The Agency shall include personal information in intelligence products and reports only as consistent with applicable IC standards for accuracy and objectivity, and as necessary to meet an analytic or operational purpose, as set forth in relevant IC directives.
When disseminating unevaluated SIGINT that may contain personal information, the Agency will inform the recipient that the dissemination may contain personal information so that the recipient can take appropriate steps to protect that information.
Dissemination of personal information acquired through SIGINT activities to a foreign government is authorized only if the dissemination meets the following criteria:
- the dissemination is in the interests of the United States; and
- the dissemination complies with applicable laws, Executive Orders, and IC policies.
Compliance
Agency policies and procedures shall include appropriate measures to facilitate compliance and oversight of the implementation of safeguards protecting personal information acquired through SIGINT activities, to include periodic auditing against the standards required by this regulation and implementing guidance, and training for personnel authorized to access such information.
Agency information systems will be designed to monitor activity in datasets involving personal information and facilitate the monitoring, recording, and auditing of queries of personal information.
The Agency shall notify personnel how they may securely report violations of law, regulation, or policy.
When a significant compliance issue occurs involving personal information of any person, regardless of nationality, collected as a result of SIGINT activities, the issue shall, in addition to any existing reporting requirements, be reported promptly to the PCLO, who shall determine what, if any, corrective actions are necessary. All significant compliance issues involving personal information shall be promptly reported to the DNI. If the issue involves a foreign person, the DNI, in consultation with the Secretary of State and the Director of the Central Intelligence Agency (D/CIA), shall determine whether steps should be taken to notify the relevant foreign government, consistent with the protection of sources and methods and of U.S. personnel.
Responsibilities
The Director of the Central Intelligence Agency (D/CIA) shall approve any exception to any provision of this regulation that is not required by the Constitution or a statute, Executive Order, proclamation, or Presidential directive, and notify, and if practicable consult in
6
