Privacy Impact Assessment Update
DHS/ICE/PIA-037(a) eHR System
Page 7
Mitigation: ICE limits dissemination of Portal log-in credentials to former detainees who
have been discharged from ICE detention facilities. Former detainees must log in using the
appropriate username and password and confirm their identity by entering their date of birth in
order to access the Portal. This significantly reduces the risk that an unauthorized third party can
access the contents of the Portal. Further, ICE user access is limited to IHSC personnel who have
a legitimate need to know.
There is also a benefit in providing former detainees online access to their medical
records so they may share that information, as necessary, with third parties, such as other
medical providers, family, friends, or legal representatives. With the deployment of the Portal,
former detainees will be able to access medical information more quickly and efficiently.
Redress
The right to request access to and amendment of records under the Privacy Act of 1974 (5
U.S.C. § 552a) is limited to United States citizens and lawful permanent residents. Executive
Order No. 13,768 Enhancing Public Safety in the Interior of the United States (January 25, 2017)
states: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy
policies exclude persons who are not United States citizens or lawful permanent residents from
the protections of the Privacy Act regarding personally identifiable information.”
8
This
Executive Order precludes DHS from extending such rights by policy. Additionally, the Judicial
Redress Act of 2015 (5 U.S.C. §552a note), which amended the Privacy Act, provides citizens of
certain countries with access, amendment, and other redress rights under the Privacy Act in
certain limited situations.
9
As a result of Executive Order 13,768, DHS’s “Mixed Systems Policy”
10
was rescinded
by the DHS Privacy Office in its Privacy Policy Guidance Memorandum (April 25, 2017).
11
However, DHS will consider individual requests to determine whether or not an individual may
8
The full text of Executive Order 13,768 can be found here: https://www.whitehouse.gov/the-press-
office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united.
9
The foreign countries and regional organizations covered by the Judicial Redress Act, as of February 1, 2017,
include the European Union (EU) and most of its Member States. For the full list of foreign countries and regional
organizations covered by the Judicial Redress Act, please visit the U.S. Department of Justice website
https://www.justice.gov/opcl/judicial-redress-act-2015
.
10
The DHS’ “Mixed Systems Policy” extended most Privacy Act protections to visitors and aliens whose
information was collected, used, maintained, or disseminated in connection with a mixed system of records (i.e.,
contains PII on U.S. citizens and lawful permanent residents, as well as non-U.S. citizens and non-legal permanent
residents). Memorandum Number 2007-1, DHS Policy Regarding Collection, Use, Retention, and Dissemination of
Information on Non-U.S. Persons.
11
DHS Memorandum 2017-01: DHS Privacy Policy Regarding Collection, Use, Retention, and Dissemination of
Personally Identifiable Information (April 25, 2017) (DHS Privacy Policy), available at
https://www.dhs.gov/publication/dhs-privacy-policy-guidance-memorandum-2017-01
. As the DHS Privacy Policy
notes, Executive Order 13768, does not affect statutory or regulatory privacy protections that may be afforded to
aliens, such as confidentiality rights for asylees and refugees, and individuals protected under 8 U.S.C. §1367. These
laws operate independently of the Privacy Act to restrict federal agencies’ ability to share certain information about
visitors and aliens, regardless of a person’s immigration status.