Customs and Border Protection released the personally identifiable information, including Social Security numbers, of thousands of individuals to dozens of federal agencies during an investigation of cheating on polygraph tests.
CBP violated some aspects of the Privacy Act in distributing the information across government, the Homeland Security Department’s inspector general found in its report. The agency collected and distributed information such as Social Security numbers, email and mailing addresses, and phone numbers of individuals who had purchased materials from two individuals who helped job applicants pass polygraphs.
Over the course of the two investigations, CBP sent the sensitive PII of 5,000 individuals to up to 30 federal agencies that themselves conduct “lie-detector” polygraph exams. Some of the individuals were never federal employees or applicants. In 2011 and 2012, CBP investigated Chad Dixon and Douglas Williams for training potential and current federal employees on “countermeasures designed to conceal disqualifying information during polygraph examinations.” Both Dixon and Williams have served time in prison for their crimes.
While CBP collected and stored the PII in compliance with federal statute, the agency showed “little regard for individuals’ privacy” when distributing the information to other agencies, according to the IG. CBP often did not “document its disclosures of sensitive PII, password protect sensitive PII in electronic transmissions or obtain consent from the agencies that originated the information to further disseminate it.” Those failures represented violations of the 1974 Privacy Act, the IG said, potentially compromising the individuals’ privacy.
Had CBP conducted the information sharing properly, it would have been allowed, provided it did so to “further its investigations.” The auditors, however, questioned whether CBP actually had that objective in mind when distributing the data.
“Because of the criticality of their mission, the Privacy Act gives law enforcement officials wide latitude in sharing PII,” the IG wrote. “But the mission’s criticality, along with the importance of maintaining public trust, also make it imperative that law enforcement officials not take advantage of their authority and fail to safeguard individuals’ privacy.”
Of the individuals in the shared dataset whose profession was listed, nearly 70 percent had “no apparent affiliation” with the federal government. Their jobs ranged from priest to professional golfer to actor. Several dozen individuals on the list were deceased.
In interviews, CBP staff told the auditors that privacy concerns often interfered with conducting investigations and that training on the subject was not specific to a law enforcement environment.
The IG recommended revised standard operating procedures for information sharing to ensure compliance with privacy rules, and more specific training on privacy policies and guidelines. CBP said it is currently taking steps to address both of those suggestions.