Retention and Access
Retention of personal information concerning foreign persons acquired through SIGINT activities is authorized only if the Agency has lawfully collected or received the information in accordance with FISA or Part I of Executive Order 12333 and the processes established by PPD-28, and the retention of comparable information concerning U.S. persons would be permitted under Section 2.3 of Executive Order 12333. Such information shall be subject to the same retention periods as comparable information concerning U.S. persons. Information for which no permanent retention determination has been made shall not be retained for more than five (5) years, unless the DNI expressly determines that continued retention is in the national security interests of the United States. Information for which no permanent retention determination has been made may be retained for up to five (5) years, or the extended period approved by the DNI, to determine whether it falls within one of the following categories that meet the standard for permanent retention:
- information that is publicly available or collected with the consent of the person concerned;
- information constituting foreign intelligence or counterintelligence. If the Agency is permanently retaining personal information concerning a foreign person because it is foreign intelligence, the information must relate to an authorized intelligence requirement, and cannot be retained solely because of the person’s foreign status. Thus, for example, personal information about the routine activities of a foreign person may not be retained unless it relates to an authorized foreign intelligence requirement;
- information obtained in the course of a lawful foreign intelligence, counterintelligence, international drug or international terrorism investigation;
- information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations;
- information needed to protect foreign intelligence or counterintelligence sources, methods and activities from unauthorized disclosure;
- information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility;
- information arising out of a lawful personnel, physical or communications security investigation;
- information acquired by overhead reconnaissance not directed at specific U.S. persons;
- incidentally obtained information that may indicate involvement in activities that may violate Federal, state, local, or foreign laws; and
- information necessary for administrative purposes.
Personal information acquired through SIGINT activities for which no determination has been made that it can be permissibly disseminated or retained shall be accessed only in order to make such determinations (or to conduct authorized administrative, security, compliance, and oversight functions).
4
