PII includes information that is personal in nature and which may be used to identify you. You may provide PII to us when you send us an e-mail message or a request for information, when you fill out a questionnaire or customer satisfaction survey, when you participate in a research study, etc. We do not require you to register or provide PII to visit our websites. We do collect some technical information that does not include PII when you visit to make your visit seamless. The section below explains how we handle and collect information when you visit CISA websites.
The PII you provide on a CISA website will be used only for the purpose for which you provided it. We will protect your information consistent with the principles of the Privacy Act of 1974, the E-Government Act of 2002, and the Federal Records Act.
CISA Office of Privacy
DHS Mail Stop 0380
245 Murray Lane
Arlington, VA 20598
As a general rule, CISA does not collect PII about you when you visit our websites, unless you choose to provide such information to us. Submitting PII through our website is voluntary. By doing so, you are giving the Department permission to use the information for a specific, stated purpose.
If you choose to provide us with PII through such methods as completing a web form, we will use that information to help us provide you the information or service you have requested. The information we may receive from you varies based on what you do when visiting our site.
We only share the PII you give us with another government agency if your inquiry relates to that agency, or as otherwise required by law. We never create individual profiles or give your PII to any private organizations. CISA never collects information for commercial marketing.
If we store your PII in a record system designed to retrieve information about you by personal identifier (name, personal email address, home mailing address, personal or mobile phone number, etc.), so that we may contact you, we will safeguard the information you provide to us in accordance with the Privacy Act of 1974, as amended (5 U.S.C. §552a). The Act requires all public-facing sites or forms that request PII to prominently and conspicuously display a privacy notice.
The notice must address the following criteria:
- Legal authorization to collect information about you;
- Purpose for which the information will be used;
- Routine uses for disclosure of information outside of the Department of Homeland Security;
- Whether your providing the information is voluntary or mandatory under law; and
- Effects if you choose to not provide the requested information.
For the general contact information that may be submitted through CISA websites, we have completed a Privacy Impact Assessment (PIA) and System of Records Notice (SORN) providing details about the privacy protections and redress options available for the contact information we collect from the public. This information may be used to distribute information to you and to perform various administrative tasks. For further information, please reference the privacy compliance documentation below:
- DHS/ALL/PIA-006 Department of Homeland Security General Contact Lists Privacy Impact Assessment (April 25, 2019)
- DHS/ALL-002 Department of Homeland Security (DHS) Mailing and Other Lists System of Records Notice (November 25, 2008) (73 FR 71659)
Many of our programs and websites allow you to send us email messages. We will use the information you provide to respond to your inquiry. We will only send you general information via email. You should be reminded that email may not necessarily be secure against interception. Therefore, we suggest that you do not send sensitive PII (such as your Social Security number) to us via email. If your intended email communication is sensitive, e.g., it includes information such as your bank account, charge card, or Social Security number, you should instead send it by U.S. mail. Another alternative may be submission of data through a secure program website, if available.
Electronic mail messages that meet the definition of records in the Federal Records Act (44 U.S.C. § 3101) are covered under the same disposition schedule as all other Federal records. This means that emails you send us will be preserved and maintained for varying periods of time if those emails meet the definition of Federal records. Electronic messages that are not records are deleted when no longer needed.
Web Measurement Tools and Web Surveys
When you browse through any website, certain information about your visit can be collected. We automatically collect the following types of information about your visit:
- Domain from which you access the internet;
- IP address (an IP address is a number that is automatically assigned to a computer when surfing the internet);
- Operating system and information about the device or browser used when visiting the site;
- Date and time of your visit;
- Content you visited or downloaded; and,
- Website (such as google.com or bing.com) or referral source (email notice or social media site) that connected you to the website.
CISA uses Google Analytics measurement software to collect the information listed above. The data are automatically sent to Google’s system and the system immediately aggregates the data. Neither the Department nor Google ever have access to the specifics of your particular site visits. The staff can only see the aggregate data from all users for a particular time period.
CISA gathers this information to improve our websites and has chosen to not share the aggregate data with Google. We may use the aggregated data to share with our partners and contractors to help improve visitor experiences.
CISA also uses online surveys to collect opinions and feedback from a random sample of visitors. CISA uses Survey Monkey online surveys to obtain feedback and data on visitors’ satisfaction with CISA websites. Surveys do not collect PII and participation in surveys is voluntary. If you decline the survey, you will still have access to identical information and resources on the website as those who take the survey. Answers to the survey help CISA improve its websites to make it easier to use and more responsive to the needs of our visitors. CISA staff conducts analysis and reports on aggregated data from website surveys. The reports are only available to website managers, members of their communications and web teams, and other designated staff who require this information to perform their duties.
CISA retains data from Google analytics and Survey Monkey survey results only as long as required by law or needed to support the mission of CISA websites.
The Office of Management and Budget Memo M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies allows Federal agencies to use session and persistent cookies.
When you visit any website, its server may generate a piece of text known as a “cookie” to place on your computer. Placing cookie text allows websites to “remember” visitors’ preferences, surfing patterns, and behavior while they are connected.
The cookie makes it easier for you to use the dynamic features of webpages. Cookies from CISA webpages only collect information about your browser’s visit to the site; they do not collect any personal information about you.
There are two types of cookies, single session (temporary), and multi-session (persistent). Session cookies last only as long as your web browser is open. Once you close your browser, the cookie disappears. Persistent cookies are stored on your computer for longer periods.
Session Cookies: We use session cookies for technical purposes such as to enable better navigation through our site. These cookies let our server know that you are continuing to visit our site. The OMB Memo 10-22 guidance defines our use of session cookies as “Usage Tier 1-Single Session.” The policy says, “This tier encompasses any use of single session web measurement and customization technologies.”
Persistent Cookies: We use persistent cookies to differentiate between new and returning visitors to our site. Persistent cookies remain on your computer between visits to CISA websites for six months. We also use persistent cookies to block repeated invitations to take our customer satisfaction surveys. The persistent cookies that block repeated survey invitations expire in 90 days. The OMB Memo 10-22 guidance defines our use of persistent cookies as “Usage Tier 2-Multi-session without Personally Identifiable Information (PII).” The policy says, “This tier encompasses any use of multi-session web measurement and customization technologies when no PII is collected.”
Third party software, modules, or add-ins being leveraged on CISA websites may or may not use persistent cookies or similar technology; however, no data collected in this manner is accessible, viewable, or retained by the federal government.
If you do not wish to have session or persistent cookies stored on your machine, you can opt out or disable cookies in your browser. You will still have access to all information and resources at CISA websites. However, turning off cookies may affect the functioning of some websites. Be aware that disabling cookies in your browser will affect cookie usage at all other websites your visit as well.
For additional information about CISA’s use of Google Analytics, please see our privacy impact assessment, DHS/ALL/PIA-033 Google Analytics (June 9, 2011).
Third-Party Websites and Applications
CISA uses social media websites and other kinds of third-party websites. CISA uses social media websites to engage in dialogue, share information and media, and collaborate with the public. CISA may also use these websites to make information and services widely available, while promoting transparency and accountability, as a service for those seeking information about or services from CISA. The Department has published two Privacy Impact Assessments detailing the use of social media:
- DHS/ALL/PIA-031 Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue (September 16, 2010)
- DHS/ALL/PIA-036 Use of Unidirectional Social Media Applications (March 8, 2011)
CISA does not used third-party websites to solicit and collect PII from individuals. Any PII collected by the third-party website will not be transmitted or stored by CISA; no PII will be disclosed, sold, or transferred to any other entity outside the Department, unless required for law enforcement purposes or by statute consistent with the Privacy Act.
CISA takes the security of all PII very seriously. We take precautions to maintain the security, confidentiality, and integrity of the information we collect on CISA websites. Such measures include access controls designed to limit access to the information to the extent necessary to accomplish our mission. We also employ various security technologies to protect the information stored on our systems. We routinely test our security measures to ensure that they remain operational and effective.
- For site security purposes and to ensure that services remain available to all users, this government computer system employs commercial software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.
- Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits. Raw data logs are used for no other purposes and are scheduled for regular destruction in accordance with National Archives and Records Administration guidelines.
- Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act.
Visiting Other Websites
Our websites may contain links to international agencies, private organizations, and commercial entities. These websites are not within our control and may not follow the same privacy, security, or accessibility policies. Once you link to another site, you are subject to the policies of that site. All Federal websites, however, are subject to the same Federal policy, security, and accessibility mandates.