150k intelligence workers about to see changes in data collection policy

ATLANTA — The intelligence community is about to get a big update on the way it collects and uses data on U.S. citizens.

The Defense Department is “days or weeks” away from changing a more than 30-year policy on data collection and usage, said Michael Mahar, DoD’s senior intelligence oversight official, during an Aug. 1 speech.

In order to enforce the upcoming policy, DoD needs IT help from industry.

The new policy is trying to strike a balance between the privacy of U.S. persons and national security when collecting data that might contain personal information.

The biggest change comes from the use of shared data by the intelligence community.

“It’s a recognition of how significant [shared data] is to us in the intelligence community,” Mahar said at the DoD Intelligence Information Systems Worldwide Conference in Atlanta. “What we’ve done is for the first time established rules and procedures and responsibilities for both the hosts and the participants in these systems.”

Basically, those who hold shared information on citizens and those who use it must follow the new rules.

The rules are written to monitor who is looking at the data, what kind of searches they are conducting and what authorities they have to do that.

The hosts of the shared data must now have written confirmation that all of the agencies using that data will comply with the laws, rules and procedures.

“The bottom line to the whole thing is we treat access to information in a shared repository the same way we do today for a dissemination of information,” Mahar said.

The policy will also change the way the government can collect and store data that may have personal information.

There will soon be limits on how long the IC can hold onto the data it collects on citizens depending on the type of information.

“Today … information is considered collected when it’s received for use, which means that today I can put all the information that I want into a big data repository and it could stay there forever because it’s only when I take that information out for use that I have a clock that requires me to examine that for permanent retention,” Mahar said.

That is about to change. The IC will now have limits on how long it can keep personal data from the moment it is collected.

Intentionally collected citizen data may be kept for up to five years; incidentally collected data and voluntarily ceded data might be kept for 25 years.

“It sounds like a long period of time, but for a lot of our databases in the Middle East, we never thought we’d be there for as long as we were there and that time goes by very quickly and that information is important to have and track the movements and pattern of life of some of these high value targets,” Mahar said.

The policy comes after a number of citizen privacy breaches. The National Security Agency was found to be collecting metadata on U.S. citizens’ telephones, leading to more mistrust of the IC. Additionally, millions of federal workers’ personal information has been compromised by foreign hackers in the past couple of years.

In order to enforce the new rules, DoD and the IC are calling on industry to come up with ways to parse information, audit searches and check authorizations of information users.

“First and foremost I think is we need to be able to effectively limit access to only those employees, only those intelligence professionals that have the appropriate security level, they have the appropriate access permission and they have a specific mission requirement to look at that data,” Mahar said.

Intelligence oversight wants to be able to check on those using the data by auditing their searches and monitoring the data.

“That is an IT challenge when you are talking about over 150,000 intelligence professionals that are engaged in some aspect of collection, retention, dissemination and analysis or IT support,” Mahar said.

Mahar said the IC will need a computer-based training program to train its employees. It will also need industry’s help creating a system that can sift through and tag personal information.

Mahar said DoD is also looking to industry for ways to document the legitimacy of searches in the database to prove it is for a mission.
