icg.pdf

Full Transcript

USRAP Integrity & Compliance Guide
Effective: April 26, 2024 Version: v1.5 Approved By: Nicole Patel

Summary: The USRAP Integrity & Compliance Guide provides general program integrity
requirements for the U.S. Refugee Admissions Program (USRAP), in compliance with
Department of State Bureau of Population, Refugees, and Migration (DOS/PRM) and
Refugee Processing Center (RPC) policies. For general information about the USRAP,
refer to the USRAP Policy Guide. For detailed processing guidance, refer to the USRAP
Processing Guides in START Knowledge.

The USRAP Integrity and Compliance Guide is for Resettlement Support Center (RSC)
use only and is not for further or public distribution. Any information sharing is
governed by specific limitations and requirements in the cooperative agreements, the
Memorandum of Understanding with the International Organization for Migration
(IOM), and this Guide. Do not share this guidance outside your organization without
written approval by PRM.

Report suspected instances of fraud to the PRM/A Fraud Prevention and Integrity
Team, PRM Refugee Coordinator (RefCoord), USCIS Desk Officer, and Fraud Detection
and National Security Directorate (FDNS/USCIS) immediately.

Note: Red text indicates updated information.

Topics:
1.0 Guidelines for the Treatment of Refugee Records 3
1.1 Terms Defined 4
1.2 Records Covered 5
1.3 Personally Identifiable Information (PII) 5
2.0 General Principles Governing Access to Records 11
2.1 Authorized Unrestricted Access 11
2.2 Authorized Limited Disclosures 13
3.0 Data Sharing and Communication in the USRAP 23
3.1 Receiving, Sending, and Disclosing Applicant Data 24
3.2 Protecting Data 31
3.3 Data Breaches 31
3.4 Handling of Records 32
4.0 Integrity and Compliance 39
4.1 Roles and Responsibilities 39
4.2 Guidelines for Staff, Interpreters, and Workspaces 40
Appendix A: START Rules of Behavior 52
Introduction 52
Terminology 52
General Rules 53
Appropriate Access 53

1
 Email Usage 53
Inappropriate Websites 54
Passwords 54
Downloads and Software 54
Attaching or Connecting Devices 55
Copyrighted Material 55
Data Removal 55
Remote access 56
Training 56
Supplemental Rules for Privileged Users 56
Exceptions and Waivers 57
Continuation of this Agreement 57
Agreement and Consent 57
Appendix B: RSC Style Guidelines 58
Overall Policy 58
Clear Space 58
Scale 59
Guidelines for Staging Events and Programs 59
Frequently Asked Questions 59

2
1.0 Guidelines for the Treatment of Refugee Records
Government records, including data and information on refugees, may not be used, disclosed, or disseminated,
except in connection with the administration of the U.S. Refugee Admissions Program (USRAP) and only with the
prior written consent of the Department of State. All sharing of individual information is subject to the Privacy Act,
5 U.S.C. §552a, privacy policies of the Department of State and, for Special Immigrant Visas (SIV), Section 222(f) of
the Immigration and Nationality Act (INA), 8 U.S.C.§ 1202(f). In accordance with these laws and relevant
implementing regulations, refugee records, information, and data originating from START may not be shared,
disclosed, or disseminated without prior written consent of the Department of State, no matter whether those
records, information, or data have been transferred into another database and/or de-identified. Refugee data
originating from the PRM refugee case processing system – START – may not be used for research purposes
without the prior written consent of the Department of State. The policies and regulations of other government
agencies, including the Department of Health and Human Services (HHS) and Department of Homeland Security
(DHS), do not replace or supersede the laws, regulations, and policies of the Department of State regarding
restrictions on the sharing of refugee records, information, and data. The Bureau of Population, Refugees, and
Migration (PRM) of the U.S. Department of State owns all data maintained in START except for information and
records in START originating from and owned by another U.S. government agency, such as DHS.

PRM has compiled the guidelines below for all Resettlement Support Centers (RSCs) that process applicants for
refugee resettlement and SIV status in the United States with funding from PRM. Pursuant to the cooperative
agreements or Memorandum of Understanding (MOU) under which the RSCs participate in the USRAP, all RSC
employees must adhere to these guidelines.

The guidelines are intended to ensure that records on applicants, and affiliated persons, including U.S. Ties,
maintained by RSCs on behalf of PRM are treated in accordance with the requirements of U.S. law. These laws
include the Freedom of Information Act (FOIA), 5 U.S.C. §552; the Privacy Act, 5 U.S.C. §552a; 5 FAM §469; and the
Federal Records Management Statutes, 44 U.S.C. Chapters 21, 29, 31, and 33.

In addition, SIVs are covered by Section 222(f) of the INA, as amended; this is in addition to the guidelines included
below.

RSC files and file rooms are covered by these guidelines as long as they contain USRAP files, even if they also
contain resettlement files for other, non-U.S. destinations. These guidelines apply as soon as an RSC receives an
application, whether or not the application is deemed complete and regardless of whether the applicant is
eventually approved for admission to the United States as a refugee. The guidelines also apply to files opened on
individuals who were eventually referred for resettlement in countries other than the United States. Should an RSC
have a separate facility/file room/location for non-U.S. resettlement that does not include any USRAP files, that
location is not covered by the guidance below.

The guidelines in this document supplement the following published information:

The Foreign Affairs Handbook (FAH), including 5 FAH-4, Records Management Handbook, 100 and 300,
related to the management and disposition of State Department records.
The Privacy Act Systems of Record Notice State-59, Refugee Case Records, published in the Federal Register
on February 6, 2012.
The U.S. Department of State Privacy Policy
The Refugee Processing Center Privacy Impact Assessment
The U.S. Department of State Records Schedule:

Chapter B-12: Refugee and Migration, including B-12-001-05, approved by the National Archivist on
August 28, 2008, under Records Disposition Authority N1-84-08-2; and

3
 Chapter A-25: Population, Refugees, and Migration, including A-25- 003-03, approved May 30, 2008
under GRS20, Item 2 and N1-059-08-3. (Note: This chapter applies to PRM staff, not RSCs.)

For SIVs, the Foreign Affairs Manual (FAM), including 9 FAM 203.5-3, Confidentiality in Refugee, Asylee,
V92, and V93 Casework.
RSC Inquiry Response Template
Third Party Authorization Form
RSC Style Guidelines

Questions or concerns related to refugee records should be addressed to the Program Officer in PRM’s Office of
Admissions (PRM/A).

1.1 Terms Defined
1. “Fraud” is defined by the State Department’s Office of Inspector General (OIG) as “a wrongful or criminal
deception that unlawfully deprives the United States of something of value or secures from the United
States a benefit, privilege, allowance, or consideration to which an individual is not entitled.” For the
purposes of this document and the USRAP, this includes intentional deceit or misrepresentation by a
USRAP partner, staff member, applicant, or other persons that is used to benefit oneself or someone else
through the USRAP.
2. “Malfeasance” is any intentional conduct that is wrongful or unlawful, conducted by a USRAP partner staff
member.
3. The term “applicant” includes individuals seeking admission under the USRAP, individuals referred to the
USRAP by others for consideration, and individuals seeking special immigrant status who are eligible for
travel and refugee benefits.
4. The terms “USRAP data,” “USRAP case management,” and “USRAP processing” include data, the database,
physical files, case documents, and processing of applicants, as defined above, including SIV, Resettlement
Agency (RA), and travel processing.
5. “Volunteer workers” includes all volunteer refugee assistants (e.g., incentive workers).
6. The terms “applicant records” and “refugee records” refer to stored information (both electronic and hard
copy), including applications, supporting documentation, and correspondence related to individual
applicants.
7. “Research partner” refers to any third party—including an individual, academic institution, or
organization—that requests refugee records, data, or information for research purposes or that RSCs or the
International Organization for Migration (IOM) engages with for the purpose of conducting research.
8. The “ordinary course of business” refers to RSC and IOM activities that are routine to fulfill the terms of a
cooperative agreement or MOU with PRM. Privacy Act Notice Systems of Record Notice State-59, Refugee
Case Records (“State-59”), covers records held overseas and electronic records in START.
9. In these guidelines, a “need to know” is defined as when access to the information is necessary for that
party to conduct assigned duties related to the administration or implementation of the USRAP.
10. “Access” includes visual inspection of the records, oral or written disclosures of information from a record,
or provision of copies of documents in a record. “Access” also includes bulk dissemination of multiple
records through reports generated from START data. (Reports on refugee arrivals or other overview reports
that do not include any personally identifiable information (PII), are not restricted by these guidelines.
Contact PRM/A for a separate determination if there are access restrictions to specific reports.)
11. “Sharing” includes allowing visual inspection, providing oral or written disclosures, or transmitting copies of
refugee records or data.
12. “Remote access” and “remotely” include device(s) that are not physically part of the RSC network, but
connect to the aforementioned network (e.g., an RSC-issued device that uses a private network (e.g. home
network to connect to the RSC network and/or START through a Virtual Private Network (VPN)).

4
 1.1.0 Case Status Information Defined
For the purposes of these guidelines, “case status information” may include:

Confirmation that an applicant has/has not been pre-screened.
Confirmation that an application is/is not currently being processed because the principal applicant
does/does not fall within categories of people currently being processed by the United States.
Verification that specified documents/information/counseling must be received/conducted to complete the
applicant’s file or to attempt to resolve inconsistencies in the file.
Confirmation that the application has been approved or denied.
Reason for case closure if PRM conducted the case closure, except when case closure is related to security
checks.
The outcome of the USCIS decision only if the denial letter has been transmitted.
Medical information that may impact resettlement.
Other statuses as detailed on the RSC Inquiry Response Template and/or statuses approved by the Refugee
Coordinator (RefCoord) or Program Officer for specific cases.

Under these guidelines “case status information” may not include:

Details of an individual’s personal history or characteristics, including details of the persecution claim.
Details concerning the substantive basis for actions taken on the application. This restriction means, for
instance, that someone who is authorized to receive only case status information may not be told that a
woman was raped during her escape from her country of origin.
Results of any security checks on a case.
Any information regarding reasons for USCIS decisions (e.g., reasons for approval, denial), beyond the
information already provided in the decision letter. Note: If a decision letter has not yet been provided to
the applicant, the information in the decision letter should not be provided to third parties.
Any information about security check processes under any circumstances.
Authorization to receive limited disclosures of information in applicant records does not provide the
recipient the authority to disclose information to persons who are not otherwise entitled to receive it under
these guidelines.

1.2 Records Covered
These guidelines apply to any information obtained by the RSCs from employees, contract workers, volunteer
workers, applicants, international organizations, or any other source that relates to individuals identified for
possible admission to the United States under the USRAP or SIV program.

The guidelines apply regardless of the form in which information is stored (e.g., paper or electronic media).

As part of annual training, any RSC staff with access to physical and/or electronic records that contain refugee data
must acknowledge, in writing, having read the entire Integrity & Compliance Guide. All RSC staff who use an RSC
computer connected to the internet must annually acknowledge, in writing, that they have read the Rules of
Behavior, even if they do not have access to the START database. This is due to the fact that the Rules of Behavior
contains useful information about protecting the network/computer while using the internet. RSC Management
should keep a record of these annual acknowledgements to ensure staff compliance – an electronic
signature/record of acknowledgement is acceptable.

1.3 Personally Identifiable Information (PII)
PII is characterized as “any information about an individual maintained by an agency, including 1) any information
that can be used to distinguish or trace an individual's identity, such as name, social security number, date and

5
place of birth, mother's maiden name, or biometric records; and 2) any other information that is linked or linkable
to an individual, such as medical, educational, financial, and employment information.”

PII by itself, or when combined with specific identifying factors for an individual, may cause harm to the individual.
RSCs must protect all PII in their possession, whether it pertains to refugees, SIVs, applicant relatives and relations,
including U.S. persons and U.S. Ties, etc.

Some PII information when used alone may not appear to be identifiable to a person. However, such pieces of
information are considered PII because the information belongs to a real person, and if combined with other PII
information, could provide a substantial personal description of an individual. Examples of PII, whether used alone
or with other PII, include but are not limited to:

Full name, maiden name, mother's maiden name, or alias
Personal identification number, such as social security number (SSN), passport number, driver's license
number, national ID number, or alien number
Contact information, including physical address, email address, or telephone numbers
Personal characteristics/biographic information, including photographic image (especially of face or other
identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, facial
geometry)
Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of
birth, race, religion, nationality, ethnicity, family relationships, geographical indicators, employment
information, medical information, etc.)

Sensitive PII (SPII) is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. All SPII is considered PII, however, not all PII
is considered SPII. While both PII and SPII breaches should be avoided using due caution (e.g. exercising good
judgment and consulting your supervisor if you are not sure whether to share something or how to store it), SPII
requires additional security measures to be taken. Specifically, all SPII must be encrypted when transmitted (see
Section 1.3.1).

SPII consists of one or more pieces of information that are considered particularly sensitive on their own as well as
multiple pieces of PII that when combined become SPII. The following information is considered SPII even when
used alone because it is very clearly unique to the individual:

Social security number
National ID number
Driver’s license number
Passport number
Alien number
Biometric identification information
Note: Given the type and amount of personal information the following documents contain, treat them as
SPII and therefore ensure they are encrypted if emailed:

o Immigration or refugee processing documents – e.g. I-590
o Persecution claim history documents – e.g. Case History Template, USCIS Worksheet, Request for
Review (RFR), and UNHCR Resettlement Registration Form (RRF)
o Health information documentation – e.g. medical assessment forms, medical exam forms,
significant medical condition forms, and activities of daily living form

Groupings of information are considered SPII when they contain an individual's name (or other unique identifier)
plus one or more examples of non-sensitive PII. The following examples of non-sensitive PII become SPII if a unique
identifier is included with them:
6
 Truncated SSN (such as last 4 digits)
Date of birth (month, day, and year)
Citizenship or immigration status
Ethnic or religious affiliation
Gender
Criminal history
Medical information

Examples of PII and SPII along with encryption instructions are provided in the charts below. This list may not
include all possible examples of PII or SPII regarding applicants and applicant relations. When in doubt, play it safe
by encrypting the transmission, or ask your supervisor for clarification on whether a piece of information
constitutes PII or SPII. If your supervisor cannot provide clarification, consult higher RSC management. If neither
your supervisor nor management can provide clarification, consult the RPC Help Desk.

1.3.0 Unique Identifier Chart

Types of Unique Identifiers
(these are “unique” because Constitutes SPII when used Constitutes non-sensitive PII
they belong to only one person alone when used alone
in the world)

Name (full or partial) X

Social Security Number (full #) X

National ID number X

Driver’s license
X
number/document

Passport number X

Alien registration
X
number/document

Biometric identification
X
information (including photo)

7
 1.3.1 PII & SPII Determination Chart

Sensitive PII:
Non-Sensitive PII: Requires encryption
Does not require Sensitive PII: when paired with
encryption when Requires encryption name or other unique
Types of PII
used alone or with when used alone (i.e. identifier (i.e. is
other non-sensitive is sensitive alone) sensitive when paired
PII with unique
identifier)

Social Security
X
Number (SSN)

National ID
X
number/document

Driver’s license
X
number/document

Passport
X
number/document

Alien registration
X
number/document

Biometric
identification X
information

Applicant photographs X

Immigration or
refugee processing X
documents

Persecution claim
X
history documentation

Health information
X
documentation

Truncated SSN X X

Date of birth or place
X X
of birth

8
 Sensitive PII:
Non-Sensitive PII: Requires encryption
Does not require Sensitive PII: when paired with
encryption when Requires encryption name or other unique
Types of PII
used alone or with when used alone (i.e. identifier (i.e. is
other non-sensitive is sensitive alone) sensitive when paired
PII with unique
identifier)

Citizenship,
nationality, or X X
immigration status

Ethnic or religious
X X
affiliation

Gender X X

Family relationships X X

Criminal History X X

Results of security
X X
checks or interviews

Results of DNA testing X X

Employment or
X X
education history

Contact information
(physical or virtual X X
address)

Significant medical
X X
condition

Basic medical
X X
information

Practices for handling PII depend on accessibility to the information, including level of access:

1. Electronically (e.g., in START or through email communication) or
2. In hard-copy (e.g., printed notes, completed forms such as but not limited to I-590, AOR, UNHCR Referral,
and Medical Exam Forms).

9
Please refer to relevant sections of this document for further details on required practices for handling PII
according to level of access to records and methods of transmitting records.

1.3.2 Protecting PII/SPII
Documentation Classification and Storage Requirements

All documentation containing PII – both non-sensitive and sensitive PII – should be placed in the RSC’s highest
document “classification” category. Such documents should be stored in secure physical and encrypted electronic
locations that are only accessible to those with a need-to-know for business operations.

Encryption Requirements for START and Applicant Data

All USRAP partners, including RSCs, RAs, UNHCR, IOM, panel physicians, etc. are required to encrypt Sensitive PII
(SPII) transmitted over email. This includes encrypting emails with SPII between RSC staff within the same RSC,
between RSCs and PRM or USCIS, between the RSC and applicants when practical, etc. SPII in emails can be
encrypted by 1) using an email software with an encryption feature that has been approved by RPC Security for
encryption, or 2) moving SPII information into an attachment using a separate software that complies with FIPS
140-2 cryptographic specifications.

It is a best practice for RSCs to minimize the amount of PII and SPII sent via email, especially for internal
communications, and instead leverage START, discuss cases by only referencing their case numbers, or place SPII in
a shared drive or FileCloud (RPC’s replacement for RSharenet) and refer colleagues to that location to access the
information. If SPII must be included in an email communication to any party, it should be encrypted.

If sending an email already encrypted under one of the methods specified below in Option 1, Microsoft file formats
(such as Word or Excel documents) will remain encrypted even if downloaded, however non-Microsoft file formats
(such as PDFs or image files) will not. Therefore, if sending an already encrypted email with a Microsoft file format
attachment, encrypting the email is sufficient and additionally encrypting the attachment is not required.
However, if sending an already encrypted email with a non-Microsoft file format, the attachment must be
encrypted under one of the methods specified under Option 2.

Option 1: Email software with an approved encryption feature (Note: if using an email software with an encryption
feature, the ‘encrypt’ option needs to be selected before sending - emails are not automatically encrypted):

Microsoft Office 365 - Office 365 Message Encryption (OME)
Microsoft Office 365 and Outlook - S/MIME encryption

Option 2: Attachment encrypted with FIPS 140-2 compliant encryption software:

WinZip 18.5
WinZip Courier version 7.0
WinZip Enterprise
Microsoft Office - “Encrypt with Password” feature
Adobe Acrobat - “Encrypt with Password” feature
Adobe Acrobat and Adobe Reader - FIPS Mode

Password protecting a document is not the same as encrypting it, and password protection without encryption
does not satisfy these requirements if the document contains SPII. If an RSC wishes to use password protection to
protect documents, they may, but if a document contains SPII, the RSC must encrypt the document itself or
encrypt the message through an email software. When sending an attachment encrypted with an “Encrypt with
Password” feature, the password may be sent in a separate email.
10
RSCs should note that simple case status updates in accordance with the standard RSC Inquiry Response Template
and case numbers do not constitute PII and thus do not require encryption. RSCs should limit to the extent
possible the transmission of PII in their communications with refugee applicants, petitioners, congressional
inquiries, and other authorized parties. Only the minimum necessary identifying information should be included in
their communications and case status updates with authorized parties.

All USRAP partners are required to comply with encryption requirements. RSC staff should report to the RSC
Director or Deputy Director, or through other identified internal processes, any USRAP partners who refuse to
comply with encryption requirements. In all responses to the original email that contains unencrypted SPII (from
partners or from an applicant), either redact all SPII from the response chain or follow encryption guidelines if
necessary to encrypt the email or attachment.

As discussed in Section 1.3, the names of applicants and applicant relations (including partial and full names) are
PII but are not considered SPII on their own. However, if the name is combined with other PII specific to the
applicant or applicant relation, this is considered SPII and must be encrypted if transmitted. For example, if a list
consisting just of applicant names is to be emailed, it is simply PII and encryption is not required. However, if a list
of applicant names also includes date of birth information, the list becomes SPII and must be encrypted before
sending. RSCs are encouraged to use case numbers to reference cases so that PII does not need to be shared
(START case numbers are not PII).

If an email contains many examples of non-sensitive PII, it is a best practice to err on the side of caution and
encrypt the email even though it does not strictly contain sensitive PII. A multitude of even non-sensitive PII
information can provide a recipient who has malicious intent with enough information about an applicant to cause
damage.

2.0 General Principles Governing Access to Records
The governing principle of these guidelines is that information about applicants and approved refugees and SIV
holders can generally be disclosed only as specifically necessary to process the individual’s application for
admission to the United States. RSC employees, contractors, and volunteer workers may have access to records
only to the extent necessary for them to perform their duties, otherwise referred to as “need to know.” They may
disclose information to third parties only when the third party is authorized (Third Party Authorization) to receive
the information under these guidelines and has a “need to know,” or where PRM provides prior written
authorization.

No access may be given to applicant records or information derived from these records except in accordance with
these guidelines. “Access” includes visual inspection of the records, oral or written disclosures of information from
a record, or provision of copies of documents in a record. “Access” also includes bulk dissemination of multiple
records through START-generated reports. (Dissemination of START-generated and other reports on refugee
arrivals or other overview reports that do not include any PII does not constitute “access” to records and is not
restricted by these guidelines. Contact PRM/A for a separate determination if there are access restrictions to those
reports.) See Section 1.3 for information on PII.

The guidelines are intended to give RSCs operational guidance to supplement the FAM, FAH, State-59, and the U.S.
Department of State Records Schedule (links in Section 1.0). If an RSC perceives an inconsistency between these
guidelines and other published information, the RSC should bring the difference to the attention of the RefCoord
and Program Officer responsible for the RSC’s geographic region.

11
 2.1 Authorized Unrestricted Access
For the purposes of these guidelines, “unrestricted access” means authority to examine and copy any information
in the file for the purpose of carrying out duties for the USRAP or for other authorized U.S. government business.
“Unrestricted access” does not include authority to disclose information to persons who are not otherwise
authorized to receive it under these guidelines.

2.1.0 Authorized Access to Applicant Records
The following people are authorized, as described below, to access applicant records in various forms:

2.1.0.1 Resettlement Support Center (RSC) Employees
The RSC Director, Deputy, and RSC processing managers are authorized to have unrestricted access to applicant
records in all forms.

For all other RSC processing staff, access must be limited to those records that the staff member requires to
execute his/her job responsibilities. See Section 2.2.1.1.

Any other RSC employee seeking unrestricted access must receive written individual approval from the local or
regional RefCoord after the RSC Director has certified the employee’s need to have unrestricted access.

2.1.0.2 Department of State Employees
All U.S. Embassy personnel with responsibilities that fall under the USRAP; all PRM and U.S. Embassy personnel
with responsibility for refugee admissions or SIV work; other Department of State personnel and contractors who
have a demonstrated need for unrestricted access, as determined by PRM.

2.1.0.3 Local U.S. Embassies
RSC management and employees are not permitted to communicate with U.S. Embassies regarding SIV and
refugee case applicants and information, except through the RefCoord (or with RefCoord in copy) or identified
Consular Officer in the Consular Section of the U.S. Embassy in that country/region.

2.1.0.4 Department of Homeland Security (DHS) Employees
All DHS personnel with responsibility for the USRAP; and other DHS personnel who have a demonstrated need for
unrestricted access, as determined by the Department of State/PRM.

2.1.0.4.1 USCIS
RSC management and employees are permitted to communicate with USCIS (including all sections of USCIS)
regarding refugee case applicants and information, where such communication is part of routine USRAP processing
and on a need to know basis. Requests for information from USCIS which fall outside normal USRAP processing
steps should be reported to the RefCoord, even if they do not specifically violate USRAP data sharing and
communication guidelines set forth in these guidelines.

Case and applicant data is automatically shared with USCIS’ system – “Global” – through the START-Global
interface connection, and is activated by RSCs through the “USCIS Data Transfer” Case Task in START. Therefore,
case and applicant data should not be shared with USCIS outside of START.

12
 2.1.0.5 Other U.S. Government Agencies
Representatives of other U.S. government agencies with a responsibility for the USRAP who have a demonstrated
need for unrestricted access, as determined by the Department of State/PRM.

2.1.0.6 Security Vetting Partners (Non-USCIS)
RSC management and employees are permitted to communicate with security vetting partners regarding refugee
case applicants and information. RSC-specific communication with security vetting partners should be in line with
programmatic requirements. Prior to RSC responding, all requests for information from security vetting partners
should be shared with the RefCoord, even if they do not specifically violate USRAP guidelines. Communications
with USCIS security entities should follow the guidance in the section on USCIS communication.

2.1.1 Requests for Authorization
The RSC should refer any unauthorized request for access to an applicant’s records to the RefCoord. The RefCoord
is responsible for requesting PRM’s determination that individuals not already afforded unrestricted access above
have a need to know in order to perform their job function.

2.2 Authorized Limited Disclosures

2.2.0 Disclosure of Limited Information
In general, RSC employees, RefCoords, and all other personnel handling case information/PII/SPIIcan release only
the information necessary for its partner or requestor to perform its processing function and/or in response to its
inquiry, as permitted in the guidelines below.

2.2.0.1 RSC Employees, Contractors, and Incentive Workers Not Authorized
Unrestricted Access
RSC employees authorized for limited access to records should be given access/permissions commensurate to
those needed to perform their job function. In consultation with the RSC Director/Deputy, the RefCoord must
annually review and approve the permissions granted to the RSC standard positions, certifying the
roles/permissions assigned to different position titles are appropriate for the related job functions. This approval is
subject to such terms and conditions as the RefCoord may specify in order to ensure that various RSC positions
have access only to information needed to perform the specific job description.

For employees that require first-time access to START, the RSC point of contact for requesting access (SSC in most
locations) will complete this Template that specifies requested permissions based on job functions, obtain RSC
Deputy or RSC Director review/approval, and then submit to the RPC Help Desk with the RPC Deputy Director
copied. RPC Deputy Director must approve new account creation requests. Please note: Only the User Acceptance
Testing (UAT) environment account will be granted at first. Once the RSC caseworker has completed training in the
USRAPUAT environment, the RSC can follow up to ask Help Desk to create a Production environment
(USRAPPROD) account without seeking RPC Deputy Director approval. Also note, RPC Deputy Director approval is
not required to reactivate accounts which have previously been approved, but were deactivated due to inactivity.

For employees that require changes to their existing START accounts (e.g., due to position change/promotion), the
RSC point of contact for requesting access (SSC in most locations) will complete this Template that specifies
requested permission changes based on job functions, obtain RSC Deputy or RSC Director review/approval, and
then submit to the RPC Hep Desk with the RPC Deputy Director copied. RPC Deputy Director approvals are not
required for account changes sent to RPC Help Desk provided RSC is requesting permissions that align with the

13
agreed upon permissions for the specific job title and the RSC staff submitting request includes proof of the RSC
Deputy or Director’s approval.

Interpreters, translators, and other assistants, including contract workers or volunteer refugee assistants, hired or
contracted by an RSC, may be given access to information in applicant or SIV or for Afghan Parolee records to the
extent necessary to permit them to perform their duties, as determined by the RSC Director or Deputy. This also
applies to interpreters, translators, and other assistants supplied by other governments in accordance with
arrangements made between the United States and the other government. They may not be given electronic
access to START unless specifically authorized by the PRM/A Overseas Section Chief and RPC Deputy Director.

2.2.0.2 Other U.S. Government Employees and Contractors
An employee or contractor of the U.S. government not authorized unrestricted access may be given information
needed to perform a specific job function if PRM determines they have a demonstrated need to know, subject to
such terms and conditions as PRM may specify to ensure that the employee has access only to such information as
they need to know to perform the job. If the RSC is unsure of the U.S. government employee’s need to know or job
function and/or why the information is needed, the RSC should contact the RefCoord and/or Program Officer for
further clarification and/or permission to release the information.

2.2.0.3 International Organization for Migration (IOM)
RSCs may release information from the record of an applicant or SIV to an authorized IOM representative to the
extent necessary to allow IOM to carry out medical examinations, make travel arrangements for the applicant or
SIV, or complete other processing tasks requested by the U.S. government under the MOU between PRM and IOM.
If panel physicians are used in lieu of IOM medical staff, the same principles apply. Information may be released
only to the extent necessary to carry out the medical examination and facilitate any other related processing
requirements.

RSCs are permitted to communicate with IOM Migration Health Division (MHD), IOM Operations (Ops), and Panel
Physicians regarding refugee applicants or SIV holders and information in the course of routine USRAP processing
and on a need-to-know basis. Requests for information from IOM MHD, Ops, or Panel Physicians, or other entities,
which fall outside normal USRAP processing steps should be reported to the RefCoord, even if they do not
specifically violate USRAP data sharing and communication requirements as set forth in Section 3.0.

2.2.0.4 Resettlement Agencies (RAs) Participating in the PRM-Funded
Reception and Placement (R&P) Program in the United States
The guidelines in this section apply to information that RSCs may share with RAs in the United States and their
affiliate offices.

2.2.0.4.1 Information on all USRAP Cases
RSC management and employees are permitted to communicate with RA representatives and affiliates regarding
refugee or SIV holder applicants and information in the course of routine USRAP processing and on a need-to-
know basis.

Prior to allocation, RSCs may provide to RAs whether an individual has been included as the U.S. Tie (UST) on
a case or whether a group of cases has been linked via travel case group to one another.
Once cases have been interviewed by USCIS, however, the RSC should advise the U.S. points of contact and
RAs that the RSC may not provide any further information on the case, including case status, without a
written third party authorization from the refugee applicant unless the applicant is a part of one of the P-2,
P-3, or FTJ-R categories below.

14
 Post-allocation, RSCs should provide information and updates to RAs per normal USRAP processing steps.
RSCs are authorized to provide case updates and information to RAs that have assured a case even if
assurance should expire.
If a case is assured to one RA, that assurance expires, and then the case is assured to a second RA, the first
RA may receive case updates/information up until the point that the case is assured to the second RA.
Therefore, the initial RA would no longer have the right to case updates/information after the case is
assured to the other RA.

Requests for information from RA headquarters/affiliates which fall outside normal USRAP processing steps, or if
the RA or affiliate’s need for the information is unclear, should be reported to the RefCoord, even if they do not
specifically violate USRAP guidelines.

RSCs are permitted to correspond with, provide updates to, and request further information from U.S. Ties, or RAs
on behalf of U.S. Ties, that are petitioning for cases in the below categories at any stage in processing without the
U.S. Tie having signed a Third Party Authorization Form. The RSC is also permitted to provide case status updates
to RAs for cases in the below categories at any stage in the processing even if the RA is requesting this information
from the RSC independent of the petitioner, as long as the RA filed the petition on that case. All correspondence of
applicant records and data should follow encryption standards.

P-2 Lautenberg Specter applicants in Iran or Austria
P-2 Lautenberg applicants from the Former Soviet Union (FSU) countries
P-2 I-130 Iraqi and Syrian applicants
P-2 Central American Minors (CAM)
All P-3 categories
Follow-to-Join Refugees (FTJ-R)

The RA/affiliate may be given updates for applicants in the above categories regardless of whether a U.S point of
contact/petitioner is requesting the update through the RA/affiliate or the RA/affiliate is requesting the update
independently.

Resettlement agencies and affiliates may receive further information and case status updates on all cases when
the case is allocated to or assured by the RA without a specific third party authorization.

2.2.0.4.2 Information Sharing during Allocation/Assurance
During the allocation process, after USCIS has approved an applicant’s admission to the United States either
conditionally or finally or if otherwise instructed by PRM/A, the RSC or the Refugee Processing Center (RPC) may
release to the RA to which the case has been allocated, for refugees or SIV holders, the following: the applicant’s
name, age, family relationships, place of birth, alien number, citizenships, aliases, ethnicity, religion, nationality,
country of asylum, UNHCR submission category, general health condition, languages, English language ability, U.S.
Tie information, Case Group information (Resettlement, Travel), dates of commencement and completion of CO
training, projected date of departure for the United States, and other biographical and personal data concerning
the applicant’s special resettlement and placement needs to ensure the refugee applicants or SIV holders can be
received appropriately on arrival in the United States. This can also include case status information. Such
information may also include information on medical conditions so the RA may plan for special medical
interventions upon arrival. The RSC and RPC should not share any further information with the RA, other than the
information listed above, without consultation and concurrence with PRM.

Following assurance, RSCs may respond to inquiries from the RA in the United States which has assured the case to
respond to case status inquiries and facilitate processing of the case.

15
 2.2.1 Disclosure of Limited Information to Non-RSC Interlocutors
RSCs have the responsibility to abide by PRM data sharing, communications, and privacy guidelines and policies in
all communications, both internal and external, as set forth in Section 3.0. In the event the RSC receives
communications from an outside source which does not abide by, or violates those guidelines and policies, they
should ensure any/all responses still maintain all applicable communications and privacy guidelines and policies. If
the RSC finds one or more of its employees has intentionally and/or maliciously violated these guidelines and
policies, take the appropriate disciplinary action and report the issue to the RefCoord immediately.

Specific attention should be paid to the restrictions regarding refugee applicant communications in this document.
Requests for information from refugee applicants which fall outside normal USRAP processing steps should be
reported to the RefCoord, even if they do not specifically violate USRAP guidelines.

Beyond RSC employees, contractors, and USRAP partners listed in Sections 2.1 and 2.2.1, the following groups and
individuals may be given the right to receive certain USRAP data to perform a processing function and/or in
response to an inquiry. Further information and details on permissions for these groups can be found below.

1. Applicants, their family members, or other affiliated third parties
2. Attorneys or Accredited Representatives
3. United Nations High Commissioner for Refugees (UNHCR)
4. Heads of RSC Parent Organizations and their Designees
5. Foreign Government Authorities
6. The International Committee of the Red Cross or the American Red Cross (ICRC)
7. Mental Health and Other Counseling Organizations
8. Members of Congress
9. U.S. Government Law Enforcement Entities
10. Non-USRAP Non-Governmental Organizations (NGOs)
11. Media
12. Research

2.2.1.1 Applicants, Family Members, or other Third Parties
RSC employees cannot reveal information regarding the processing status of the refugee application except as
provided herein: A refugee applicant, Follow-to-Join Refugee (FTJ-R), or SIV applicant may make an inquiry to the
RSC concerning the status of their case and receive case consultation upon verification of identity. FTJ-R applicants
may inquire to an RSC regarding their case under the same guidelines as other USRAP applicants. The RSC may
respond to an FTJ-R inquiry if the RSC is processing the FTJ-R case. If the FTJ-R case is processed by a U.S. Embassy
or Consulate, the RSC should refer the inquiry to the Consular Section of the relevant U.S. mission. The RSC should
not confirm nor deny the status of the case. Note: RSC employees may share an applicant’s own alien number with
the applicant, or their designated attorney with a signed G-28, so long as it is shared using the approved methods
of transmitting SPII within this document.

2.2.1.1.1 Applicants with a Shared Email Address
For applicants who share an email address with other, separate individuals not included in the applicant’s case
and/or included in a separate refugee application, the RSC should make a good faith attempt to establish the
identity of the respondent before providing a case status update. The RSC should strongly encourage all refugee
applicants to establish separate email addresses not accessible to third parties or extended family. Applicants who
share an email address are required to acknowledge the sharing of personal information. The RSC can document
this acknowledgment of responsibility in the Contact Log. in the PA’s Comments tab using the Notes to USCIS
category using the following language:

16
“I take full responsibility for protecting the privacy of my email communications. I request that the RSC continue to
send my confidential case information to [email protected], although other people may have access to this email
account.” See the General Case Processing Guide for additional details on how to record that information.

2.2.1.1.2 Third Party Communication and Authorization
An applicant may elect to sign an authorization for another individual (non-case member) to receive a case status
update on their case. RSC should print the Third Party Authorization Form on standard RSC letterhead. In the
absence of a Third Party Authorization Form, responses to inquiries or information sharing from an applicant’s
friends, acquaintances, relatives, or others must be limited to general descriptive material about the USRAP or a
description of program procedures that might be of assistance to the inquirer, and should not confirm or deny that
an applicant is in the USRAP pipeline.

If the third party has a signed Third Party Authorization Form from the refugee applicant allowing information to
be shared with certain family member(s), or with friends in the case of the P-2 Lautenberg Specter program,
uploaded into START, the RSC may provide those individuals with general case status information. If the form is
received in person, then the RSC staff member should sign the RSC Staff Signature section. Case status information
can be reported as listed in the RSC Inquiry Response Template, and/or statuses approved by the RefCoord or
Program Officer.

Inquiries for other information, apart from what is authorized under Section 1.1.1, regarding specific refugee cases
may not be provided to third parties, even if the individual has a signed Third Party Authorization Form. For
example, the RSC is not permitted to provide copies of documents to an authorized third party. An authorized third
party is not permitted to accompany a refugee applicant to RSC intake or PreScreen appointments or engage in
other types of involvement in refugee processing, except as described below on Applicants with Impediments.

If the Third Party Authorization Form is received electronically, upload the email cover sheet in addition to the
Form in START. The RSC is not required to print the Third Party Authorization Form, if received electronically.
Additionally, the RSC Staff Signature section may remain blank if the form is received electronically.

If the person with the third party authorization is not related to the applicant (e.g., non-family, non-U.S. Tie), the
RSC should ask the applicant for an explanation of who the person on the authorization is, and why that person
should be able to receive the authorization. The RSC should counsel the applicant on the significance/meaning of
Third Party Authorization. Following that discussion, the RSC supervisor should sign the third party authorization,
in addition to the applicant. The RSC supervisor signature is a measure to ensure applicants fully understand that
they are providing their case information to a third party, as well as a fraud check for RSC employees. If the form is
received electronically, the RSC supervisor must review the form, but is not required to sign the form. Upload the
form in START, as well as the email from the RSC supervisor confirming they reviewed the request.

2.2.1.1.3 Documents from Third Parties
The RSC is permitted to receive documents from authorized third parties, including attorneys, who are writing on
behalf of the refugee applicant. The RSC is also permitted to confirm receipt of the documents and/or engage in
simple communication regarding document submission and retrieval.

If the RSC receives documents that have relevance to a case (e.g., poison pen letters, unexpected custody
documents, etc.) from an unauthorized third party, the RSC should upload the documents to START and notify
PRM and the USCIS Desk Officer in START. If the unauthorized third party is simply providing information regarding
a case, RSC or PRM personnel may forward the information about the case provided by the inquirer to the
appropriate processing entity if doing so may help facilitate the processing of the case.

17
 2.2.1.1.4 Applicants with Impediments
An authorized third party is permitted to accompany a refugee with an impediment, such as age, illness, or
disability that prevents an applicant from communicating (speaking, understanding, asking) independently, to RSC
intake, prescreen, USCIS interview, and other processing activities. During the first appointment, the third party
should complete a Third Party Authorization Form and RSC staff should note the disability that prevents the
applicant from communicating independently. Third party authorization forms are not required for refugee
applicants in the same case as the applicant with the disability. Forms are required for any third party individual
not in the same case.

If an applicant has a serious impediment, minimal case status information may be provided to a third party if the
applicant has signed an authorization indicating which individual(s) have permission to receive the information. If
the applicant is not capable of signing due to disability or illiteracy, an adult who is included on the applicant’s
application for admission or in a Case Group with the case may sign the authorization on behalf of the applicant.

In the case of child applicants under the age of 14, or unable to sign due to illiteracy, an adult guardian or relative
may sign on behalf of the child. The adult must annotate on the Third Party Authorization Form their relationship,
and why the applicant is not able to sign for themselves. RSC staff (or Consular officers for FTJ-R and SIV cases
processed at a U.S. Embassy or Consulate) should exercise common sense and caution in responding to such
inquiries and should only provide the minimum information necessary to respond to the inquiry, and only with the
signed authorization of the applicant.

2.2.1.1.5 Other Case Members
The RSC is permitted to share the reasons for administrative case closure with an applicant or any case member if
the case closure was made by PRM (e.g., petitioner could not demonstrate qualifying employment, petitioner is
deceased). Similarly, adult children who marry and thus lose access to the qualifying family relationship can also be
counseled as to the reasons for the case closure. In cases where a case is administratively closed for security
reasons, the RSC can provide only the case closure language provided to the principal applicant at the time of
closure. All personnel working for USRAP partners, including RSC and PRM staff, are expressly forbidden from
providing security information directly to applicants or any third parties.

The RSC is permitted to share only the outcome, but not additional details, of the USCIS decision with an applicant
or any case member. This is limited to information that a case is processing/moving forward to another processing
step or has been denied if (and only if) the denial letter has been transmitted.

For more information on sharing documents and case status information with applicants, family members, or
other affiliated third parties, see Section 3.1.4 on communication with applicants.

2.2.1.2 Attorneys or Accredited Representatives
Written (including e-mail) inquiries to an RSC for case status information from attorneys or accredited
representatives1 may be answered with the requested information, if the request is accompanied or preceded by a
properly completed and signed G-28 or G-28I Form, which is issued by DHS. (This form is in lieu of the Third Party
Authorization Form, for third parties who are not attorneys or legal representatives.) G-28/G-28I Forms are
available at https://www.uscis.gov/g-28 and https://www.uscis.gov/g-28i. Other information regarding specific

1A person who is approved by the Board of Immigration Appeals (the Board, or BIA) to represent aliens before the Immigration
Courts, the BIA and U.S. Citizenship and Immigration Services. They must work for a specific nonprofit, religious, charitable,
social service, or similar organization. The organization must be authorized by the Board to represent aliens.

18
refugee cases beyond their case status may not be provided. RSC should treat attorneys and representatives the
same as any other third party with a signed waiver on file.

For example, an authorized attorney may not inquire as to the reason a refugee applicant has been deemed
ineligible for P-2 access. The information that can be provided to an authorized third party is limited to case status
information detailed in Section 1.1.1. Further, except in the case of Iraqi refugee applicants seeking admission
through certain P-2 categories,2 an authorized third party (including an attorney) is not permitted to accompany a
refugee applicant to RSC intake and PreScreen interviews or engage in other forms of involvement in refugee
processing.

The G-28 or G-28I Form must include complete information, including signature from the refugee applicant or
petitioner, as well as complete information, including signature from the relevant third party. RSCs should ensure
that the applicant’s signature on the form is verified against his/her signature on file, if available. RSCs may accept
a G-28 or G-28I form signed by the petitioner in FTJ-R cases or the US Tie in P-3 Family Reunification, as RSCs are
already authorized to share case status information for these categories of individuals in these specific case types.
In all other case types, the RSC may only accept G-28 or G-28I forms from the refugee applicant. Responses to case
status inquiries may only be sent to the physical address or email address provided in the original G-28 or G-28I
Form. If an attorney or accredited representative provides on the G-28 or G-28I Form a general email address that
is accessible by other individuals (i.e., [email protected]), the RSC should request a private email address for
the attorney or accredited representative and should only use that private email address for electronic
communication. Case status information in response to telephonic requests from third parties may not be
provided.

There is not a defined validity period for the G-28 or G-28I.

2.2.1.3 United Nations High Commissioner for Refugees (UNHCR)
RSCs may release individual case information to an authorized representative of UNHCR to the extent necessary to
facilitate the processing of the case. The RSC is authorized to provide feedback to UNHCR on its resettlement
referral processes, provide information to allow UNHCR to respond to deferred refugee referrals, and provide case
status updates on an individual case for the purpose of resettlement processing and refugee protection. RSCs may
not provide UNHCR with more information about the status of an applicant’s security checks than the RSC would
normally provide to the applicant (see Section 3.1.5.3 for more information). Instead, RSCs may give UNHCR a
general description of the security check process that all refugees undergo. RSC management and employees are
permitted to communicate with UNHCR regarding refugee case applicants and information in the course of routine
USRAP processing and on a need to know basis. Requests for information from UNHCR that fall outside normal
USRAP processing steps should be reported to the RefCoord, even if they do not specifically violate USRAP data
sharing and communication requirements as set forth in Section 3.0.

2.2.1.4 Heads of RSC Parent Organizations and their Designees
The immediate supervising official(s) of the RSC Director for the organization which runs the RSC are permitted to
have access to physical applicant files only for the purpose of monitoring and evaluating the performance of RSC
staff and leadership. Other employees and leadership of the organization which runs the RSC, but who are
employed outside the RSC, are not authorized to access applicant records in any form without explicit prior written
permission from PRM/A. Electronic access to refugee information by the RSC parent organization is not permitted
without explicit prior written permission from PRM/A. Individuals from the RSC parent organization with electronic

2 The National Defense Authorization Act of 2014 includes provisions authorizing Iraqi refugee applicants seeking P-2 access
pursuant to the Refugee Crisis in Iraq Act to be represented by attorneys or accredited representatives. during the refugee
application process, including relevant interviews and examinations. Iraqi P-2 I-130 applicants are not covered by this provision.

19
access to refugee information should acknowledge in writing that they have read and understood this Integrity &
Compliance module of the USRAP Overseas Processing Manual. The RSC should send any requests for access to the
RefCoord and Program Officer.

RSC management and employees are not permitted to communicate with RSC headquarters representatives
regarding refugee case applicants and information, where this is not part of routine USRAP processing and where
there is no clear need to know, unless previously approved by PRM/A. Requests for information from RSC
headquarters which fall outside normal USRAP processing steps should always be reported to the RefCoord, even if
they do not specifically violate USRAP data sharing and communication requirements as set forth in Section 3.0.

Further questions on access by the parent organization of the RSC should be directed to the RefCoord and Program
Officer.

2.2.1.5 Foreign Government Authorities
RSCs may release to foreign government authorities only such information in applicant records as necessary to
facilitate movement of applicants and SIV holders (e.g., to obtain exit permits). RSCs should generally limit this
information to the names, ages, family relationships, medical condition (when relevant), dates of arrival and
departure, transportation arrangements, and similar information concerning the applicants involved. When
permitted by formal written arrangements between the United States and other governments and/or necessary to
finalize departure permission, the RSC may release additional case information to those governments after
requesting and receiving prior written approval from PRM/A.

Requests for information from foreign governments which fall outside normal USRAP processing steps should be
reported to the RefCoord. The RSC should use discretion to determine if a request falls outside normal USRAP
processing and consult with the RefCoord if it does.

2.2.1.6 The International Committee of the Red Cross or the American Red
Cross (ICRC)
RSCs and the RPC may reveal information in an applicant’s record to the International Committee of the Red Cross
(ICRC) or the American Red Cross to the extent necessary to assist with international tracing efforts for the
purpose of family reunification, if the applicant has signed an authorization specifically for this purpose. Consult
the RefCoord for information-sharing requests to facilitate an ICRC Travel Document.

RSC management and employees are permitted to communicate with ICRC regarding refugee case applicants and
information where such communication is part of routine USRAP processing and on a need-to-know basis.
Requests for information from ICRC which fall outside normal USRAP processing steps should be reported to the
RefCoord, even if they do not specifically violate USRAP guidelines.

2.2.1.7 Mental Health and Other Counseling Organizations
Information from applicant records may be released to government or private mental health counseling
organizations or entities as needed to the extent necessary if the applicant poses a temporary danger to
themselves or others. In addition, information from applicant records may be released to these mental health
counseling organizations, in consultation with PRM/A, to the extent necessary to permit them to assist in making
recommendations on the suitability (or continued suitability) of placements for children under parental
supervision. The RSC should use discretion to determine if a request falls outside normal USRAP processing and
consult with the RefCoord if it does.

20
 2.2.1.8 Members of U.S. Congress
RSC management and employees are permitted to communicate with Members of the U.S. Congress and
Congressional staff regarding specific refugee case applicants and information pertinent to that Member’s district.
RSCs should always include the RefCoord, Program Officer, and PRM Congressional Liaison on communications
with Members of Congress.

Written inquiries (including e-mail) for case status information or other case-specific refugee information from
Members of Congress or their staff that do not specifically relate to adjudication decisions by DHS should be
answered with only the information necessary to answer the inquiry. Members of Congress or their staff should
not pass such information to persons outside of Congress, except to the refugee themselves or to an individual the
refugee has authorized to receive such information by signing Form G-28, G-28I, or a third party authorization
form. Information in response to telephonic requests from Members of Congress or their staff may not be
provided. No copies of documents or other items from a case file may be provided. Information provided on
USRAP refugee resettlement cases and FTJ-R cases must include the reminder:

“The following information is provided in response to the inquiry, however, due to the need to protect privacy, the
information is provided for the sole purpose of responding to the inquiry and should not be publicly disclosed except
to inform your constituent about this case.”

For SIV inquiries only, the following language should be used:

“Information provided must include a reminder that, pursuant to Section 222(f) of the INA (8 U.S.C. 1202(f)), such
information:

1. is to be treated as confidential,
2. is being provided to them solely for purposes related to “the formulation, amendment, administration, or
enforcement of the immigration, nationality, and other laws of the United States,”
3. should not be shared with other Members of Congress or their staffs except as specifically needed for the
aforementioned purposes, and
4. should not be released to the public.”

If the Congressional letter requests that a response be sent directly to a constituent or other third party, the
requested information will be provided to the Member of Congress or staff member with an explanation that in
accordance with law and policies governing the privacy or confidentiality of Department of State refugee
processing records, the Department cannot provide case status information or other case-specific refugee
information directly to the constituent, unless the constituent is the refugee applicant themselves or an authorized
third party. In either of the latter cases, the applicant or authorized third party would be able to obtain case status
information by inquiring directly to PRM/A or the RSC handling the case. See Section 2.2.2.8 for additional details
on responding to Congressional letters.

2.2.1.9 U.S. Government Law Enforcement Entities
Written inquiries (including e-mail) for case status information or other case-specific refugee information from U.S.
government law enforcement entities that do not specifically relate to adjudication decisions by DHS, will generally
be answered by PRM with the requested information when such law enforcement entities can demonstrate a
specific need to know. Questions on such inquiries, as well as any inquiries from U.S. state and U.S. local law
enforcement agencies, should be referred to PRM/A for response.

Information in response to telephonic requests from U.S. government law enforcement entities may not be
provided. Responses must be coordinated with and sent from PRM/A in Washington, with involvement of the
Department of State’s Office of the Legal Adviser. RSCs may not respond to any such law enforcement inquiries

21
from U.S. federal, state, or local agencies, directly. RSC should forward the request to their RefCoord and Program
Officer.

2.2.1.10 Non-USRAP Non-Governmental Organizations (NGOs)
RSC management and employees are not permitted to communicate with non-USRAP NGOs regarding refugee
case applicants and information, unless previously approved in writing, by the RefCoord and/or Program Officer.
Only NGOs authorized by PRM to provide refugee resettlement referrals into the USRAP are permitted to
communicate with RSCs regarding specific refugee case applicants and information where this is part of routine
USRAP processing and on a need-to-know basis. Requests for information from NGOs which fall outside normal
USRAP processing steps should always be reported to the RefCoord, even if they do not specifically violate USRAP
guidelines. In instances where an NGO is assisting the applicant, a Third Party Authorization Form must be on file
for the specific NGO staff member assisting the applicant (see Section 2.2.2.1.2.).

2.2.1.11 Media
RSCs are not permitted to speak with the media concerning any aspect of the USRAP without prior Program Officer
approval. RSCs must relay and discuss any media inquiries with PRM/A, and follow any guidance provided by
PRM/A.

For media inquiries about specific refugee applicants, RSCs are not permitted to provide any refugee data to any
media organization in response. RSCs are also forbidden from assisting members of the media in finding individual
refugee applicants of any specific population or group, however defined. They are only permitted to pass on
inquiries for a specific, named refugee applicant to the refugee applicant and note that they may engage with the
media independently if they wish, but the RSC should have no further role in that communication. The RSC is not
allowed to speak to the media on behalf of the refugee. Once the message has been delivered to a refugee
applicant, RSCs are permitted only to tell members of the media inquiring on a refugee case that their message has
been passed. PRM/A should be notified but does not need to approve of passing messages from the media to
refugee(s).

2.2.1.12 Research
PRM understands that sharing refugee records, data, and information with research partners may further the
interests of developing better refugee resettlement programs. Accordingly, refugee records, data, and information
may be shared with research partners only with prior approval from PRM and on a case-by-case basis, in
accordance with these guidelines.

General Principles Governing the Sharing of Refugee Records, Data, and Information for Research Purposes

1. The sharing of government records, data, and information on refugees for research purposes is not an
activity provided for in PRM’s cooperative agreements with RSCs or its MOU with IOM, nor is it otherwise
performed in the ordinary course of business. Therefore, refugee data originating from START may not be
shared with research partners without the prior written consent of the Department of State.
2. PRM owns all data maintained in START, except for information and records in START originating from and
owned by another U.S. government agency, such as DHS. Ownership of this data cannot be changed
through de-identification of START data or transfer of the data into another database. Any MOU or data
use agreement that an RSC or IOM enters into with a research partner must accurately reflect PRM’s
ownership of START data.
3. The Department of State has the sole authority to publish research based on refugee records, data, and
information gathered before a refugee’s admission to the United States. RSCs and USRAP-affiliated IOM
staff are not permitted to share refugee records, data, or information collected before a refugee’s
admission with research partners for the purpose of publication, as publication by an RSC, IOM, or research

22
 partner does not relate to the “formulation, amendment, administration, or enforcement” of the laws of
the United States.
4. Refugee records, data, and information collected by PRM, an RSC, IOM, or another implementing partner
after a refugee’s admission to the United States are still subject to the confidentiality provisions of PRM’s
cooperative agreements and MOU with RSCs, and IOM.
5. RSCs, USRAP-affiliated IOM staff, and their research partners may publish aggregated statistical summaries
describing the effectiveness of program innovations that are based on data collected after a refugee’s
admission to the United States, as long as these reports only disclose START data that is publicly available,
or data that was explicitly approved in writing by PRM for such use, and does not allow individual refugees
and their resettlement locations to be identified.

Process for Sharing Refugee Records, Data, and Information for Research Purposes

PRM recognizes that RSCs, and IOM have a strong interest in partnering with researchers in order to improve their
methods of implementing and evaluating the USRAP. For researchers seeking general information, it is permitted
to share public websites and/or resources, such as Settleinus.org or PRM’s website. Before sharing any non-public
refugee records, data, or information with a research partner, RSCs and USRAP-affiliated IOM staff must follow this
process:

6. RSCs and IOM must submit a data sharing proposal to PRM and obtain PRM’s written approval on a case-
by-case basis before sharing START data with another person or entity for research purposes. Data sharing
proposals must include the following information:

Description of the type and scope of START data to be shared.
Name of the intended research partner.
Explanation of how the sharing of START data will further the implementation of the USRAP.
Draft of the data use agreement to be signed by the intended research partner.

7. PRM will review the data sharing proposal in consultation with the Department of State’s Office of the
Legal Adviser to verify whether the proposal is consistent with the Department’s privacy policies and
guidelines and will issue a written response approving, denying, or requesting modifications to the data
sharing proposal. PRM will strive to provide a written response within 30 days of receiving the data sharing
proposal.
8. Upon receiving written approval from PRM to proceed with a data sharing proposal, the RSC, or IOM must
sign a data use agreement and non-disclosure agreement with the intended research partner that
specifically prohibits any disclosure of individual level data and directs the research partner to destroy all
shared data after completing the approved project.
9. The RSC, or IOM must send PRM by email a scanned copy of the data use agreement signed with the
research partner within 5 business days of the date of signing.
10. Upon following the steps described above, the RSC, or IOM may securely share an appropriately de-
identified dataset with research partners. To appropriately de-identify data, PRM requires the removal of
personally identifiable information (PII), including names, dates of birth, addresses, contact information,
personal health and medical information, biometric records, full-face photographic images, alien numbers,
social security numbers, and other identification numbers. The data must be hosted on a secure server that
is approved to handle sensitive data, and any refugee records, data, or information shared via e-mail must
be encrypted.

3.0 Data Sharing and Communication in the USRAP
The governing principle of these guidelines is that information about applicants and approved refugees can
generally be disclosed only as specifically necessary to process the individual’s application or Special Immigrant
23
Visa for admission to the United States. The disclosure of information should contain the least amount of PII
possible to complete official duties.

RSCs must record in the Contact Log in START any interaction with an applicant or individual for whom the PA has
signed a Third Party Authorization Form. RSC should record contact with unauthorized individuals who tried to
seek information about the applicant from the RSC as well. Such interactions must be conducted using RSC phone
and/or email addresses. The RSC does not need to enter routine contacts for processing steps (e.g., the PreScreen
interview, routine transactions with UNHCR, or regular scheduling with IOM Ops and MHD for the purposes of
processing cases) in the Contact Log. RSCs should avoid attaching emails between the RSC and RPC or the RSC and
PRM to cases as much as possible and instead copy and paste emails into the Contact Log to document (unless the
email contains an attachment or image).

The record in START of any authorized disclosure must include the date, nature, purpose of the disclosure, written
authorization from PRM if applicable, and the name and address of the person or agency to whom the disclosure
was made. Best practice includes attaching the correspondence with third parties in START as well.

All USRAP communications should provide efficient and responsive information to the U.S. Government, USRAP
processing partners overseas, domestic resettlement partners, and applicants, while protecting data and
information under all applicable privacy laws and regulations.

Communications in any form should be professional and clear. It is expressly forbidden to be rude, demeaning,
degrading, harassing, threatening, discriminatory, overly familiar, or send inappropriate materials in conjunction
with any USRAP communications.

The guidelines below do not cover every possible scenario for communications regarding a USRAP case. When in
doubt, RSCs and other USRAP partners should contact their Program Officer for further guidance.

3.1 Receiving, Sending, and Disclosing Applicant Data

3.1.0 Tableau Reports and START Filters
Access to Tableau and individual reports within Tableau should be limited to RSC management, staff who are
responsible for RSC reporting, and staff who have a case processing need. The RPC and RSC reporting staff are
responsible for monitoring the data provided in reports as well as access to use of reports and Tableau.

Data provided must be on a need-to-know basis to perform a case processing function. PII must be limited to the
greatest extent possible. Reports created in Tableau must be reviewed yearly to ensure that PII is included on a
need-to-know basis only, is a must-have in the report, and is overall limited to the greatest extent possible. The
review must also ensure that data in reports is not excessive and is appropriate for user permissions. Results of
yearly review should be submitted to the RPC Reporting Team for auditing.

Sharing of Tableau reports is permitted within the guidelines set forth in this document. Follow guidelines in
Section 2.0 on sharing records and this section on protecting data when sharing reports. Common Data Models
(CDMs) are the sets of data provided to the RSCs for reporting in Tableau that act as a ‘Data Source’ for Tableau.
The CDM defines the model for the data that will be included in the data source. In an effort to protect applicant
PII within CDM data sets, the RPC is restricting the exposure of CDM fields containing PII. Fields with PII will only be
exposed to RSCs if the RSC has a valid business need for access to the field and if the RSC does not have another
feasible workaround. RSCs should request for certain CDM fields to be exposed by submitting with a justification of
the business need. Approval to add the field is provided by PRM. Use of the fields provided will be reviewed in
detail during report reviews.

24
RSCs must provide a business case with a justification for each report created in Tableau and with justification for
any PII included in Tableau reports.

START users currently have the ability to export START filtered lists as a reporting feature; however, this capability
should not be used without authorization from the RPC. START filtered lists should not be exported even though
the functionality exists. In general, if system data needs to be viewed or shared outside of the START system, it
should be managed through Tableau reports. Tableau reports have gone through an extensive approval process,
and by limiting report creation to Tableau, the USRAP program can enforce its commitment to data integrity and
reduce the distribution of PII outside of the system when it is not necessary. If staff have a justified business need
to export data that cannot be met through Tableau reports but can be met by exporting START filtered lists, an
exception may be pursued by submitting a request to the RPC Help Desk for approval.

In order to enforce the prohibited use of exporting START filtered lists, RSC Compliance/IT or similar staff must
conduct monitoring/spot checks on staff computers and emails to ensure that START filters containing applicant PII
have not been downloaded/ circulated unless explicitly authorized.

3.1.1 FileCloud
Files containing PII that are uploaded to FileCloud must only be accessed and used by staff who have a case
processing need or need to know.

3.1.2 Email/Written Communication
The use of personal email is strictly prohibited for receiving, sending, and disclosing applicant data. Additionally, it
is prohibited to forward or enable all messages to be automatically forwarded to an address outside of START or
RSC systems.

Taking screenshots or photographs of PII or sensitive data is strictly prohibited. However, RSC personnel may share
their screen internally within the course of regular duties (such as training or management monitoring of pre-
screenings), so long as they are doing so through an authorized video-chat application, and employing the VPN.
RSCs may also screenshare or provide screenshots of the START UAT environment (which does not contain real PII
or SPII) for training or related purposes.

Should any staff find evidence that any RSC staff has photographed or taken unauthorized screenshots of data and
transmitted those images to personal email or devices, the RSC must notify the RSC Director or Deputy
immediately for review. RSC Compliance/IT or similar staff should conduct random monitoring/spot checks of user
devices and email accounts to identify if data has been exported (from START), photographed, screenshot and
forwarded to personal email or devices. Use organizational specific email addresses when interacting with external
partners or applicants regarding case information. Whenever possible, group email boxes should be used for
communications on USRAP cases. You must include your name on every email unless the anonymity has been
approved by a supervisor. Per the RSC Style Guidelines, email signatures must include the RSC logo. Other
standards for email "signatures" may also apply. This provides oversight and history into what has been
communicated and protects RSC and USRAP partner staff from suspicion of malfeasance.

Use approved email templates, where available, when corresponding with external partners or applicants. Emails
and letters should clearly identify the sender, the recipient, and the purpose of the communication. Use proper
care to verify that email recipient addresses are accurate, in order to avoid sending sensitive information to the
wrong sender. This is especially important for emails sent to non @wrapsnet.org, non @uscis.dhs.gov, and non
@state.gov email addresses or emails sent to many recipients.

Emails and written communications can be written in any language, but RSCs should always include accurate and
complete English translations in addition to the original language for any official USRAP communications that are

25
scanned into START. For internal RSC emails, an English translation is not required, though RSCs should ensure they
have proper oversight over internal communications through their own regulations and management structure.

RSCs should ensure that emails are never harassing, threatening, or discriminatory. START or RSC systems cannot
be used to send commercial email, such as for auctions or home businesses. Mass mailings cannot be sent to large
numbers of people unless it is business related. The distribution of greeting cards, humorous pictures and videos,
or political messages. Is prohibited. Emails supporting terror, pornography, gambling, weapons, or illegal drugs are
also prohibited.

When corresponding with USRAP partners and authorized third parties, PII and SPII should never be included in the
email subject. Sensitive PII (SPII) should only be included in the body of the email if the email is encrypted using an
email software encryption feature. SPII should otherwise be attached to the email with encryption (see Section
3.2). If SPII was included in the original message, insert “XXXX” in place of the SPII when responding. Per Section
3.2, notify RSC Director/Deputy when partners commit such breaches.

When corresponding with applicants, it may not be practical or feasible to send SPII as an encrypted file
attachment. Therefore, the RSC should strive to minimize the use of PII in the email (e.g. ‘Dear Applicant,’). If the
RSC is responding to an applicant who provided SPII in their email, the RSC should place an “XXXX” in place of the
SPII when responding. Although PII does not strictly require this type of redaction, all PII should be minimized
when sent via email, including to USRAP partners, applicants, and internal RSC colleagues.

RSCs can include non-PII in email/written communications, including:

Signatures with contact information
Notices regarding how, when, how-not-to communicate
Privacy regulations and warnings
Customary greetings
Customary signatures/end-of-letter salutations
General information regarding refugee resettlement processing

Case status updates, although not considered PII, should only be sent over official RSC email. RSCs should ensure
non-PII included in an email or written communication is standardized using the RSC Inquiry Response Template. If
it is included in one refugee case status update, it should be included in all refugee case status updates. Similarly,
information sent to USRAP partners should be standardized across different partners, as appropriate. These
guidelines also cover web-based communications through secure interfaces with applicants or other USRAP
partners.

See Section 3.0 for information on routine correspondence between RSC and other agencies.

3.1.2.1 Short Message Service (SMS) and Other Communication Platforms
RSCs may communicate the following to refugee applicants via SMS on an RSC-issued phone or via other RPC-
approved messaging services (i.e., web or phone applications, software, etc.) on RSC-issued devices:

anti-fraud warnings,
information on holidays and office closures,
general resettlement information,
links to additional online resources,
scheduling USRAP events, including appointment date, time, and location.

26
RSCs should not send case status updates to applicants via phone or other RPC-approved messaging services. Case
status updates, although not considered PII, should only be sent over official RSC email and should be standardized
using the RSC Inquiry Response Template.

Approved messaging services to use when communicating with applicants refer to those that have been explicitly
approved by the RPC Security team for use on RSC-issued devices (personal devices cannot be used). All requests
to use a messaging service to communicate with applicants must be forwarded to the RPC Security team for
approval prior to use. This policy guidance applies retroactively – if an RSC has been using a messaging service to
communicate with applicants that has not been approved by the RPC, the RSC must request approval from the RPC
in order to continue using it.

The following U.S.-based messaging services may be used for routine applicant communication. This list is
composed of standard messaging services – the use of any other service for applicant communication must be
requested and approved by the RPC per the above guidance. PII must not be discussed or shared over any of
these applications (except for those marked with an asterisk – see Section 3.1.4.1).

BOTIM (Algento)
BlueJeans (Verizon)
Google video and chat services (e.g. Duo, Hangouts, Voice)
iMessage (Apple)
Facebook Messenger
WhatsApp Messenger (Facebook)
WhatsApp Business (Facebook)*
Skype (Microsoft)
WebEx (Cisco)*
Zoom Video Communications*

Only apps that are intended to be used for communication with refugee applicants need to be approved by the
RPC. RSC users can download and use any app on their RSC issued phone as long as it is in line with any existing
RSC Management rules of behavior for phones and MDM is configured on the device per the Integrity and
Compliance module.

Bulk SMS communications that are sent to all applicants do not need to be updated in the START Contact Log.
However, case or applicant specific information sent via SMS must be updated in the case’s Contact Log.

Refugee PII or other sensitive data can only be communicated via RSC email except in extreme circumstances in
which an applicant does not have access to email. RSCs may accept (i.e. receive) PII from applicants over text or
other messaging service by exception – permission to receive PII documents or PII in text must be granted by the
RSC Director or Deputy Director after presenting a justification for why email, mail, or in person transmission is not
possible. The exception, including the rationale and approval, should be documented in the START Contact Log
along with the general message contents. Although receiving PII in extreme circumstances is permitted for certain
situations by exception, RSCs should never send PII or official case processing documents (e.g. denial letter) over
SMS or another communication platform other than an RSC email account.

RSCs should encourage applicants to set up a free email account, if possible, during data collection or PreScreen so
that documents can be transmitted over an official email channel. RSCs should keep a record of the email
addresses and inform applicants via an official email communication how future communication will occur. This
includes providing numbers and accounts that will be used. The official communication should include anti-fraud
messaging to prevent payment or applicant transmission of PII or other sensitive information through other
channels.

27
 3.1.3 Telephone/In-Person
RSCs should maintain management oversight over telephonic and in-person communications with USRAP partners
and refugee applicants.

Telephonic/in-person communications with refugee applicants should take place in RSC workspaces, using RPC-
approved messaging services on RSC equipment, and must be logged in the Contact Log within START as described
in USRAP Processing Guide 10: General Case Processing. For RSC workers conducting circuit rides, telephonic/in-
person communications with refugee applicants should only take place in designated RSC workspace areas. This
guidance also applies to individuals authorized to work from home—such individuals may communicate with
applicants using RPC-approved messaging/communication services (i.e., web or phone applications, software, etc.)
on an RSC-issued phone or while logged into START via an RSC-issued computer using a VPN.

Telephonic inquiries by refugee applicants,