they comply with federal law regarding data retention and notification.
### Recommended Practices
1. **Ethical Compliance Reporting:** Privacy officers should have the autonomy to report illegal orders without fear of reassignment or retaliation.
2. **Transparency in Surveillance:** Publicly disclose data retention periods (e.g., the 15-year storage policy mentioned) to maintain public trust.
## Affected Organizations
- **Industries:** Federal Government, Law Enforcement, Defense
- **Organization Size:** All DHS components and sub-agencies (CBP, ICE, etc.)
- **Geographic Scope:** United States federal jurisdiction
## Compliance Timeline
- **December 3 (Year Prior):** DHS Privacy Office announced a "major change" requiring all PTAs to carry a disclaimer marking them as exempt.
- **January – February (Current Year):** Removal and reassignment of top CBP Privacy and FOIA officials who questioned the policy.
- **Ongoing:** Legal challenges and internal friction regarding the "Pre-decisional, Deliberative" designation of signed compliance forms.
## Implementation Guidance
### Assessment Phase
- Evaluate all current Privacy Threshold Analyses (PTAs) to determine if they contain "For Official Use Only" (FOUO) or "Draft" disclaimers that conflict with their signed, final status.
### Implementation Phase
- Ensure all technology-usage records (specifically biometric apps like Mobile Fortify) are documented in compliance with the Privacy Act.
- Apply FOIA exemptions (like Exemption 5: Deliberative Process) only where documents are authentically pre-decisional.
### Validation Phase
- Audit by the Office of Inspector General (OIG) or Government Accountability Office (GAO) to ensure records are not being mislabeled to shield surveillance activities from oversight.
## Technical Requirements
- **Data Retention Controls:** Configure surveillance databases to adhere to the 15-year storage limit identified in released assessments.
- **Labeling Metadata:** Technical systems for document management must accurately reflect the "Final" signed status of compliance forms to prevent automated misclassification as "Draft."
## Penalties & Enforcement
- **Fines:** Potential civil penalties under FOIA and the Privacy Act.
- **Other Consequences:** Administrative actions against officials; loss of public trust; court-ordered disclosures and payment of plaintiff legal fees.
- **Enforcement:** Enforced via judicial review in Federal Court (FOIA lawsuits) and oversight by the DHS Office for Civil Rights and Civil Liberties (CRCL).
## Related Standards
- **FOIA (5 U.S.C. § 552):** The primary statute governing public access to records.
- **Privacy Act of 1974:** Requirements for how agencies collect and maintain PII.
- **NIST SP 800-53:** Privacy controls (specifically Authority and Purpose, and Transparency).
## Resources
- **Official Documentation:** [dhs.gov/privacy] (Defanged)
- **Guidance Documents:** FOIA Guide - [justice.gov/oip/doj-guide-freedom-information-act-0] (Defanged)
- **Tools:** DHS PTA Template and FOIA Public Liaison.
## Practical Recommendations
- **Avoid Categorical Withholding:** Do not attempt to categorically exempt PTAs via templates; each document must be reviewed individually.
- **Protect Whistleblowers:** Ensure internal channels are open for compliance officers to voice concerns regarding the legality of labeling policies.
- **Legal Review:** Conduct a legal review of the "Draft" disclaimer policy to ensure it does not constitute a "policy of secrecy" that violates federal records law.