Policy Podcast: Passport Security
March 21, 2008
MR. MCCORMACK: Ambassador Pat Kennedy, Under Secretary for Management, thanks for joining us today. Issues related to passport data privacy and personal data privacy have been a lot in the news over the past couple of days, and that has led to a lot of commentary and a lot of questions about how does the State Department protect passport data and personal data.
And let me just start with a question that we have actually been asked on our blog, and that is does every State Department employee have access to personal data that's given us for passports or other reasons?
UNDER SECRETARY KENNEDY: Absolutely not, Sean. The State Department uses the same very, very appropriate technique in protecting privacy data as it uses in protecting classified information, and it's usually known by the principle of need-to-know. If you have a need to know this information, if you need it to do your job to support the American people, then you have access to it. And so there are certain kinds of classified information that I would not have access to, and if I went to my computer, I could sit there for years trying to sign on to the passport system and I could never get there. The only people who have access to the passport data, the applications filed by American citizens seeking to get passports, are those people who actually receive the applications, adjudicate the applications, and produce and return the passport booklets to the American people.
MR. MCCORMACK: Now let me shift specifically to some of the questions that have been raised in the past couple of days. A passport application. American people, an American citizen, hands it over to us. What happens with that data? How does it get entered? How do we protect that on the front end in terms of data entry and making sure that these applications don't get passed around or, you know, put in other places or --
UNDER SECRETARY KENNEDY: Certainly. I think there's three things I'll touch on. First, all the employees or all the employees of contractors that the State Department uses to produce, record, mail out the passports -- all those individuals have been vetted by the State Department's Bureau of Diplomatic Security. We run name checks, we run security checks to ensure that the people that we hire or that our contractors hire to assist us are of good moral character, the kinds of people who cannot be expected to share that information with anyone except those who absolutely need it.
When you send in your passport application, it might go to a State Department office around the country, it might go to a clerk of the court, it might go to a library or a post office. That information is -- your application is assembled with others and transmitted via registered mail, via Federal Express -- all of it is traceable -- to one of our facilities, a facility such as the one that we work with the Department of the Treasury on in Newark, Delaware . And the information then is -- the envelopes are opened, the checks are removed so that they can be deposited to the Treasury's account, and then they are processed for onward transmission to one of the State Department's facilities that actually print out the passport books in your name.
But in order to protect that information, for example, we don't allow people to bring, you know, camera phones onto the -- camera cell phones onto the floor of the processing so no one could be taking a picture of that data. When we scan the material and then we use computer algorithms to check and make sure that the computer has read your handwriting correctly, the data entry personnel who are making sure that's right, they don't see the full application. They'll see your name. Someone else will see your address. Someone else will see your social security number. Someone else will see your date of birth. In other words, they're checking disembodied data. No one of those data entry people have all the information at once.
And then when they're finished with that and the material has to be sent off to one of our production facilities, they go into sealed bags and then they are couriered to the production facility -- again, checked out, checked in. Because we take it very, very seriously that we do not lose control of any material that has Americans' privacy information in it.
MR. MCCORMACK: Okay, let's shift to once your passport has been issued. You have it in hand and let's say it's a year after you got your passport. How do we protect that data that we still have in electronic form and prevent people from accessing the data and snooping around in somebody's file?
UNDER SECRETARY KENNEDY: Absolutely. All the personnel who work for us are trained. They are trained in the requirements under the Privacy Act. They are given documentation to read that shows them and reminds them that they may only use this information, they may only access that information, for official purposes. Then, when they sit down to work in the morning or in the evening, because some of our facilities run around the clock, and they go to sign on to their computer, the first thing that comes up on the screen when they're signing on is the rules again. And then they check off on the screen that they are acknowledging that they are going to use anything they see only for official purposes.
So we constantly remind people. We also do some random checks to make sure that no one is using that data for anything other than official purposes. Because, for example, you might lose your passport and therefore we want to go into the system and mark that you've reported that passport as canceled in case someone else would attempt to use it at another time. But we only maintain in our files your passport application. We keep no records of where you travel to. Your entry and exit to and from the United States, that data is kept by the Department of Homeland Security for their official purposes. It's not kept by us.
MR. MCCORMACK: One last question, just talking generally about data protection here at the State Department. I know that we are part of a U.S. Government-wide effort with respect to protecting personal data. Generally, what are some of the things that we do? What are some of our best practices here at the State Department in terms of protecting personal data, whether that's State Department employees or American citizens who are doing business with us in some regard?
UNDER SECRETARY KENNEDY: I think the first thing is, obviously, education. We communicate to our employees that they have an obligation to protect people's privacy. We have offices in the Department that oversee that. We work with the various divisions in the Department that handle the data. We make sure that when we move privacy material, we move it under controlled circumstances. Every step we take, we want to make sure that we wrap that Privacy Act data in a cocoon, in effect, so it can move safely either electronically or physically, and that the people who are handling that data have been taught and reminded, as I've mentioned earlier, when they sign on that this is their obligation to protect the data of the American public who they've been entrusted with.
MR. MCCORMACK: Ambassador Kennedy, thanks very much for taking a few minutes to talk with us about this very important issue.
UNDER SECRETARY KENNEDY: My pleasure, Sean. Thank you.
# # #