Progress Report on Intelligence Community Implementation of Safeguards for Personal Information Under Presidential Policy Directive 28

On October 17, 2014, the Office of the Director of National Intelligence ("ODNI") released a report¹ on implementation of Presidential Policy Directive 28 ("PPD-28") regarding Signals Intelligence ("SIGINT") Activities, which President Obama issued in response to leaks by Edward Snowden and the recommendations of the President's Review Group on Intelligence and Communications Technologies.² ODNI's report, which was required under Section 4 of PPD-28, found that all elements of the Intelligence Community ("IC") are on track to have policies and procedures in place to implement PPD-28 by January 17, 2015.  

The report states that "[m]ost agencies already have adequate existing procedures for some aspects of PPD-28."  However, updates to IC agencies' existing policies and procedures regarding handling information collected through SIGINT and establishment of new policies and procedures will be required.  In particular, the Central Security Service at the National Security Agency ("NSA") is developing a set of supplemental procedures to build the requirements of PPD-28 into the policy framework that governs the U.S. SIGINT System.  ODNI's report anticipates that IC agencies other than the NSA will update their policies and procedures as well, but notes that the changes other IC agencies "will be required to make will be narrower than NSA's" because other IC agencies are generally consumers of SIGINT, rather than collectors.

The ODNI report outlines key principles that all IC agencies must incorporate in their policies and procedures implementing PPD-28 in order to ensure protection for personal information collected through SIGINT.  Such policies and procedures will: 

• Include limitations on the use of SIGINT collected in bulk, such as restriction to use for the six purposes specified in PPD-28³ and prohibiting use of SIGINT for suppressing or burdening criticism or dissent, disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion, or affording a competitive advantage to U.S. companies and U.S. business sectors commercially;
• Incorporate the principles for the collection of SIGINT outlined in PPD-28, including ensuring that new and unique SIGINT collection programs or significant changes to existing programs are authorized by law and are not conducted for a prohibited purpose, ensuring that civil liberties and privacy protections are integral considerations in the planning and execution of SIGINT collection activities, and ensuring that such SIGINT activities are as tailored as feasible and that IC agencies focus collection on specific foreign intelligence targets or topics;  
• Set appropriate standards for querying SIGINT data, including seeking to structure queries or search techniques to identify intelligence information relevant to a valid intelligence or law enforcement task and minimizing the review of personal information not pertinent to intelligence or law enforcement requirements; 
• Establish that the mere fact that SIGINT is about a non-U.S. person is not sufficient to permanently retain or disseminate such information;
• Consider as a default position subjecting non-U.S. person information to the same retention periods afforded to U.S.-person information under the Attorney General approved guidelines;
• Require that IC agencies make a written request to the ODNI for an extension of the five-year retention period that includes a specific justification for the extension and the views of the relevant privacy and civil liberties officer;
• Establish procedures that permit dissemination of personal information of non-U.S. persons collected through SIGINT only if the dissemination of comparable information concerning U.S. persons would be permitted under Section 2.3 of Executive Order 12333; 
• Require adequate training as a condition of access or handling of unevaluated and unminimized personal information in SIGINT;
• Make available information on how IC personnel report privacy and civil liberties complaints and other violations of law;
• Require that, when a significant compliance issue involving personal information collected through SIGINT occurs, it must be reported promptly to the head of the IC agency who will notify the ODNI so that ODNI can determine if corrective action is necessary; and
• Develop robust oversight and compliance programs to ensure adherence to PPD-28, including mechanisms for periodic auditing and review of each agency's practices for protecting personal information contained in SIGINT by privacy and civil liberty officers.

IC agencies' implementing policies and procedures will be publicly released to the maximum extent possible, consistent with classification requirements.  Such policies and procedures will be carefully analyzed by privacy advocates and telecommunications, social media, and other technology companies.