ODNI and DOJ updated guidelines for NCTC access, retention, use, and dissemination of information in datasets containing non-terrorism information
Office of the Director of National Intelligence and Department of Justice Joint Statement: REVISED GUIDELINES ISSUED TO ALLOW THE NCTC TO ACCESS AND ANALYZE CERTAIN FEDERAL DATA MORE EFFECTIVELY TO COMBAT TERRORIST THREATS
Director of National Intelligence James R. Clapper, Attorney General Eric Holder, and National Counterterrorism Center (NCTC) Director Matthew G. Olsen have signed updated guidelines designed to allow NCTC to obtain and more effectively analyze certain data in the government’s possession to better address terrorism-related threats, while at the same time protecting privacy and civil liberties.
The "Guidelines for Access, Retention, Use, and Dissemination by the National Counterrorism Center (NCTC) of Information in Datasets Containing Non-Terrorism Information" effective Mar. 22, 2012, update November 2008 guidelines that governed NCTC’s access, retention, use, and dissemination of "terrorism information" contained within federal datasets that are identified as also including non-terrorism information and information pertaining exclusively to domestic terrorism.
The updated Guidelines provide a framework that allows NCTC to obtain certain data held by other U.S. Government agencies to better protect the nation and its allies from terrorist attacks. In coordination with other federal agencies providing data to the NCTC, NCTC will establish the timeline for the retention of individual datasets based upon the type of data, the sensitivity of the data, any legal requirements that apply to the particular data, and other relevant considerations.
Among other modifications, the revised Guidelines:
- Permit NCTC to retain certain datasets that are likely to contain significant terrorism information and are already in the lawful custody and control of other federal agencies for up to five years, unless a shorter period is required by law.
- Permit NCTC to query this data only to identify information that is reasonably believed to constitute terrorism information.
- Provide that all data obtained by NCTC from another federal agency pursuant to the Guidelines, will be subject to appropriate safeguards and oversight mechanisms, including monitoring, recording, and auditing of access to and queries of the data, to protect privacy and civil liberties.
- Require NCTC to undertake a number of additional compliance and reporting obligations to ensure robust oversight.
The updated Guidelines do not provide any new authorities for the U.S. Government to collect information, nor do they authorize acquisition of data from entities outside the federal government. All information that would be accessed by NCTC under the Guidelines is already in the lawful custody and control of other federal agencies. The Guidelines merely provide the NCTC with a more effective means of accessing and analyzing datasets in the government’s possession that are likely to contain significant terrorism information. They permit NCTC to consolidate disparate federal datasets that contain information of value to NCTC’s critical counterterrorism mission.
Furthermore, the updated Guidelines do not supersede or replace any legal restrictions on information sharing (existing by statute, Executive Order, regulation, or international agreement). Thus, the updated Guidelines do not give NCTC authority to require another agency to share any dataset where such sharing would contravene U.S. law or an international agreement.
One of the issues identified by Congress and the Intelligence Community after the 2009 Fort Hood shootings and the Christmas Day 2009 bombing attempt was the government’s limited ability to query multiple federal datasets and to correlate information from many sources that might relate to a potential attack. A review of government actions taken before these attacks recommended that the Intelligence Community push for the completion of state-of-the-art search and correlation capabilities, including techniques that would provide a single point of entry to various government databases.
"Following the failed terrorist attack in December 2009, representatives of the counterterrorism community concluded it is vital for NCTC to be provided with a variety of datasets from various agencies that contain terrorism information," said Clapper, "The ability to search against these datasets for up to five years on a continuing basis as these updated Guidelines permit will enable NCTC to accomplish its mission more practically and effectively than the 2008 Guidelines allowed."
The updated Guidelines have undergone extensive review within the Office of the Director of National Intelligence and the Department of Justice and have been coordinated throughout the Intelligence Community. Under the National Security Act of 1947, NCTC is charged with serving as the primary organization in the U.S. Government for analyzing and integrating all intelligence possessed or acquired by the U.S. Government pertaining to terrorism and counterterrorism, excepting intelligence pertaining exclusively to domestic terrorists and domestic counterterrorism. Consistent with this statutory mission, Executive Order 12333 provides that Intelligence Community elements may collect, retain, or disseminate information concerning United States Persons (USPs) only in accordance with procedures established by the head of the Intelligence Community element and approved by the Attorney General in consultation with the Director of National Intelligence.
The 2008 Guidelines required NCTC to "promptly review" USP information and then "promptly remove" it if it is not reasonably believed to constitute terrorism information. This approach was a reasonable first step in 2008, but based on subsequent experience and lessons learned, the requirement to "promptly remove" USP information hampers NCTC’s ability to identify terrorism information by connecting the dots across multiple datasets.
"There are a number of protections built into the 2012 revised Guidelines," said Alexander Joel, ODNI Civil Liberties Protection Officer. "Before obtaining a dataset, the Director of NCTC, in coordination with the data provider, is required to make a finding that the dataset is likely to contain significant terrorism information."
Once ingested, data is subject to a number of baseline safeguards carried over from the 2008 Guidelines, including restrictions that limit access to only those individuals with a mission need and who have received training on the Guidelines.
"The approval of these Guidelines will significantly improve NCTC’s ability to carry out its statutory mission" said Clapper, "Our citizens expect that we do everything in our power to keep them safe, while protecting privacy and other civil liberties. These Guidelines provide our counterterrorism analysts with the means to accomplish that task more effectively."
###
