From: "Saved by Windows Internet Explorer 8"
Subject: Federal Register, Volume 78 Issue 49 (Wednesday, March 13, 2013)
Date: Fri, 26 Apr 2013 10:54:31 -0400
MIME-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://www.gpo.gov/fdsys/pkg/FR-2013-03-13/html/2013-05674.htm
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609
=EF=BB=BF
Federal Register, Volume 78 Issue 49 (Wednesday, =
March 13, 2013)
[Federal Register Volume 78, Number 49 (Wednesday, March 13, =
2013)]
[Notices]
[Pages 15962-15968]
From the Federal Register Online via the Government Printing Office [http://www.gpo.gov/]
[FR Doc No: 2013-05674]
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Office of the Secretary
[Docket No. DHS-2012-0073]
Privacy Act of 1974; Department of Homeland Security, U.S.=20
Customs and Border Protection--DHS/CBP-018--Customs--Trade Partnership=20
Against Terrorism (C-TPAT) System, System of Records
AGENCY: Privacy Office, Department of Homeland Security.
ACTION: Notice of Privacy Act system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, the Department of=20
Homeland Security proposes to
[[Page 15963]]
establish a new system of records titled, ``Department of Homeland=20
Security, U.S. Customs and Border Protection, DHS/CBP-018 Customs--
Trade Partnership Against Terrorism System of Records.'' This system of=20
records allows the Department of Homeland Security/U.S. Customs and=20
Border Protection, DHS/CBP-018, Customs-Trade Partnership Against=20
Terrorism to collect and maintain records about members of the trade=20
community related to Customs and Border Protection's Customs-Trade=20
Partnership Against Terrorism program. Businesses accepted into the=20
program, called partners, agree to analyze, measure, monitor, report,=20
and enhance their supply chains in exchange for greater security and=20
facilitated processing offered by Customs and Border Protection. The=20
Customs-Trade Partnership Against Terrorism program allows Customs and=20
Border Protection to focus its resources on higher risk businesses and=20
thereby assists the agency in achieving its mission to secure the=20
border and facilitate the movement of legitimate international trade.=20
This new system of records collects and manages information, including=20
personally identifiable information, about prospective, ineligible,=20
current, or former trade partners in Customs-Trade Partnership Against=20
Terrorism, and other entities and individuals in their supply chains.=20
This system also collects and maintains information, including=20
personally identifiable information, regarding members of a foreign=20
government secure supply chain program that have been recognized by=20
Customs and Border Protection, through a mutual recognition arrangement=20
or comparable arrangement, as being compatible with the program. The=20
Customs-Trade Partnership Against Terrorism program provides a Security=20
Link Portal, which allows partners and applicants to access and manage=20
their information. Customs and Border Protection is publishing this new=20
system of records notice in order to notify the public about the=20
system, permit trade partners access to the information they provide,=20
and offer a description of how and where information is collected and=20
maintained. Additionally, the Department of Homeland Security is=20
issuing a Notice of Proposed Rulemaking elsewhere in the Federal=20
Register, to exempt this system of records from certain provisions of=20
the Privacy Act. This newly established system will be included in the=20
Department of Homeland Security's inventory of record systems.
DATES: The new system of records will be effective April 12, 2013,=20
unless comments are received that result in a contrary determination.
ADDRESSES: You may submit comments, identified by docket number DHS-
2012-0073 by one of the following methods:
Federal e-Rulemaking Portal: http://www.regulations.gov/.=20
Follow the instructions for submitting comments.
Fax: 202-343-4010.
Mail: Jonathan R. Cantor, Acting Chief Privacy Officer,=20
Privacy Office, Department of Homeland Security, Washington, DC 20528.
Instructions: All submissions received must include the agency name=20
and docket number for this rulemaking. All comments received will be=20
posted without change to http://www.regulations.gov/, =
including any=20
personal information provided.
Docket: For access to the docket to read background documents or=20
comments received go to http://www.regulations.gov/.
FOR FURTHER INFORMATION CONTACT: For general questions please contact:=20
Laurence E. Castelli (202-325-0280), CBP Privacy Officer, U.S. Customs=20
and Border Protection, 90 K Street NE. Washington, DC 20229. For=20
privacy issues please contact: Jonathan R. Cantor (202-343-1717),=20
Acting Chief Privacy Officer, Privacy Office, Department of Homeland=20
Security, Washington, DC 20528.
SUPPLEMENTARY INFORMATION:
I. Background
In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the=20
Department of Homeland Security (DHS), US Customs and Border Protection=20
(CBP) proposes to establish a new DHS system of records titled, ``DHS/
CBP-018-C-TPAT System of Records.''
CBP is publishing this new system of records notice to notify the=20
public about the system and offer a description of how CBP collects and=20
maintains information pertaining to prospective, ineligible, current,=20
or former trade partners in C-TPAT; other entities and individuals in=20
their supply chains; and members of foreign governments' secure supply=20
chain programs that have been recognized by CBP, through a mutual=20
recognition arrangement or comparable arrangement, as being compatible=20
with C-TPAT.
CBP will use the information collected and maintained through the=20
C-TPAT program to carry out its trade facilitation, law enforcement,=20
and national security missions. In direct response to 9/11, CBP=20
challenged the trade community to partner with the government to design=20
a new approach to supply chain security--one that protects the United=20
States from acts of terrorism by improving security while facilitating=20
the flow of compliant cargo and conveyances. The result was the=20
Customs-Trade Partnership Against Terrorism (C-TPAT)--an innovative,=20
voluntary government/private sector partnership program. C-TPAT is a=20
voluntary program in which certain types of businesses agree to=20
cooperate with CBP in the analysis, measurement, monitoring, reporting,=20
and enhancement of their supply chains.
Businesses accepted in to C-TPAT are called partners and agree to=20
take actions to protect their supply chain, identify security gaps, and=20
implement specific security measures and best practices in return for=20
facilitated processing of their shipments by CBP. The program focuses=20
on improving security from the point of origin (including manufacturer,=20
supplier, or vendor) through a point of distribution to the=20
destination. The current security guidelines for C-TPAT program members=20
address a broad range of topics including personnel, physical and=20
procedural security; access controls; education, training and=20
awareness; manifest procedures; conveyance security; threat awareness;=20
and documentation processing. These guidelines offer a customized=20
solution for the members, while providing a clear minimum standard that=20
approved companies must meet.
Businesses eligible to fully participate in C-TPAT include U.S.=20
importers; U.S./Canada highway carriers; U.S./Mexico highway carriers;=20
rail and sea carriers; licensed U.S. Customs brokers; U.S. marine port=20
authority/terminal operators; U.S. freight consolidators; ocean=20
transportation intermediaries and non-operating common carriers;=20
Mexican and Canadian manufacturers; and Mexican long-haul carriers. As=20
part of its development, CBP plans to include exporters from the United=20
States in C-TPAT.
There are three tiers of C-TPAT partnership, with each tier having=20
its own set of requirements and corresponding facilitated processing.=20
In general, businesses are considered applicants until CBP has vetted=20
the information in the application and accepted the business into the=20
program. Once accepted, the business is designated as a Tier One=20
certified partner, and a site visit is arranged. The site visit is used=20
to validate the partner's supply chain security and leads to importers=20
becoming Tier Two validated partners. As C-TPAT has incorporated other=20
eligible business types, it has led
[[Page 15964]]
to those businesses becoming certified, validated non-importers. If an=20
importer with Tier Two validated partner status exemplifies best=20
practices in its supply chain security, it may attain Tier Three=20
validated partner status. As a business progresses up the tiers, it=20
receives more facilitated processing at ports of entry.
Information is collected directly from C-TPAT partners or applicant=20
businesses seeking membership in C-TPAT and indirectly from trade=20
partners or through Mutual Recognition Arrangements (MRA) or memoranda=20
of understanding relating to harmonization efforts between CBP and the=20
foreign secured supply chain program. In the course of enrolling,=20
certifying, and validating C-TPAT trade partners and their supply=20
chains, the C-TPAT system will receive personally identifiable=20
information (PII) and confidential business information from trade=20
entities and their representatives.
To participate in the C-TPAT program, a company is required to=20
submit a confidential, on-line application using the C-TPAT Security=20
Link Portal, https://ctpat.cbp.dhs.gov/. The =
C-TPAT Security Link Portal=20
is the public-facing portion of the C-TPAT system used by applicants to=20
submit the information in their company and supply chain security=20
profiles. Initially, the applicant business provides basic business-
identifying information in the company profile using the online=20
application form. This business-identifying information is used to=20
verify the identity and actual existence of the applicant business and=20
may include basic identifying elements and/or PII used in the=20
importation of cargo, such as U.S. Social Security Numbers (SSN) for=20
sole proprietors, Internal Revenue Service Business Identification=20
Numbers, and Customs assigned identification numbers (such as=20
Manufacturer Identification numbers and Broker/Filer codes, etc.).=20
Point of contact information is collected for the business, as well as=20
owner information.
Additionally, the applicant business must complete a Supply Chain=20
Security Profile (SCSP). The information provided in the SCSP is a=20
narrative description of the procedures the applicant business uses to=20
adhere to each C-TPAT Security Criteria or Guideline articulated for=20
their particular business type (importer, customs broker, freight=20
forwarder, air, sea, and land carriers, contract logistics providers,=20
etc.) together with any supporting documentation. Data elements entered=20
by the applicant business are accessible for update or revision through=20
the C-TPAT Security Link Portal. An applicant's SCSP must provide=20
supply chain security procedures for each business in the applicant's=20
supply chain, even if those businesses are not, or do not desire to=20
become partners of C-TPAT separately. This information is focused on=20
the security procedures of those businesses (e.g., whether the business=20
conducts background investigations on employees), rather than the=20
individuals related to those businesses (e.g., a list of employee=20
names).
A CBP Supply Chain Security Specialist (SCSS) vets the SCSP=20
information provided by the applicant by querying that information=20
through various information sources and systems, and queries of=20
publicly available data (e.g., through Google). The SCSS will then=20
evaluate the SCSP information against the results provided by such=20
system vetting, derogatory or otherwise, and indicate whether the=20
applicant is fit for the program in the Security Link Portal.=20
Derogatory vetting results are incorporated into an issue paper for a=20
C-TPAT supervisor's approval, and the issue paper is stored separately=20
from the Security Link Portal on an internal C-TPAT SharePoint, which=20
is only accessible by appropriate CBP employees and supervisors.
Vetting results containing PII are not stored in the C-TPAT=20
Security Link Portal. When a query reveals derogatory information about=20
a business applicant or partner, the SCSS makes a notation on the=20
internal portion of the C-TPAT Security Link Portal indicating the=20
existence of derogatory information and a citation to the appropriate=20
records. For instance, if a query of an applicant in TECS results in=20
derogatory information, the TECS ID is used as an identifier for the=20
record in the C-TPAT Security Link Portal, rather than the contents of=20
the TECS record. However, specific details regarding the incident or=20
violation giving rise to the unfavorable analysis will be maintained=20
within the C-TPAT SharePoint site and the relevant source system. The=20
SCSS is responsible for vetting all C-TPAT applicants, and conducts=20
this vetting of business entities every 6-12 months to ensure continued=20
compliance.
Consistent with DHS's information sharing mission, information=20
stored in DHS/CBP-018 Customs--Trade Partnership Against Terrorism (C-
TPAT) System may be shared with other DHS components that have a need=20
to know the information to carry out their national security, law=20
enforcement, immigration, intelligence, or other homeland security=20
functions. In addition, information may be shared with appropriate=20
federal, state, local, tribal, territorial, foreign, or international=20
government agencies consistent with the routine uses set forth in this=20
system of records notice.
Additionally, DHS is issuing a Notice of Proposed Rulemaking to=20
exempt this system of records from certain provisions of the Privacy=20
Act, elsewhere in the Federal Register. This newly established system=20
will be included in DHS's inventory of record systems.
II. Privacy Act
The Privacy Act embodies fair information practice principles in a=20
statutory framework governing the means by which Federal Government=20
agencies collect, maintain, use, and disseminate individuals' records.=20
The Privacy Act applies to information that is maintained in a ``system=20
of records.'' A ``system of records'' is a group of any records under=20
the control of an agency for which information is retrieved by the name=20
of an individual or by some identifying number, symbol, or other=20
identifying particular assigned to the individual. In the Privacy Act,=20
an individual is defined to encompass U.S. citizens and lawful=20
permanent residents. As a matter of policy, DHS extends administrative=20
Privacy Act protections to all individuals where systems of records=20
maintain information on U.S. citizens, lawful permanent residents, and=20
visitors.
Below is the description of the DHS/CBP-018 Customs--Trade=20
Partnership Against Terrorism (C-TPAT) System of Records. In accordance=20
with 5 U.S.C. 552a(r), DHS has provided a report of this system of=20
records to the Office of Management and Budget and to Congress.
System of records:
Department of Homeland Security (DHS)/U.S. Customs and Border=20
Protection (CBP)-018.
System name:
DHS/CBP-018 Customs--Trade Partnership Against Terrorism (C-TPAT)
Security classification:
Unclassified, for official use only, law enforcement sensitive.
System location:
Records are maintained at CBP Headquarters, Washington, DC and=20
field offices in C-TPAT's Security Link Portal and a CBP collaborative=20
intranet.
Categories of individuals covered by the system:
Individuals, including Points of Contact (POC), owners, and others=20
associated with prospective, ineligible, current, or former C-TPAT=20
business
[[Page 15965]]
entities; individuals associated with the supply chain of such C-TPAT=20
business entities; and individuals associated with business entities in=20
foreign governments secure supply chain programs that have been=20
recognized by CBP, through harmonization, a mutual recognition=20
arrangement, or comparable arrangement, as being compatible with C-
TPAT.
Categories of records in the system:
At the Application level, information is collected from the=20
applicant about itself and those members of its international supply=20
chain. Pre-set fields of business-identifying information within the=20
company profile portion of the online application include:
Business Entity Type;
Application Exception Token;
Legal Business Name;
Other Name(s) by which the Business is known (i.e.,=20
``Doing Business As''), if applicable;
Business Telephone;
Business Fax;
Business Web site address;
Business history;
Physical Address(es);
Mailing Address(es);
Owner Type: (e.g., Corporation\ Partnership\Sole=20
Proprietor, etc.);
Years in Business;
Number of Employees;
Business Points of Contacts;
First Name;
Last Name;
Title;
Email Address (also used to log in to the Security Link=20
Portal);
Password;
Telephone Number;
Contact Type;
U.S. Social Security Numbers (as volunteered by sole=20
proprietors as their tax identification number);
Internal Revenue Service Business Identification Numbers;
Customs assigned identification numbers (Importers of=20
Record (IOR) number; Manufacturer Identification Numbers (MID) and=20
Broker/Filer codes, etc.);
Issue Papers, including information regarding whether the=20
applicant is eligible for C-TPAT membership or source record numbers=20
for such information;
Narrative description of supply chain security procedures=20
for applicant and other entities in applicant's supply chain;
Validation supporting documentation (e.g., bills of=20
lading; audits--internal & external; proof of background checks;=20
contractual obligations; via a letter from a senior business partner=20
officer attesting to compliance; statements demonstrating compliance=20
with C-TPAT security criteria or an equivalent World Customs=20
Organization accredited security program administered by a foreign=20
customs authority; importer security questionnaire); and
Account Status.
Information received from and confirmed to countries with which CBP=20
has a Mutual Recognition Arrangement (MRA) includes:
Legal Business Name;
Other Name(s) by which the Business is known (i.e.,=20
``Doing Business As''), if applicable;
Company Type;
Date Partner Certified;
Account Status;
Vetting Status;
Date Validation Completed;
SCSS Name;
Office Assigned Name;
Mutual Recognition Country;
Business identifying numbers, e.g.:
[cir] Standard Carrier Alpha Code (SCAC);
[cir] IOR;
[cir] MID;
By Applicant request, information received from, and forwarded to,=20
foreign secure supply chain programs pursuant to a harmonization=20
program may include, but is not limited to:
Legal Name;
Doing Business As;
Telephone Number;
Fax Number;
Web site;
Owner Type;
Business Start Date;
Number of Employees;
Brief Company History;
Primary Address, Type;
Primary Address, Name;
Primary Address, Country;
Primary Address, Street Address;
Primary Address, City;
Primary Address, State/Province;
Primary Address, Zip/Postal Code;
Mailing Address:
[cir] Type;
[cir] Name;
[cir] Country;
[cir] Street Address;
[cir] City;
[cir] State/Province; and
[cir] Zip/Postal Code.
Primary Contact:
[cir] Email Address;
[cir] Type;
[cir] Salutation;
[cir] First Name;
[cir] Last Name;
[cir] Title; and
[cir] Telephone Number.
Partner Notifications;
Number of Entries;
U.S. Department of Transportation (DOT) Issued Number;
U.S. National Motor Freight Traffic Association Issued;
SCAC;
Dun & Bradstreet Number;
Services Offered;
Driver Sources;
Entries related to harmonization country;
The entire Security Profile (Upon Request):
[cir] Account Number;
[cir] Risking Status;
[cir] MSR Status;
[cir] Validation Type;
[cir] Validation Closed Date;
[cir] Validation Status;
[cir] Validation Type Verification (Government Contact);
[cir] Verification Type Start Date;
[cir] Verification Type: (phone, visit, mutual recognition);
[cir] Verification Visit address;
[cir] Business Type; and
[cir] Harmonization Host Program.
Account Status;
Vetting Status;
Minimum Security Requirements/Security Profile Status;
Validation Status; and
Harmonization Status.
Authority for maintenance of the system:
This system and program are authorized by 6 U.S.C. 901 note=20
(Security and Accountability for Every Port Act of 2006 (SAFE Port=20
Act), including 6 U.S.C. 961-973. Pilot programs enhancing secure=20
supply chain practices related to C-TPAT are also authorized by=20
Homeland Security Presidential Directive/HSPD-8, ``National=20
Preparedness'' Section 22 (December 17, 2003).
Purpose(s):
The purpose of this system is to verify the identity of C-TPAT=20
partners, determine enrollment level, and provide identifiable ``low=20
risk'' entities with fewer random checks and facilitated processing.=20
The information will be cross-referenced with data maintained in CBP's=20
other cargo and enforcement databases and will be shared with other law=20
enforcement systems, agencies or foreign entities, as appropriate, when=20
related to ongoing investigations or operations. Information will be=20
used to analyze, measure, monitor, report, and enhance business supply=20
chains to permit facilitated processing of C-TPAT partner shipments by=20
CBP.
Routine uses of records maintained in the system, including categories=20
of users and the purposes of such uses:
In addition to those disclosures generally permitted under 5 U.S.C.
[[Page 15966]]
552a(b) of the Privacy Act, all or a portion of the records or=20
information contained in this system may be disclosed outside DHS as a=20
routine use pursuant to 5 U.S.C. 552a(b)(3). Any disclosure of=20
information must be made consistent with the official duties of the=20
person making the disclosure. The routine uses are as follows:
A. To the Department of Justice (DOJ), including the United States=20
Attorneys Offices, or other federal agency conducting litigation or in=20
proceedings before any court, adjudicative or administrative body, when=20
it is relevant or necessary to the litigation and one of the following=20
is a party to the litigation or has an interest in such litigation:
1. DHS or any component thereof;
2. Any employee of DHS in his/her official capacity;
3. Any employee of DHS in his/her individual capacity when DOJ or=20
DHS has agreed to represent the employee; or
4. The United States or any agency thereof.
B. To a congressional office from the record of an individual in=20
response to an inquiry from that congressional office made at the=20
request of the individual to whom the record pertains.
C. To the National Archives and Records Administration (NARA) or=20
General Services Administration pursuant to records management=20
inspections being conducted under the authority of 44 U.S.C. 2904 and=20
2906.
D. To an agency or organization for the purpose of performing audit=20
or oversight operations as authorized by law, but only such information=20
as is necessary and relevant to such audit or oversight function.
E. To appropriate agencies, entities, and persons when:
1. DHS suspects or has confirmed that the security or=20
confidentiality of information in the system of records has been=20
compromised;
2. DHS has determined that as a result of the suspected or=20
confirmed compromise there is a risk of harm to economic or property=20
interests, identity theft or fraud, or harm to the security or=20
integrity of this system or other systems or programs (whether=20
maintained by DHS or another agency or entity) or harm to the=20
individuals that rely upon the compromised information; and
3. The disclosure made to such agencies, entities, and persons is=20
reasonably necessary to assist in connection with DHS's efforts to=20
respond to the suspected or confirmed compromise and prevent, minimize,=20
or remedy such harm.
F. To contractors and their agents, grantees, experts, consultants,=20
and others performing or working on a contract, service, grant,=20
cooperative agreement, or other assignment for DHS, when necessary to=20
accomplish an agency function related to this system of records.=20
Individuals provided information under this routine use are subject to=20
the same Privacy Act requirements and limitations on disclosure as are=20
applicable to DHS officers and employees.
G. To an appropriate federal, state, tribal, local, international,=20
or foreign law enforcement agency or other appropriate authority=20
charged with investigating or prosecuting a violation or enforcing or=20
implementing a law, rule, regulation, or order, when a record, either=20
on its face or in conjunction with other information, indicates a=20
violation or potential violation of law, which includes criminal,=20
civil, or regulatory violations.
H. To appropriate foreign governmental agencies or multilateral=20
governmental organizations pursuant to an arrangement between CBP and a=20
foreign government or multilateral governmental organization regarding=20
supply chain security.
I. To an appropriate federal, state, local, territorial, tribal, or=20
foreign governmental agencies or multilateral governmental=20
organizations or other appropriate authority or entity when necessary=20
to vet a C-TPAT applicant or validate a C-TPAT partner.
J. To appropriate federal, state, local, tribal, or foreign=20
governmental agencies or multilateral governmental organizations when=20
DHS reasonably believes there to be a threat or potential threat to=20
national or international security for which the information may be=20
relevant in countering the threat or potential threat.
K. To a federal, state, tribal, or local agency, or other=20
appropriate entity or individual, or foreign governments, in order to=20
provide relevant information related to intelligence,=20
counterintelligence, or antiterrorism activities authorized by U.S.=20
law, Executive Order, or other applicable national security directive.
L. To an organization or individual in either the public or private=20
sector, either foreign or domestic, when there is a reason to believe=20
that the recipient is or could become the target of a particular=20
terrorist activity or conspiracy, or when the information is relevant=20
and necessary to the protection of life or property.
M. To third parties during the course of a law enforcement=20
investigation to the extent necessary to obtain information pertinent=20
to the investigation.
N. To an appropriate federal, state, local, tribal, foreign, or=20
international agency, if the information is relevant to a requesting=20
agency's decision concerning the hiring or retention of an individual,=20
or issuance of a security clearance, license, contract, grant, or other=20
benefit, or if the information is relevant to a DHS decision concerning=20
the hiring or retention of an employee, the issuance of a security=20
clearance, the reporting of an investigation of an employee, the=20
letting of a contract, or the issuance of a license, grant or other=20
benefit.
O. To a federal, state, local, tribal, or foreign governmental=20
agency or multilateral governmental organization for the purpose of=20
consulting with that agency or entity: (1) To assist in making a=20
determination regarding redress for an individual in connection with=20
the operations of a DHS component or program; (2) for the purpose of=20
verifying the identity of an individual seeking redress in connection=20
with the operations of a DHS component or program; or (3) for the=20
purpose of verifying the accuracy of information submitted by an=20
individual who has requested such redress on behalf of another=20
individual.
P. To appropriate federal, state, local, tribal, or foreign=20
governmental agencies or multilateral governmental organizations for=20
the purpose of protecting the vital health interests of a data subject=20
or other persons (e.g., to assist such agencies or organizations in=20
preventing exposure to or transmission of a communicable or=20
quarantinable disease or to combat other significant public health=20
threats; appropriate notice will be provided of any identified health=20
threat or risk).
Q. To the news media and the public, with the approval of the Chief=20
Privacy Officer in consultation with counsel, when there exists a=20
legitimate public interest in the disclosure of the information or when=20
disclosure is necessary to preserve confidence in the integrity of DHS=20
or is necessary to demonstrate the accountability of DHS's officers,=20
employees, or individuals covered by the system, except to the extent=20
it is determined that release of the specific information in the=20
context of a particular case would constitute an unwarranted invasion=20
of personal privacy.
Disclosure to consumer reporting agencies:
None.
[[Page 15967]]
Policies and practices for storing, retrieving, accessing, retaining,=20
and disposing of records in the system:
Storage:
Records in this system are stored electronically or on paper in=20
secure facilities in a locked drawer behind a locked door. The records=20
are stored on magnetic disc, tape, digital media, and CD-ROM.
Retrievability:
Records may be retrieved by any of the information listed in the=20
categories of records above.
Safeguards:
Records in this system are safeguarded in accordance with=20
applicable rules and policies, including all applicable DHS automated=20
systems security and access policies. Strict controls have been imposed=20
to minimize the risk of compromising the information that is being=20
stored. Access to the computer system containing the records in this=20
system is limited to those individuals who have a need to know the=20
information for the performance of their official duties and who have=20
appropriate clearances or permissions.
Retention and disposal:
CBP is proposing the following retention schedule to the National=20
Archives and Records Administration (NARA): Information stored in C-
TPAT will be retained for the period during which the application is=20
pending decision by CBP and for the period of active membership of the=20
business entity, plus five years. Where information regarding the=20
possible ineligibility of an applicant for C-TPAT membership is found,=20
it will be retained in the C-TPAT system for an additional 25 years to=20
assist with future vetting, or consistent with the applicable retention=20
period for the System of Records from which such information was=20
derived, whichever is longer.
System Manager and address:
C-TPAT Director, U.S. Customs and Border Protection, 1300=20
Pennsylvania Avenue NW., Washington, DC 20229; (202) 344-2619.
Notification procedure:
The C-TPAT Security Link Portal provides access to the information=20
an applicant or partner submitted. The C-TPAT partner interface allows=20
participants to access and change the information they have provided at=20
any time by accessing their business identifying information and C-TPAT=20
profile through secure login procedures. C-TPAT Partners access the C-
TPAT Security Link Portal via https://ctpat.cbp.dhs.gov/.
Through the Security Link Portal, C-TPAT partners have a direct=20
messaging option where they may communicate with their assigned SCSS if=20
they believe CBP has acted upon inaccurate or erroneously provided=20
information. If this method is unsuccessful and C-TPAT facilitated=20
processing is denied or removed, within 30 days of notification the=20
entity may make written inquiry regarding such denial or removal. The=20
applicant should provide as much identifying information as possible=20
regarding the business, in order to identify the record at issue. C-
TPAT participants may provide CBP with additional information to ensure=20
that the information maintained by CBP is accurate and complete. The=20
submitter will receive a written response to each inquiry. If C-TPAT=20
partnership is suspended or removed, the business may appeal this=20
decision to CBP HQ, to the attention of the Executive Director, C-TPAT=20
Program Division: Executive Director, Cargo and Conveyance Security,=20
U.S. Customs and Border Protection, 1300 Pennsylvania Avenue NW., Room=20
2.2A, Washington, DC 20229.
The Secretary of Homeland Security has exempted portions of this=20
system from the notification, access, and amendment procedures of the=20
Privacy Act because it is a law enforcement system. However, DHS/CBP=20
will consider individual requests to determine whether or not=20
information may be released. Thus, individuals seeking notification of=20
and access to any record contained in this system of records, or=20
seeking to contest its content, may submit a request in writing to the=20
Headquarters or component's FOIA Officer, whose contact information can=20
be found at http://www.dhs.gov/foia under =
``contacts.'' If an=20
individual believes more than one component maintains Privacy Act=20
records concerning him or her the individual may submit the request to=20
the Chief Privacy Officer and Chief Freedom of Information Act Officer,=20
Department of Homeland Security, 245 Murray Drive SW., Building 410,=20
STOP-0655, Washington, DC 20528.
When seeking records about yourself from this system of records or=20
any other Departmental system of records your request must conform with=20
the Privacy Act regulations set forth in 6 CFR part 5. You must first=20
verify your identity, meaning that you must provide your full name,=20
current address, and date and place of birth. You must sign your=20
request, and your signature must either be notarized or submitted under=20
28 U.S.C. 1746, a law that permits statements to be made under penalty=20
of perjury as a substitute for notarization. While no specific form is=20
required, you may obtain forms for this purpose from the Chief Privacy=20
Officer and Chief Freedom of Information Act Officer, http://www.dhs.gov/ or 1-866-431-0486. =
In addition you should provide the=20
following:
An explanation of why you believe the Department would=20
have information on you;
Identify which component(s) of the Department you believe=20
may have the information about you;
Specify when you believe the records would have been=20
created; and
Provide any other information that will help the FOIA=20
staff determine which DHS component agency may have responsive records.
If your request is seeking records pertaining to another living=20
individual, you must include a statement from that individual=20
certifying his/her agreement for you to access his/her records.
Without this bulleted information the component(s) may not be able=20
to conduct an effective search, and your request may be denied due to=20
lack of specificity or lack of compliance with applicable regulations.
Record access procedures:
See ``Notification procedure'' above.
Contesting record procedures:
See ``Notification procedure'' above.
Record source categories:
Records are obtained from the business; from CBP systems including,=20
but not limited to, TECS, the Automated Targeting System (ATS), the=20
Automated Commercial System (ACS); and from public sources. Information=20
is also collected by the SCSS from the C-TPAT applicant and other=20
businesses during the course of validating the business's supply chain=20
and from foreign governments and multilateral governmental=20
organizations with which CBP has entered into MRAs or other=20
arrangements.
Exemptions claimed for the system:
No exemption shall be asserted with respect to information=20
requested from and provided by the C-TPAT applicant including, but not=20
limited to, company profile, supply chain information, and other=20
information provided during the application and validation process. CBP=20
will not assert any exemptions for an individual's application data and=20
final membership determination in response to a request from that=20
individual. However, the Privacy Act requires DHS
[[Page 15968]]
to maintain an accounting of the disclosures made pursuant to all=20
routines uses. Disclosing the fact that a law enforcement agency has=20
sought particular records may affect ongoing law enforcement=20
activities. As such, pursuant to 5 U.S.C. 552a(j)(2), DHS will claim=20
exemption from sections (c)(3), (e)(8), and (g) of the Privacy Act of=20
1974, as amended, as is necessary and appropriate to protect this=20
information. Further, DHS will claim exemption from section (c)(3) of=20
the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(k)(2) as=20
is necessary and appropriate to protect this information.
Pursuant to exemption 5 U.S.C. 552a(j)(2) of the Privacy Act, all=20
other C-TPAT data, including information regarding the possible=20
ineligibility of an applicant for C-TPAT membership discovered during=20
the vetting process and any resulting issue papers, are exempt from 5=20
U.S.C. 552a(c)(3) and (4); (d); (e)(1), (e)(2), (e)(3), (e)(4)(G),=20
(e)(4)(H), (e)(4)(I), (e)(5) and (e)(8); (f); and (g). Pursuant to 5=20
U.S.C. 552a(k)(2), information regarding the possible ineligibility of=20
an applicant for C-TPAT membership discovered during the vetting=20
process and any resulting issue papers are exempt from 5 U.S.C.=20
552a(c)(3); (d); (e)(1), (e)(4)(G), (e)(4)(H),(e)(4)(I); and (f). In=20
addition, to the extent a record contains information from other exempt=20
systems of records, CBP will rely on the exemptions claimed for those=20
systems.
Dated: February 21, 2013.
Jonathan R. Cantor,
Acting Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2013-05674 Filed 3-12-13; 8:45 am]
BILLING CODE 9111-14-P