USDOS Refugee Admissions Program Guidelines

Questions and Answers

What is the purpose of the USRAP Integrity & Compliance Guide?

To provide detailed processing guidance for RSC

To provide general program integrity requirements for USRAP (correct)

To provide general information about the USRAP

To outline cooperative agreements with IOM

Who should suspected instances of fraud be reported to?

IOM only

PRM/A Fraud Prevention and Integrity Team, PRM Refugee Coordinator (RefCoord), and USCIS Desk Officer (correct)

PRM Refugee Coordinator (RefCoord) and USCIS Desk Officer

FDNS/USCIS only

What is the version of the USRAP Integrity & Compliance Guide?

v2.0

v1.0

v1.5 (correct)

v3.0

Who approved the USRAP Integrity & Compliance Guide?

Nicole Patel

What is the effective date of the USRAP Integrity & Compliance Guide?

April 26, 2024

Who is the USRAP Integrity & Compliance Guide for?

Resettlement Support Center (RSC) use only

What type of information is not authorized to be disclosed to third parties?

Security check processes and results

What applies to all information obtained by RSCs, regardless of the form in which it is stored?

These guidelines apply to all records

What is a requirement for RSC staff with access to physical and/or electronic records that contain refugee data?

Annual acknowledgement of having read the Integrity & Compliance Guide

What is the purpose of the Rules of Behavior?

To provide useful information about protecting the network/computer while using the internet

What is required for RSC staff who use an RSC computer connected to the internet?

Annual acknowledgement of having read the Rules of Behavior

What is the responsibility of RSC Management regarding annual acknowledgements?

To keep a record of annual acknowledgements

Which law regulates the handling of refugee case records in the United States?

Privacy Act

What is the primary purpose of the guidelines discussed in the content?

To regulate the handling of refugee case records in the United States

When do the guidelines discussed in the content apply to RSC files and file rooms?

As soon as an RSC receives an application, whether or not it is complete

What is excluded from the guidelines discussed in the content?

Separate facilities/file rooms/locations for non-U.S. resettlement that do not include any USRAP files

Which of the following is NOT a law or regulation mentioned in the content?

The Refugee Processing Center Guidelines

What is the purpose of the Privacy Act Systems of Record Notice, State-59, Refugee Case Records?

To notify the public of the existence of refugee case records

What is a primary guideline for the treatment of refugee records?

Government records may not be used, disclosed, or disseminated except in connection with the administration of the U.S.

What is the main purpose of protecting refugee records?

To protect the personally identifiable information (PII) of refugees

What is a key principle governing access to refugee records?

Authorized personnel can access refugee records only for official purposes

What is the consequence of failing to protect refugee records?

A data breach and potential harm to refugees

What is a key aspect of handling sensitive documents in the USRAP?

Protecting documents from unauthorized access

What is the main difference between PII and SPII?

PII is general information, while SPII is sensitive information

What is the purpose of compliance and regulations in the USRAP?

To ensure the security and privacy of refugee records

RSCs and IOM must submit a data sharing proposal to the Department of State before sharing START data with another person or entity for research purposes.

False

The data sharing proposal must include a description of the type and scope of START data to be shared.

True

PRM will review the data sharing proposal and provide a written response within 10 days of receiving the proposal.

False

The RSC, or IOM must destroy all shared data after completing the approved project.

False

The RSC, or IOM must send PRM by email a scanned copy of the data use agreement signed with the research partner within 10 business days of the date of signing.

False

RSCs and IOM may share an identified dataset with research partners after receiving written approval from PRM.

False

RSCs can export START filtered lists without authorization from the RPC.

False

The RPC restricts the exposure of CDM fields containing PII to all RSCs.

False

Tableau reports can be shared within the guidelines set forth in the document.

True

RSCs can request for any CDM field to be exposed without justification.

False

The RPC Help Desk provides approval for exporting data that cannot be met through Tableau reports.

True

System data can be viewed or shared outside of the START system without authorization.

False

RSCs and USRAP-affiliated IOM staff can share refugee records with research partners for the purpose of publication.

False

RSCs, IOM, and their research partners can publish individual refugee records after a refugee’s admission to the United States.

False

PRM recognizes that RSCs and IOM have a strong interest in partnering with researchers to improve their methods of implementing and evaluating the USRAP.

True

Before sharing any non-public refugee records, data, or information with a research partner, RSCs and USRAP-affiliated IOM staff must follow a specific process.

True

RSCs, IOM, and their research partners can publish reports that disclose individual refugees and their resettlement locations.

False

PRM permits the sharing of general information through public websites and/or resources, such as Settleinus.org or PRM’s website.

True

The RSC must record all routine contacts for processing steps in the Contact Log.

False

PRM allows sharing of refugee records, data, or information via unencrypted email.

False

The disclosure of information about applicants and approved refugees can be made freely.

False

RSCs can attach emails between the RSC and RPC or the RSC and PRM to cases as they prefer.

False

Data must be hosted on a secure server approved to handle sensitive data.

True

The RSC should record contact with authorized individuals who tried to seek information about the applicant from the RSC.

False

Personal health and medical information is not considered personally identifiable information (PII).

False

Match the following entities with their responsibilities in the data sharing process:

RSC or IOM = Submit a data sharing proposal to PRM PRM = Review the data sharing proposal and provide a written response Office of the Legal Adviser = Verify the proposal's consistency with the Department's privacy policies and guidelines Research Partner = Sign a data use agreement and non-disclosure agreement

Match the following components with their requirements in the data sharing proposal:

Description of the type and scope of START data to be shared = Must be included in the data sharing proposal Draft of the data use agreement to be signed by the intended research partner = Must be included in the data sharing proposal Name of the intended research partner = Must be included in the data sharing proposal List of all RSC staff with access to the data = Not required in the data sharing proposal

Match the following actions with the required timeframe:

PRM provides a written response to the data sharing proposal = Within 30 days of receiving the proposal RSC or IOM signs a data use agreement and non-disclosure agreement with the research partner = After receiving written approval from PRM RSC or IOM sends PRM a scanned copy of the data use agreement = Within 5 business days of the date of signing RSC or IOM shares the de-identified dataset with the research partner = After receiving written approval from PRM

Match the following requirements with the relevant guidelines:

Handling sensitive documents = requires that they be handled in accordance with the USRAP guidelines Protecting refugee records = requires that they be protected from unauthorized disclosure Sharing refugee records with research partners = requires that they follow a specific process Exporting data from START = requires authorization from the RPC

Match the following documents with their purpose:

Data sharing proposal = To obtain PRM's written approval for sharing START data with a research partner Data use agreement and non-disclosure agreement = To prohibit the disclosure of individual-level data and direct the research partner to destroy all shared data after completing the approved project Scanned copy of the data use agreement = To be sent to PRM by email within 5 business days of the date of signing START data = To be shared with research partners for the purpose of publication

Match the following actions with the relevant entities:

Review the data sharing proposal = PRM Submit the data sharing proposal = RSC or IOM Sign the data use agreement and non-disclosure agreement = Research Partner Destroy all shared data after completing the approved project = RSC, IOM, or Research Partner

Match the following data protection principles with their descriptions:

Confidentiality = Refugee records, data, and information collected after a refugee’s admission to the United States are still subject to the confidentiality provisions of PRM’s cooperative agreements and MOU with RSCs, and IOM. Publication = RSCs, IOM, and their research partners cannot publish individual refugee records after a refugee’s admission to the United States. Aggregation = RSCs, USRAP-affiliated IOM staff, and their research partners may publish aggregated statistical summaries describing the effectiveness of program innovations. Disclosure = PRM permits the sharing of general information through public websites and/or resources, such as Settleinus.org or PRM’s website.

Match the following Tableau report access guidelines with their descriptions:

Exporting = RSCs can export START filtered lists without authorization from the RPC. Sharing = Tableau reports can be shared within the guidelines set forth in the document. Viewing = The RPC restricts the exposure of CDM fields containing PII to all RSCs. Requesting = RSCs can request for any CDM field to be exposed without justification.

Match the following START system usage guidelines with their descriptions:

Data hosting = Data must be hosted on a secure server approved to handle sensitive data. Data sharing = RSCs and IOM must submit a data sharing proposal to the Department of State before sharing START data with another person or entity for research purposes. System access = System data can be viewed or shared outside of the START system without authorization. Data destruction = The RSC, or IOM must destroy all shared data after completing the approved project.

Match the following communication guidelines with their descriptions:

Email attachments = RSCs can attach emails between the RSC and RPC or the RSC and PRM to cases as they prefer. Contact logging = The RSC must record all routine contacts for processing steps in the Contact Log. Information disclosure = The disclosure of information about applicants and approved refugees can be made freely. Confidentiality notification = The RSC should record contact with authorized individuals who tried to seek information about the applicant from the RSC.

Match the following data sharing protocols with their descriptions:

Data use agreement = The RSC, or IOM must send PRM by email a scanned copy of the data use agreement signed with the research partner within 10 business days of the date of signing. Proposal review = PRM will review the data sharing proposal and provide a written response within 10 days of receiving the proposal. Data sharing approval = RSCs and IOM may share an identified dataset with research partners after receiving written approval from PRM. Public information = PRM permits the sharing of general information through public websites and/or resources, such as Settleinus.org or PRM’s website.

Match the following research partnership guidelines with their descriptions:

Research purpose = PRM recognizes that RSCs and IOM have a strong interest in partnering with researchers to improve their methods of implementing and evaluating the USRAP. Data sharing process = Before sharing any non-public refugee records, data, or information with a research partner, RSCs and USRAP-affiliated IOM staff must follow a specific process. Publication restrictions = RSCs, IOM, and their research partners cannot publish individual refugee records after a refugee’s admission to the United States. General information sharing = PRM permits the sharing of general information through public websites and/or resources, such as Settleinus.org or PRM’s website.

Match the following terms with their descriptions:

Common Data Models (CDMs) = Sets of data provided to RSCs for reporting in Tableau PII = Personally identifiable information within CDM data sets RSCs = Resettlement Support Centers Tableau Reports = Approved reports for sharing applicant data

Match the following guidelines with their purposes:

START System Usage = Manage system data and export filtered lists Tableau Report Access = Limit report creation to enforce data integrity and reduce PII distribution Data Sharing Protocols = Regulate data sharing with research partners Communication Guidelines = Ensure secure and authorized communication

Match the following terms with their roles:

RPC = Restricting the exposure of CDM fields containing PII PRM = Providing approval for adding CDM fields and reviewing data sharing proposals RSCs = Requesting CDM fields with justified business need RPC Help Desk = Providing approval for exporting data that cannot be met through Tableau reports

Match the following protocols with their restrictions:

Data Sharing Protocols = Require written approval from PRM for sharing START data with research partners START System Usage = Prohibit exporting START filtered lists without authorization Tableau Report Access = Limit access to CDM fields containing PII Communication Guidelines = Ensure secure and authorized communication

Match the following actions with their requirements:

Requesting CDM fields = Submitting a justification of business need Exporting START filtered lists = Obtaining approval from RPC Sharing Tableau reports = Following guidelines set forth in the document Destroying shared data = After completing the approved project

Match the following entities with their responsibilities:

RSCs = Providing a business case with justification for each report created in Tableau PRM = Reviewing data sharing proposals and providing written responses RPC = Restricting the exposure of CDM fields containing PII RPC Help Desk = Providing approval for exporting data that cannot be met through Tableau reports

Match the following types of information with their classification as personally identifiable information (PII):

Full-face photographic images = PII Personal health and medical information = PII Refugee status = Non-PII Biometric records = PII

Match the following entities with their responsibilities regarding data sharing:

RSCs = Record interactions with applicants and unauthorized individuals in the Contact Log RPC = Restrict the exposure of CDM fields containing PII to all RSCs PRM = Review data sharing proposals and provide written responses IOM = Destroy shared data after completing approved projects

Match the following actions with their requirements or guidelines:

Sharing refugee records with research partners = Follow a specific process and obtain written approval from PRM Disclosing information about applicants and approved refugees = Contain the least amount of PII possible Recording interactions with applicants and unauthorized individuals = Use RSC phone and/or email addresses Hosting data = Use a secure server approved to handle sensitive data

Match the following communication methods with their guidelines:

Email = Encrypt when sharing refugee records, data, or information Contact Log = Document interactions with applicants and unauthorized individuals Phone = Use RSC phone addresses when recording interactions with applicants and unauthorized individuals Unencrypted email = Not allowed for sharing refugee records, data, or information

Match the following types of data with their usage guidelines:

START data = Requires a data sharing proposal and written approval from PRM for research purposes Tableau reports = Can be shared within the guidelines set forth in the document CDM fields = Exposure restricted to authorized RSCs Refugee case records = Must be hosted on a secure server approved to handle sensitive data

Match the following entities with their responsibilities regarding data protection:

RSCs = Record interactions with applicants and unauthorized individuals in the Contact Log PRM = Review data sharing proposals and provide written responses IOM = Destroy shared data after completing approved projects RSC Management = Ensure annual acknowledgements from RSC staff

Match the following actions with their consequences or guidelines:

Failing to protect refugee records = Consequences not specified Sharing general information = Permitted through public websites and/or resources Attaching emails to cases = Not recommended and should be copied and pasted into the Contact Log instead Disclosing information about applicants and approved refugees = Must contain the least amount of PII possible

Study Notes

Guidelines for the Treatment of Refugee Records

• The USRAP Integrity & Compliance Guide provides general program integrity requirements for the U.S. Refugee Admissions Program (USRAP), in compliance with Department of State Bureau of Population, Refugees, and Migration (DOS/PRM) and Refugee Processing Center (RPC) policies.

Records Covered

• These guidelines apply to any information obtained by the RSCs from employees, contract workers, volunteer workers, applicants, international organizations, or any other source that relates to individuals identified for possible admission to the United States under the USRAP or SIV program.
• The guidelines apply regardless of the form in which information is stored (e.g., paper or electronic media).

Authorized Access to Records

• Authorized unrestricted access to records is limited to those with a need to know and who have a legitimate interest in the information.
• Authorized limited disclosures of information may be made to third parties, but only with the written consent of the applicant and in accordance with the guidelines.

Data Sharing and Communication

• Data sharing and communication must be limited to only necessary information and only to authorized personnel.
• Data must be protected from unauthorized disclosure, modification, or destruction.
• Data breaches must be reported immediately to the appropriate authorities.

Integrity and Compliance

• All RSC staff must acknowledge, in writing, having read the entire Integrity & Compliance Guide and the Rules of Behavior.
• RSC Management must keep a record of these annual acknowledgements to ensure staff compliance.
• Suspected instances of fraud must be reported immediately to the PRM/A Fraud Prevention and Integrity Team, PRM Refugee Coordinator (RefCoord), USCIS Desk Officer, and Fraud Detection and National Security Directorate (FDNS/USCIS).

Security Checks

• Results of security checks on a case are not to be disclosed to third parties.
• Information regarding reasons for USCIS decisions (e.g., reasons for approval, denial) beyond the information already provided in the decision letter is not to be disclosed to third parties.
• Authorization to receive limited disclosures of information in applicant records does not provide the recipient the authority to disclose information to persons who are not otherwise entitled to receive it under these guidelines.

Data Sharing Proposal

• RSCs and IOM must submit a data sharing proposal to PRM and obtain written approval on a case-by-case basis before sharing START data with another person or entity for research purposes.
• The proposal must include:
  • Description of the type and scope of START data to be shared
  • Name of the intended research partner
  • Explanation of how the sharing of START data will further the implementation of the USRAP
  • Draft of the data use agreement to be signed by the intended research partner

Review and Approval Process

• PRM will review the data sharing proposal in consultation with the Department of State's Office of the Legal Adviser
• PRM will verify whether the proposal is consistent with the Department's privacy policies and guidelines
• PRM will issue a written response approving, denying, or requesting modifications to the data sharing proposal
• PRM will strive to provide a written response within 30 days of receiving the data sharing proposal

Data Sharing Agreement and Non-Disclosure Agreement

• Upon receiving written approval from PRM, the RSC or IOM must sign a data use agreement and non-disclosure agreement with the intended research partner
• The agreement must specifically prohibit any disclosure of individual-level data
• The agreement must direct the research partner to destroy all shared data after completing the approved project

Secure Data Sharing

• The RSC or IOM must send PRM a scanned copy of the data use agreement signed with the research partner within 5 business days of the date of signing
• Upon following the steps described above, the RSC or IOM may securely share an appropriately de-identified dataset with research partners

Protecting Data in Tableau Reports

• Sharing of Tableau reports is permitted within the guidelines set forth in this document
• Common Data Models (CDMs) are the sets of data provided to the RSCs for reporting in Tableau
• CDMs define the model for the data that will be included in the data source
• Fields with PII will only be exposed to RSCs if the RSC has a valid business need for access to the field and if the RSC does not have another feasible workaround

Exporting Data

• RSCs must provide a business case with justification for each report created in Tableau and with justification for any PII included in Tableau reports
• START users currently have the ability to export START filtered lists as a reporting feature, but this capability should not be used without authorization from the RPC
• If staff have a justified business need to export data that cannot be met through Tableau reports, an exception may be pursued by submitting a request to the RPC Help Desk for approval

Sharing Refugee Records

• RSCs and USRAP-affiliated IOM staff are not permitted to share refugee records, data, or information collected before a refugee's admission with research partners for the purpose of publication
• Refugee records, data, and information collected after a refugee's admission to the United States are still subject to the confidentiality provisions of PRM's cooperative agreements and MOU with RSCs and IOM
• RSCs, USRAP-affiliated IOM staff, and their research partners may publish aggregated statistical summaries describing the effectiveness of program innovations that are based on data collected after a refugee's admission to the United States

Data Sharing Proposal

• RSCs and IOM must submit a data sharing proposal to PRM and obtain written approval on a case-by-case basis before sharing START data with another person or entity for research purposes.
• The proposal must include:
  • Description of the type and scope of START data to be shared
  • Name of the intended research partner
  • Explanation of how the sharing of START data will further the implementation of the USRAP
  • Draft of the data use agreement to be signed by the intended research partner

Review and Approval Process

• PRM will review the data sharing proposal in consultation with the Department of State's Office of the Legal Adviser
• PRM will verify whether the proposal is consistent with the Department's privacy policies and guidelines
• PRM will issue a written response approving, denying, or requesting modifications to the data sharing proposal
• PRM will strive to provide a written response within 30 days of receiving the data sharing proposal

Data Sharing Agreement and Non-Disclosure Agreement

• Upon receiving written approval from PRM, the RSC or IOM must sign a data use agreement and non-disclosure agreement with the intended research partner
• The agreement must specifically prohibit any disclosure of individual-level data
• The agreement must direct the research partner to destroy all shared data after completing the approved project

Secure Data Sharing

• The RSC or IOM must send PRM a scanned copy of the data use agreement signed with the research partner within 5 business days of the date of signing
• Upon following the steps described above, the RSC or IOM may securely share an appropriately de-identified dataset with research partners

Protecting Data in Tableau Reports

• Sharing of Tableau reports is permitted within the guidelines set forth in this document
• Common Data Models (CDMs) are the sets of data provided to the RSCs for reporting in Tableau
• CDMs define the model for the data that will be included in the data source
• Fields with PII will only be exposed to RSCs if the RSC has a valid business need for access to the field and if the RSC does not have another feasible workaround

Exporting Data

• RSCs must provide a business case with justification for each report created in Tableau and with justification for any PII included in Tableau reports
• START users currently have the ability to export START filtered lists as a reporting feature, but this capability should not be used without authorization from the RPC
• If staff have a justified business need to export data that cannot be met through Tableau reports, an exception may be pursued by submitting a request to the RPC Help Desk for approval

Sharing Refugee Records

• RSCs and USRAP-affiliated IOM staff are not permitted to share refugee records, data, or information collected before a refugee's admission with research partners for the purpose of publication
• Refugee records, data, and information collected after a refugee's admission to the United States are still subject to the confidentiality provisions of PRM's cooperative agreements and MOU with RSCs and IOM
• RSCs, USRAP-affiliated IOM staff, and their research partners may publish aggregated statistical summaries describing the effectiveness of program innovations that are based on data collected after a refugee's admission to the United States

Description

Learn about the US Refugee Admissions Program guidelines, including program integrity requirements and policies for Refugee Processing Center and Department of State Bureau of Population, Refugees, and Migration. Test your knowledge of refugee records and compliance rules.