WASHINGTON, Feb. 20 (UPI) -- Employees of the Transportation Security Administration acted "outside the spirit of the Privacy Act," in 2002 when they facilitated the transfer of 1.5 million passenger records from the budget airline JetBlue to a defense contractor, but did not break the law, according to a report published Friday.
The report, by Nuala O'Conner Kelly, the privacy officer at the Department of Homeland Security, found -- in her words -- that there was "no violation of the Privacy Act because no data was brought into the control of the Transportation Security Administration."
Therefore, no "system of records" -- which under the act has to be publicly announced -- was created by the agency.
However, she told reporters in Washington, up to six of its employees had facilitated the project -- carried out by the defense contractor Torch Concepts for the Department of Defense's base security enhancement program.
Torch Concepts approached the Pentagon in October 2001, the report says. They offered to try and develop data mining and analysis techniques to detect potential terrorists by sifting large numbers of personal records.
In April 2002, with the assistance of the TSA officials, Torch received data about 1.5 millions JetBlue passengers from Acxiom, a data aggregator employed by the airline.
The officials "acted without regard to the privacy interests of the private citizens whose data was transferred, outside the spirit of the Privacy Act of 1974," O'Conner Kelly said, especially because their "participation was essential (to project), because a number of airlines had been approached (and) all had refused because of the lack of involvement of a regulatory body with authority over the airlines."
But for the TSA's involvement, she concluded, the data transfer would not have taken place.
Her report recommended that the officials undergo "substantial" privacy act training; and that the department should draw up guidelines governing the sharing of data between public and private sector entities.
O'Conner Kelly did not comment on whether any other agency might have breached the law, but experts said that the work done by Torch Concepts for the Pentagon almost certainly amounted to creating a system of records. They noted that the Privacy Act applied to contractors as if they were federal agencies.
"There certainly appears to have been a breach of the Privacy Act," said Lara Flint, staff counsel to the Center for Democracy and Technology -- a privacy and civil rights pressure group. "There should have been a notice (of creation of a system of records) published."
"Federal agencies are liable for the work of their contractors in cases like this," added her colleague Ari Schwartz, adding that it was the Army, as the agency which had engaged Torch, that had failed to publish such a notice. Failure to publish is an administrative breach of the act, and the incident was under investigation by the inspector-general of the Army, he said.
Because of the picture it paints of TSA employees ignoring privacy concerns, Friday's report is likely to arouse further questions about the agency's controversial computer-assisted passenger screening system, CAPPS II -- which employs similar data mining techniques -- and about the extended negotiations with the European Union over the transfer of passenger data from foreign airlines flying into the United States.
