Registered Traveler: Data privacy, security prompts chairman’s inquiry

A House committee chairman is questioning TSA on its handling of personal data for the Registered Traveler program.

A House committee chairman with jurisdiction over the Homeland Security Department is urging DHS' Transportation Security Administration (TSA) to get more involved in safeguarding personal data for about 165,000 people held by a defunct former partner in the Registered Traveler program.

Verified Identity Pass Inc., the largest private operator of Registered Traveler services, shut down operations June 22. Its Registered Traveler program, named Clear, allowed pre-screened and enrolled travelers expedited service through security clearances at airports.

Registered Traveler is a frequent flier-type program that was co-sponsored by TSA from 2005 through 2008. It continues to involve TSA in various aspects of its operation; for example, TSA mandates many of the requirements regarding the collection and handling of personal information for enrollees in the program.

Rep. Bennie Thompson (D-Miss.), who chairs the House Homeland Security Committee, wrote to TSA to say he is worried because the agency apparently did not set requirements for disposal of the personally identifiable information held by Registered Traveler operators that shut down.

“We are concerned about the security and safety of the information currently held by Clear,” Thompson wrote to TSA Acting Assistant Secretary Gail Rossides on June 25.

“Many members of the traveling public have trusted TSA’s Registered Traveler program,” Thompson wrote. “This level of trust can only be maintained by TSA providing clear and proper protocols to govern the disposition of data when a Registered Traveler operator decides to leave the program.”

Verified Identity Pass said in an undated announcement on its Web site that it is working with lead systems integrator Lockheed Martin Corp. to protect the personal information of Clear enrollees while it shuts down the program.

“The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a TSA-authorized service provider,” the company announcement states. “Any new service provider would need to maintain personally identifiable information in accordance with the TSA’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”

The company said it intends to notify Clear members in a final e-mail message when the information is deleted.

TSA spokeswoman Ann Davis said today that a response to Thompson is being drafted.
 
TSA’s policy on data handling in Registered Traveler is further described on its Web site, Davis said. After TSA co-sponsorship of Registered Traveler was terminated in July 2008, service providers’ use of data was to be regulated under their own privacy policies. Information submitted to TSA prior to July 2008 will be destroyed in accordance with the record retention period approved by the National Archives and Records Administration, she said.

Also signing the letter were Reps. Christopher Carney (D-Pa.) and Sheila Jackson Lee (D-Texas), who chair two subcommittees of the Homeland Security Committee.