USRAP Integrity & Compliance Guide PDF
Document Details
Uploaded by SharperRealism
2024
Nicole Patel
Tags
Summary
This document is a USRAP Integrity and Compliance Guide, effective April 26, 2024, and provides general program integrity requirements for the U.S. Refugee Admissions Program. It's intended for RSC use only.
Full Transcript
USRAP Integrity & Compliance Guide Effective: April 26, 2024 Version: v1.5 Approved By: Nicole Patel Summary: The USRAP Integrity & Compliance Guide provides general program integrity requirem...
USRAP Integrity & Compliance Guide Effective: April 26, 2024 Version: v1.5 Approved By: Nicole Patel Summary: The USRAP Integrity & Compliance Guide provides general program integrity requirements for the U.S. Refugee Admissions Program (USRAP), in compliance with Department of State Bureau of Population, Refugees, and Migration (DOS/PRM) and Refugee Processing Center (RPC) policies. For general information about the USRAP, refer to the USRAP Policy Guide. For detailed processing guidance, refer to the USRAP Processing Guides in START Knowledge. The USRAP Integrity and Compliance Guide is for Resettlement Support Center (RSC) use only and is not for further or public distribution. Any information sharing is governed by specific limitations and requirements in the cooperative agreements, the Memorandum of Understanding with the International Organization for Migration (IOM), and this Guide. Do not share this guidance outside your organization without written approval by PRM. Report suspected instances of fraud to the PRM/A Fraud Prevention and Integrity Team, PRM Refugee Coordinator (RefCoord), USCIS Desk Officer, and Fraud Detection and National Security Directorate (FDNS/USCIS) immediately. Note: Red text indicates updated information. Topics: 1.0 Guidelines for the Treatment of Refugee Records 3 1.1 Terms Defined 4 1.2 Records Covered 5 1.3 Personally Identifiable Information (PII) 5 2.0 General Principles Governing Access to Records 11 2.1 Authorized Unrestricted Access 11 2.2 Authorized Limited Disclosures 13 3.0 Data Sharing and Communication in the USRAP 23 3.1 Receiving, Sending, and Disclosing Applicant Data 24 3.2 Protecting Data 31 3.3 Data Breaches 31 3.4 Handling of Records 32 4.0 Integrity and Compliance 39 4.1 Roles and Responsibilities 39 4.2 Guidelines for Staff, Interpreters, and Workspaces 40 Appendix A: START Rules of Behavior 52 Introduction 52 Terminology 52 General Rules 53 Appropriate Access 53 1 Email Usage 53 Inappropriate Websites 54 Passwords 54 Downloads and Software 54 Attaching or Connecting Devices 55 Copyrighted Material 55 Data Removal 55 Remote access 56 Training 56 Supplemental Rules for Privileged Users 56 Exceptions and Waivers 57 Continuation of this Agreement 57 Agreement and Consent 57 Appendix B: RSC Style Guidelines 58 Overall Policy 58 Clear Space 58 Scale 59 Guidelines for Staging Events and Programs 59 Frequently Asked Questions 59 2 1.0 Guidelines for the Treatment of Refugee Records Government records, including data and information on refugees, may not be used, disclosed, or disseminated, except in connection with the administration of the U.S. Refugee Admissions Program (USRAP) and only with the prior written consent of the Department of State. All sharing of individual information is subject to the Privacy Act, 5 U.S.C. §552a, privacy policies of the Department of State and, for Special Immigrant Visas (SIV), Section 222(f) of the Immigration and Nationality Act (INA), 8 U.S.C.§ 1202(f). In accordance with these laws and relevant implementing regulations, refugee records, information, and data originating from START may not be shared, disclosed, or disseminated without prior written consent of the Department of State, no matter whether those records, information, or data have been transferred into another database and/or de-identified. Refugee data originating from the PRM refugee case processing system – START – may not be used for research purposes without the prior written consent of the Department of State. The policies and regulations of other government agencies, including the Department of Health and Human Services (HHS) and Department of Homeland Security (DHS), do not replace or supersede the laws, regulations, and policies of the Department of State regarding restrictions on the sharing of refugee records, information, and data. The Bureau of Population, Refugees, and Migration (PRM) of the U.S. Department of State owns all data maintained in START except for information and records in START originating from and owned by another U.S. government agency, such as DHS. PRM has compiled the guidelines below for all Resettlement Support Centers (RSCs) that process applicants for refugee resettlement and SIV status in the United States with funding from PRM. Pursuant to the cooperative agreements or Memorandum of Understanding (MOU) under which the RSCs participate in the USRAP, all RSC employees must adhere to these guidelines. The guidelines are intended to ensure that records on applicants, and affiliated persons, including U.S. Ties, maintained by RSCs on behalf of PRM are treated in accordance with the requirements of U.S. law. These laws include the Freedom of Information Act (FOIA), 5 U.S.C. §552; the Privacy Act, 5 U.S.C. §552a; 5 FAM §469; and the Federal Records Management Statutes, 44 U.S.C. Chapters 21, 29, 31, and 33. In addition, SIVs are covered by Section 222(f) of the INA, as amended; this is in addition to the guidelines included below. RSC files and file rooms are covered by these guidelines as long as they contain USRAP files, even if they also contain resettlement files for other, non-U.S. destinations. These guidelines apply as soon as an RSC receives an application, whether or not the application is deemed complete and regardless of whether the applicant is eventually approved for admission to the United States as a refugee. The guidelines also apply to files opened on individuals who were eventually referred for resettlement in countries other than the United States. Should an RSC have a separate facility/file room/location for non-U.S. resettlement that does not include any USRAP files, that location is not covered by the guidance below. The guidelines in this document supplement the following published information: The Foreign Affairs Handbook (FAH), including 5 FAH-4, Records Management Handbook, 100 and 300, related to the management and disposition of State Department records. The Privacy Act Systems of Record Notice State-59, Refugee Case Records, published in the Federal Register on February 6, 2012. The U.S. Department of State Privacy Policy The Refugee Processing Center Privacy Impact Assessment The U.S. Department of State Records Schedule: Chapter B-12: Refugee and Migration, including B-12-001-05, approved by the National Archivist on August 28, 2008, under Records Disposition Authority N1-84-08-2; and 3 Chapter A-25: Population, Refugees, and Migration, including A-25- 003-03, approved May 30, 2008 under GRS20, Item 2 and N1-059-08-3. (Note: This chapter applies to PRM staff, not RSCs.) For SIVs, the Foreign Affairs Manual (FAM), including 9 FAM 203.5-3, Confidentiality in Refugee, Asylee, V92, and V93 Casework. RSC Inquiry Response Template Third Party Authorization Form RSC Style Guidelines Questions or concerns related to refugee records should be addressed to the Program Officer in PRM’s Office of Admissions (PRM/A). 1.1 Terms Defined 1. “Fraud” is defined by the State Department’s Office of Inspector General (OIG) as “a wrongful or criminal deception that unlawfully deprives the United States of something of value or secures from the United States a benefit, privilege, allowance, or consideration to which an individual is not entitled.” For the purposes of this document and the USRAP, this includes intentional deceit or misrepresentation by a USRAP partner, staff member, applicant, or other persons that is used to benefit oneself or someone else through the USRAP. 2. “Malfeasance” is any intentional conduct that is wrongful or unlawful, conducted by a USRAP partner staff member. 3. The term “applicant” includes individuals seeking admission under the USRAP, individuals referred to the USRAP by others for consideration, and individuals seeking special immigrant status who are eligible for travel and refugee benefits. 4. The terms “USRAP data,” “USRAP case management,” and “USRAP processing” include data, the database, physical files, case documents, and processing of applicants, as defined above, including SIV, Resettlement Agency (RA), and travel processing. 5. “Volunteer workers” includes all volunteer refugee assistants (e.g., incentive workers). 6. The terms “applicant records” and “refugee records” refer to stored information (both electronic and hard copy), including applications, supporting documentation, and correspondence related to individual applicants. 7. “Research partner” refers to any third party—including an individual, academic institution, or organization—that requests refugee records, data, or information for research purposes or that RSCs or the International Organization for Migration (IOM) engages with for the purpose of conducting research. 8. The “ordinary course of business” refers to RSC and IOM activities that are routine to fulfill the terms of a cooperative agreement or MOU with PRM. Privacy Act Notice Systems of Record Notice State-59, Refugee Case Records (“State-59”), covers records held overseas and electronic records in START. 9. In these guidelines, a “need to know” is defined as when access to the information is necessary for that party to conduct assigned duties related to the administration or implementation of the USRAP. 10. “Access” includes visual inspection of the records, oral or written disclosures of information from a record, or provision of copies of documents in a record. “Access” also includes bulk dissemination of multiple records through reports generated from START data. (Reports on refugee arrivals or other overview reports that do not include any personally identifiable information (PII), are not restricted by these guidelines. Contact PRM/A for a separate determination if there are access restrictions to specific reports.) 11. “Sharing” includes allowing visual inspection, providing oral or written disclosures, or transmitting copies of refugee records or data. 12. “Remote access” and “remotely” include device(s) that are not physically part of the RSC network, but connect to the aforementioned network (e.g., an RSC-issued device that uses a private network (e.g. home network to connect to the RSC network and/or START through a Virtual Private Network (VPN)). 4 1.1.0 Case Status Information Defined For the purposes of these guidelines, “case status information” may include: Confirmation that an applicant has/has not been pre-screened. Confirmation that an application is/is not currently being processed because the principal applicant does/does not fall within categories of people currently being processed by the United States. Verification that specified documents/information/counseling must be received/conducted to complete the applicant’s file or to attempt to resolve inconsistencies in the file. Confirmation that the application has been approved or denied. Reason for case closure if PRM conducted the case closure, except when case closure is related to security checks. The outcome of the USCIS decision only if the denial letter has been transmitted. Medical information that may impact resettlement. Other statuses as detailed on the RSC Inquiry Response Template and/or statuses approved by the Refugee Coordinator (RefCoord) or Program Officer for specific cases. Under these guidelines “case status information” may not include: Details of an individual’s personal history or characteristics, including details of the persecution claim. Details concerning the substantive basis for actions taken on the application. This restriction means, for instance, that someone who is authorized to receive only case status information may not be told that a woman was raped during her escape from her country of origin. Results of any security checks on a case. Any information regarding reasons for USCIS decisions (e.g., reasons for approval, denial), beyond the information already provided in the decision letter. Note: If a decision letter has not yet been provided to the applicant, the information in the decision letter should not be provided to third parties. Any information about security check processes under any circumstances. Authorization to receive limited disclosures of information in applicant records does not provide the recipient the authority to disclose information to persons who are not otherwise entitled to receive it under these guidelines. 1.2 Records Covered These guidelines apply to any information obtained by the RSCs from employees, contract workers, volunteer workers, applicants, international organizations, or any other source that relates to individuals identified for possible admission to the United States under the USRAP or SIV program. The guidelines apply regardless of the form in which information is stored (e.g., paper or electronic media). As part of annual training, any RSC staff with access to physical and/or electronic records that contain refugee data must acknowledge, in writing, having read the entire Integrity & Compliance Guide. All RSC staff who use an RSC computer connected to the internet must annually acknowledge, in writing, that they have read the Rules of Behavior, even if they do not have access to the START database. This is due to the fact that the Rules of Behavior contains useful information about protecting the network/computer while using the internet. RSC Management should keep a record of these annual acknowledgements to ensure staff compliance – an electronic signature/record of acknowledgement is acceptable. 1.3 Personally Identifiable Information (PII) PII is characterized as “any information about an individual maintained by an agency, including 1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and 5 place of birth, mother's maiden name, or biometric records; and 2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” PII by itself, or when combined with specific identifying factors for an individual, may cause harm to the individual. RSCs must protect all PII in their possession, whether it pertains to refugees, SIVs, applicant relatives and relations, including U.S. persons and U.S. Ties, etc. Some PII information when used alone may not appear to be identifiable to a person. However, such pieces of information are considered PII because the information belongs to a real person, and if combined with other PII information, could provide a substantial personal description of an individual. Examples of PII, whether used alone or with other PII, include but are not limited to: Full name, maiden name, mother's maiden name, or alias Personal identification number, such as social security number (SSN), passport number, driver's license number, national ID number, or alien number Contact information, including physical address, email address, or telephone numbers Personal characteristics/biographic information, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, facial geometry) Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, nationality, ethnicity, family relationships, geographical indicators, employment information, medical information, etc.) Sensitive PII (SPII) is PII, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. All SPII is considered PII, however, not all PII is considered SPII. While both PII and SPII breaches should be avoided using due caution (e.g. exercising good judgment and consulting your supervisor if you are not sure whether to share something or how to store it), SPII requires additional security measures to be taken. Specifically, all SPII must be encrypted when transmitted (see Section 1.3.1). SPII consists of one or more pieces of information that are considered particularly sensitive on their own as well as multiple pieces of PII that when combined become SPII. The following information is considered SPII even when used alone because it is very clearly unique to the individual: Social security number National ID number Driver’s license number Passport number Alien number Biometric identification information Note: Given the type and amount of personal information the following documents contain, treat them as SPII and therefore ensure they are encrypted if emailed: o Immigration or refugee processing documents – e.g. I-590 o Persecution claim history documents – e.g. Case History Template, USCIS Worksheet, Request for Review (RFR), and UNHCR Resettlement Registration Form (RRF) o Health information documentation – e.g. medical assessment forms, medical exam forms, significant medical condition forms, and activities of daily living form Groupings of information are considered SPII when they contain an individual's name (or other unique identifier) plus one or more examples of non-sensitive PII. The following examples of non-sensitive PII become SPII if a unique identifier is included with them: 6 Truncated SSN (such as last 4 digits) Date of birth (month, day, and year) Citizenship or immigration status Ethnic or religious affiliation Gender Criminal history Medical information Examples of PII and SPII along with encryption instructions are provided in the charts below. This list may not include all possible examples of PII or SPII regarding applicants and applicant relations. When in doubt, play it safe by encrypting the transmission, or ask your supervisor for clarification on whether a piece of information constitutes PII or SPII. If your supervisor cannot provide clarification, consult higher RSC management. If neither your supervisor nor management can provide clarification, consult the RPC Help Desk. 1.3.0 Unique Identifier Chart Types of Unique Identifiers (these are “unique” because Constitutes SPII when used Constitutes non-sensitive PII they belong to only one person alone when used alone in the world) Name (full or partial) X Social Security Number (full #) X National ID number X Driver’s license X number/document Passport number X Alien registration X number/document Biometric identification X information (including photo) 7 1.3.1 PII & SPII Determination Chart Sensitive PII: Non-Sensitive PII: Requires encryption Does not require Sensitive PII: when paired with encryption when Requires encryption name or other unique Types of PII used alone or with when used alone (i.e. identifier (i.e. is other non-sensitive is sensitive alone) sensitive when paired PII with unique identifier) Social Security X Number (SSN) National ID X number/document Driver’s license X number/document Passport X number/document Alien registration X number/document Biometric identification X information Applicant photographs X Immigration or refugee processing X documents Persecution claim X history documentation Health information X documentation Truncated SSN X X Date of birth or place X X of birth 8 Sensitive PII: Non-Sensitive PII: Requires encryption Does not require Sensitive PII: when paired with encryption when Requires encryption name or other unique Types of PII used alone or with when used alone (i.e. identifier (i.e. is other non-sensitive is sensitive alone) sensitive when paired PII with unique identifier) Citizenship, nationality, or X X immigration status Ethnic or religious X X affiliation Gender X X Family relationships X X Criminal History X X Results of security X X checks or interviews Results of DNA testing X X Employment or X X education history Contact information (physical or virtual X X address) Significant medical X X condition Basic medical X X information Practices for handling PII depend on accessibility to the information, including level of access: 1. Electronically (e.g., in START or through email communication) or 2. In hard-copy (e.g., printed notes, completed forms such as but not limited to I-590, AOR, UNHCR Referral, and Medical Exam Forms). 9 Please refer to relevant sections of this document for further details on required practices for handling PII according to level of access to records and methods of transmitting records. 1.3.2 Protecting PII/SPII Documentation Classification and Storage Requirements All documentation containing PII – both non-sensitive and sensitive PII – should be placed in the RSC’s highest document “classification” category. Such documents should be stored in secure physical and encrypted electronic locations that are only accessible to those with a need-to-know for business operations. Encryption Requirements for START and Applicant Data All USRAP partners, including RSCs, RAs, UNHCR, IOM, panel physicians, etc. are required to encrypt Sensitive PII (SPII) transmitted over email. This includes encrypting emails with SPII between RSC staff within the same RSC, between RSCs and PRM or USCIS, between the RSC and applicants when practical, etc. SPII in emails can be encrypted by 1) using an email software with an encryption feature that has been approved by RPC Security for encryption, or 2) moving SPII information into an attachment using a separate software that complies with FIPS 140-2 cryptographic specifications. It is a best practice for RSCs to minimize the amount of PII and SPII sent via email, especially for internal communications, and instead leverage START, discuss cases by only referencing their case numbers, or place SPII in a shared drive or FileCloud (RPC’s replacement for RSharenet) and refer colleagues to that location to access the information. If SPII must be included in an email communication to any party, it should be encrypted. If sending an email already encrypted under one of the methods specified below in Option 1, Microsoft file formats (such as Word or Excel documents) will remain encrypted even if downloaded, however non-Microsoft file formats (such as PDFs or image files) will not. Therefore, if sending an already encrypted email with a Microsoft file format attachment, encrypting the email is sufficient and additionally encrypting the attachment is not required. However, if sending an already encrypted email with a non-Microsoft file format, the attachment must be encrypted under one of the methods specified under Option 2. Option 1: Email software with an approved encryption feature (Note: if using an email software with an encryption feature, the ‘encrypt’ option needs to be selected before sending - emails are not automatically encrypted): Microsoft Office 365 - Office 365 Message Encryption (OME) Microsoft Office 365 and Outlook - S/MIME encryption Option 2: Attachment encrypted with FIPS 140-2 compliant encryption software: WinZip 18.5 WinZip Courier version 7.0 WinZip Enterprise Microsoft Office - “Encrypt with Password” feature Adobe Acrobat - “Encrypt with Password” feature Adobe Acrobat and Adobe Reader - FIPS Mode Password protecting a document is not the same as encrypting it, and password protection without encryption does not satisfy these requirements if the document contains SPII. If an RSC wishes to use password protection to protect documents, they may, but if a document contains SPII, the RSC must encrypt the document itself or encrypt the message through an email software. When sending an attachment encrypted with an “Encrypt with Password” feature, the password may be sent in a separate email. 10 RSCs should note that simple case status updates in accordance with the standard RSC Inquiry Response Template and case numbers do not constitute PII and thus do not require encryption. RSCs should limit to the extent possible the transmission of PII in their communications with refugee applicants, petitioners, congressional inquiries, and other authorized parties. Only the minimum necessary identifying information should be included in their communications and case status updates with authorized parties. All USRAP partners are required to comply with encryption requirements. RSC staff should report to the RSC Director or Deputy Director, or through other identified internal processes, any USRAP partners who refuse to comply with encryption requirements. In all responses to the original email that contains unencrypted SPII (from partners or from an applicant), either redact all SPII from the response chain or follow encryption guidelines if necessary to encrypt the email or attachment. As discussed in Section 1.3, the names of applicants and applicant relations (including partial and full names) are PII but are not considered SPII on their own. However, if the name is combined with other PII specific to the applicant or applicant relation, this is considered SPII and must be encrypted if transmitted. For example, if a list consisting just of applicant names is to be emailed, it is simply PII and encryption is not required. However, if a list of applicant names also includes date of birth information, the list becomes SPII and must be encrypted before sending. RSCs are encouraged to use case numbers to reference cases so that PII does not need to be shared (START case numbers are not PII). If an email contains many examples of non-sensitive PII, it is a best practice to err on the side of caution and encrypt the email even though it does not strictly contain sensitive PII. A multitude of even non-sensitive PII information can provide a recipient who has malicious intent with enough information about an applicant to cause damage. 2.0 General Principles Governing Access to Records The governing principle of these guidelines is that information about applicants and approved refugees and SIV holders can generally be disclosed only as specifically necessary to process the individual’s application for admission to the United States. RSC employees, contractors, and volunteer workers may have access to records only to the extent necessary for them to perform their duties, otherwise referred to as “need to know.” They may disclose information to third parties only when the third party is authorized (Third Party Authorization) to receive the information under these guidelines and has a “need to know,” or where PRM provides prior written authorization. No access may be given to applicant records or information derived from these records except in accordance with these guidelines. “Access” includes visual inspection of the records, oral or written disclosures of information from a record, or provision of copies of documents in a record. “Access” also includes bulk dissemination of multiple records through START-generated reports. (Dissemination of START-generated and other reports on refugee arrivals or other overview reports that do not include any PII does not constitute “access” to records and is not restricted by these guidelines. Contact PRM/A for a separate determination if there are access restrictions to those reports.) See Section 1.3 for information on PII. The guidelines are intended to give RSCs operational guidance to supplement the FAM, FAH, State-59, and the U.S. Department of State Records Schedule (links in Section 1.0). If an RSC perceives an inconsistency between these guidelines and other published information, the RSC should bring the difference to the attention of the RefCoord and Program Officer responsible for the RSC’s geographic region. 11 2.1 Authorized Unrestricted Access For the purposes of these guidelines, “unrestricted access” means authority to examine and copy any information in the file for the purpose of carrying out duties for the USRAP or for other authorized U.S. government business. “Unrestricted access” does not include authority to disclose information to persons who are not otherwise authorized to receive it under these guidelines. 2.1.0 Authorized Access to Applicant Records The following people are authorized, as described below, to access applicant records in various forms: 2.1.0.1 Resettlement Support Center (RSC) Employees The RSC Director, Deputy, and RSC processing managers are authorized to have unrestricted access to applicant records in all forms. For all other RSC processing staff, access must be limited to those records that the staff member requires to execute his/her job responsibilities. See Section 2.2.1.1. Any other RSC employee seeking unrestricted access must receive written individual approval from the local or regional RefCoord after the RSC Director has certified the employee’s need to have unrestricted access. 2.1.0.2 Department of State Employees All U.S. Embassy personnel with responsibilities that fall under the USRAP; all PRM and U.S. Embassy personnel with responsibility for refugee admissions or SIV work; other Department of State personnel and contractors who have a demonstrated need for unrestricted access, as determined by PRM. 2.1.0.3 Local U.S. Embassies RSC management and employees are not permitted to communicate with U.S. Embassies regarding SIV and refugee case applicants and information, except through the RefCoord (or with RefCoord in copy) or identified Consular Officer in the Consular Section of the U.S. Embassy in that country/region. 2.1.0.4 Department of Homeland Security (DHS) Employees All DHS personnel with responsibility for the USRAP; and other DHS personnel who have a demonstrated need for unrestricted access, as determined by the Department of State/PRM. 2.1.0.4.1 USCIS RSC management and employees are permitted to communicate with USCIS (including all sections of USCIS) regarding refugee case applicants and information, where such communication is part of routine USRAP processing and on a need to know basis. Requests for information from USCIS which fall outside normal USRAP processing steps should be reported to the RefCoord, even if they do not specifically violate USRAP data sharing and communication guidelines set forth in these guidelines. Case and applicant data is automatically shared with USCIS’ system – “Global” – through the START-Global interface connection, and is activated by RSCs through the “USCIS Data Transfer” Case Task in START. Therefore, case and applicant data should not be shared with USCIS outside of START. 12 2.1.0.5 Other U.S. Government Agencies Representatives of other U.S. government agencies with a responsibility for the USRAP who have a demonstrated need for unrestricted access, as determined by the Department of State/PRM. 2.1.0.6 Security Vetting Partners (Non-USCIS) RSC management and employees are permitted to communicate with security vetting partners regarding refugee case applicants and information. RSC-specific communication with security vetting partners should be in line with programmatic requirements. Prior to RSC responding, all requests for information from security vetting partners should be shared with the RefCoord, even if they do not specifically violate USRAP guidelines. Communications with USCIS security entities should follow the guidance in the section on USCIS communication. 2.1.1 Requests for Authorization The RSC should refer any unauthorized request for access to an applicant’s records to the RefCoord. The RefCoord is responsible for requesting PRM’s determination that individuals not already afforded unrestricted access above have a need to know in order to perform their job function. 2.2 Authorized Limited Disclosures 2.2.0 Disclosure of Limited Information In general, RSC employees, RefCoords, and all other personnel handling case information/PII/SPIIcan release only the information necessary for its partner or requestor to perform its processing function and/or in response to its inquiry, as permitted in the guidelines below. 2.2.0.1 RSC Employees, Contractors, and Incentive Workers Not Authorized Unrestricted Access RSC employees authorized for limited access to records should be given access/permissions commensurate to those needed to perform their job function. In consultation with the RSC Director/Deputy, the RefCoord must annually review and approve the permissions granted to the RSC standard positions, certifying the roles/permissions assigned to different position titles are appropriate for the related job functions. This approval is subject to such terms and conditions as the RefCoord may specify in order to ensure that various RSC positions have access only to information needed to perform the specific job description. For employees that require first-time access to START, the RSC point of contact for requesting access (SSC in most locations) will complete this Template that specifies requested permissions based on job functions, obtain RSC Deputy or RSC Director review/approval, and then submit to the RPC Help Desk with the RPC Deputy Director copied. RPC Deputy Director must approve new account creation requests. Please note: Only the User Acceptance Testing (UAT) environment account will be granted at first. Once the RSC caseworker has completed training in the USRAPUAT environment, the RSC can follow up to ask Help Desk to create a Production environment (USRAPPROD) account without seeking RPC Deputy Director approval. Also note, RPC Deputy Director approval is not required to reactivate accounts which have previously been approved, but were deactivated due to inactivity. For employees that require changes to their existing START accounts (e.g., due to position change/promotion), the RSC point of contact for requesting access (SSC in most locations) will complete this Template that specifies requested permission changes based on job functions, obtain RSC Deputy or RSC Director review/approval, and then submit to the RPC Hep Desk with the RPC Deputy Director copied. RPC Deputy Director approvals are not required for account changes sent to RPC Help Desk provided RSC is requesting permissions that align with the 13 agreed upon permissions for the specific job title and the RSC staff submitting request includes proof of the RSC Deputy or Director’s approval. Interpreters, translators, and other assistants, including contract workers or volunteer refugee assistants, hired or contracted by an RSC, may be given access to information in applicant or SIV or for Afghan Parolee records to the extent necessary to permit them to perform their duties, as determined by the RSC Director or Deputy. This also applies to interpreters, translators, and other assistants supplied by other governments in accordance with arrangements made between the United States and the other government. They may not be given electronic access to START unless specifically authorized by the PRM/A Overseas Section Chief and RPC Deputy Director. 2.2.0.2 Other U.S. Government Employees and Contractors An employee or contractor of the U.S. government not authorized unrestricted access may be given information needed to perform a specific job function if PRM determines they have a demonstrated need to know, subject to such terms and conditions as PRM may specify to ensure that the employee has access only to such information as they need to know to perform the job. If the RSC is unsure of the U.S. government employee’s need to know or job function and/or why the information is needed, the RSC should contact the RefCoord and/or Program Officer for further clarification and/or permission to release the information. 2.2.0.3 International Organization for Migration (IOM) RSCs may release information from the record of an applicant or SIV to an authorized IOM representative to the extent necessary to allow IOM to carry out medical examinations, make travel arrangements for the applicant or SIV, or complete other processing tasks requested by the U.S. government under the MOU between PRM and IOM. If panel physicians are used in lieu of IOM medical staff, the same principles apply. Information may be released only to the extent necessary to carry out the medical examination and facilitate any other related processing requirements. RSCs are permitted to communicate with IOM Migration Health Division (MHD), IOM Operations (Ops), and Panel Physicians regarding refugee applicants or SIV holders and information in the course of routine USRAP processing and on a need-to-know basis. Requests for information from IOM MHD, Ops, or Panel Physicians, or other entities, which fall outside normal USRAP processing steps should be reported to the RefCoord, even if they do not specifically violate USRAP data sharing and communication requirements as set forth in Section 3.0. 2.2.0.4 Resettlement Agencies (RAs) Participating in the PRM-Funded Reception and Placement (R&P) Program in the United States The guidelines in this section apply to information that RSCs may share with RAs in the United States and their affiliate offices. 2.2.0.4.1 Information on all USRAP Cases RSC management and employees are permitted to communicate with RA representatives and affiliates regarding refugee or SIV holder applicants and information in the course of routine USRAP processing and on a need-to- know basis. Prior to allocation, RSCs may provide to RAs whether an individual has been included as the U.S. Tie (UST) on a case or whether a group of cases has been linked via travel case group to one another. Once cases have been interviewed by USCIS, however, the RSC should advise the U.S. points of contact and RAs that the RSC may not provide any further information on the case, including case status, without a written third party authorization from the refugee applicant unless the applicant is a part of one of the P-2, P-3, or FTJ-R categories below. 14 Post-allocation, RSCs should provide information and updates to RAs per normal USRAP processing steps. RSCs are authorized to provide case updates and information to RAs that have assured a case even if assurance should expire. If a case is assured to one RA, that assurance expires, and then the case is assured to a second RA, the first RA may receive case updates/information up until the point that the case is assured to the second RA. Therefore, the initial RA would no longer have the right to case updates/information after the case is assured to the other RA. Requests for information from RA headquarters/affiliates which fall outside normal USRAP processing steps, or if the RA or affiliate’s need for the information is unclear, should be reported to the RefCoord, even if they do not specifically violate USRAP guidelines. RSCs are permitted to correspond with, provide updates to, and request further information from U.S. Ties, or RAs on behalf of U.S. Ties, that are petitioning for cases in the below categories at any stage in processing without the U.S. Tie having signed a Third Party Authorization Form. The RSC is also permitted to provide case status updates to RAs for cases in the below categories at any stage in the processing even if the RA is requesting this information from the RSC independent of the petitioner, as long as the RA filed the petition on that case. All correspondence of applicant records and data should follow encryption standards. P-2 Lautenberg Specter applicants in Iran or Austria P-2 Lautenberg applicants from the Former Soviet Union (FSU) countries P-2 I-130 Iraqi and Syrian applicants P-2 Central American Minors (CAM) All P-3 categories Follow-to-Join Refugees (FTJ-R) The RA/affiliate may be given updates for applicants in the above categories regardless of whether a U.S point of contact/petitioner is requesting the update through the RA/affiliate or the RA/affiliate is requesting the update independently. Resettlement agencies and affiliates may receive further information and case status updates on all cases when the case is allocated to or assured by the RA without a specific third party authorization. 2.2.0.4.2 Information Sharing during Allocation/Assurance During the allocation process, after USCIS has approved an applicant’s admission to the United States either conditionally or finally or if otherwise instructed by PRM/A, the RSC or the Refugee Processing Center (RPC) may release to the RA to which the case has been allocated, for refugees or SIV holders, the following: the applicant’s name, age, family relationships, place of birth, alien number, citizenships, aliases, ethnicity, religion, nationality, country of asylum, UNHCR submission category, general health condition, languages, English language ability, U.S. Tie information, Case Group information (Resettlement, Travel), dates of commencement and completion of CO training, projected date of departure for the United States, and other biographical and personal data concerning the applicant’s special resettlement and placement needs to ensure the refugee applicants or SIV holders can be received appropriately on arrival in the United States. This can also include case status information. Such information may also include information on medical conditions so the RA may plan for special medical interventions upon arrival. The RSC and RPC should not share any further information with the RA, other than the information listed above, without consultation and concurrence with PRM. Following assurance, RSCs may respond to inquiries from the RA in the United States which has assured the case to respond to case status inquiries and facilitate processing of the case. 15 2.2.1 Disclosure of Limited Information to Non-RSC Interlocutors RSCs have the responsibility to abide by PRM data sharing, communications, and privacy guidelines and policies in all communications, both internal and external, as set forth in Section 3.0. In the event the RSC receives communications from an outside source which does not abide by, or violates those guidelines and policies, they should ensure any/all responses still maintain all applicable communications and privacy guidelines and policies. If the RSC finds one or more of its employees has intentionally and/or maliciously violated these guidelines and policies, take the appropriate disciplinary action and report the issue to the RefCoord immediately. Specific attention should be paid to the restrictions regarding refugee applicant communications in this document. Requests for information from refugee applicants which fall outside normal USRAP processing steps should be reported to the RefCoord, even if they do not specifically violate USRAP guidelines. Beyond RSC employees, contractors, and USRAP partners listed in Sections 2.1 and 2.2.1, the following groups and individuals may be given the right to receive certain USRAP data to perform a processing function and/or in response to an inquiry. Further information and details on permissions for these groups can be found below. 1. Applicants, their family members, or other affiliated third parties 2. Attorneys or Accredited Representatives 3. United Nations High Commissioner for Refugees (UNHCR) 4. Heads of RSC Parent Organizations and their Designees 5. Foreign Government Authorities 6. The International Committee of the Red Cross or the American Red Cross (ICRC) 7. Mental Health and Other Counseling Organizations 8. Members of Congress 9. U.S. Government Law Enforcement Entities 10. Non-USRAP Non-Governmental Organizations (NGOs) 11. Media 12. Research 2.2.1.1 Applicants, Family Members, or other Third Parties RSC employees cannot reveal information regarding the processing status of the refugee application except as provided herein: A refugee applicant, Follow-to-Join Refugee (FTJ-R), or SIV applicant may make an inquiry to the RSC concerning the status of their case and receive case consultation upon verification of identity. FTJ-R applicants may inquire to an RSC regarding their case under the same guidelines as other USRAP applicants. The RSC may respond to an FTJ-R inquiry if the RSC is processing the FTJ-R case. If the FTJ-R case is processed by a U.S. Embassy or Consulate, the RSC should refer the inquiry to the Consular Section of the relevant U.S. mission. The RSC should not confirm nor deny the status of the case. Note: RSC employees may share an applicant’s own alien number with the applicant, or their designated attorney with a signed G-28, so long as it is shared using the approved methods of transmitting SPII within this document. 2.2.1.1.1 Applicants with a Shared Email Address For applicants who share an email address with other, separate individuals not included in the applicant’s case and/or included in a separate refugee application, the RSC should make a good faith attempt to establish the identity of the respondent before providing a case status update. The RSC should strongly encourage all refugee applicants to establish separate email addresses not accessible to third parties or extended family. Applicants who share an email address are required to acknowledge the sharing of personal information. The RSC can document this acknowledgment of responsibility in the Contact Log. in the PA’s Comments tab using the Notes to USCIS category using the following language: 16 “I take full responsibility for protecting the privacy of my email communications. I request that the RSC continue to send my confidential case information to [email protected], although other people may have access to this email account.” See the General Case Processing Guide for additional details on how to record that information. 2.2.1.1.2 Third Party Communication and Authorization An applicant may elect to sign an authorization for another individual (non-case member) to receive a case status update on their case. RSC should print the Third Party Authorization Form on standard RSC letterhead. In the absence of a Third Party Authorization Form, responses to inquiries or information sharing from an applicant’s friends, acquaintances, relatives, or others must be limited to general descriptive material about the USRAP or a description of program procedures that might be of assistance to the inquirer, and should not confirm or deny that an applicant is in the USRAP pipeline. If the third party has a signed Third Party Authorization Form from the refugee applicant allowing information to be shared with certain family member(s), or with friends in the case of the P-2 Lautenberg Specter program, uploaded into START, the RSC may provide those individuals with general case status information. If the form is received in person, then the RSC staff member should sign the RSC Staff Signature section. Case status information can be reported as listed in the RSC Inquiry Response Template, and/or statuses approved by the RefCoord or Program Officer. Inquiries for other information, apart from what is authorized under Section 1.1.1, regarding specific refugee cases may not be provided to third parties, even if the individual has a signed Third Party Authorization Form. For example, the RSC is not permitted to provide copies of documents to an authorized third party. An authorized third party is not permitted to accompany a refugee applicant to RSC intake or PreScreen appointments or engage in other types of involvement in refugee processing, except as described below on Applicants with Impediments. If the Third Party Authorization Form is received electronically, upload the email cover sheet in addition to the Form in START. The RSC is not required to print the Third Party Authorization Form, if received electronically. Additionally, the RSC Staff Signature section may remain blank if the form is received electronically. If the person with the third party authorization is not related to the applicant (e.g., non-family, non-U.S. Tie), the RSC should ask the applicant for an explanation of who the person on the authorization is, and why that person should be able to receive the authorization. The RSC should counsel the applicant on the significance/meaning of Third Party Authorization. Following that discussion, the RSC supervisor should sign the third party authorization, in addition to the applicant. The RSC supervisor signature is a measure to ensure applicants fully understand that they are providing their case information to a third party, as well as a fraud check for RSC employees. If the form is received electronically, the RSC supervisor must review the form, but is not required to sign the form. Upload the form in START, as well as the email from the RSC supervisor confirming they reviewed the request. 2.2.1.1.3 Documents from Third Parties The RSC is permitted to receive documents from authorized third parties, including attorneys, who are writing on behalf of the refugee applicant. The RSC is also permitted to confirm receipt of the documents and/or engage in simple communication regarding document submission and retrieval. If the RSC receives documents that have relevance to a case (e.g., poison pen letters, unexpected custody documents, etc.) from an unauthorized third party, the RSC should upload the documents to START and notify PRM and the USCIS Desk Officer in START. If the unauthorized third party is simply providing information regarding a case, RSC or PRM personnel may forward the information about the case provided by the inquirer to the appropriate processing entity if doing so may help facilitate the processing of the case. 17 2.2.1.1.4 Applicants with Impediments An authorized third party is permitted to accompany a refugee with an impediment, such as age, illness, or disability that prevents an applicant from communicating (speaking, understanding, asking) independently, to RSC intake, prescreen, USCIS interview, and other processing activities. During the first appointment, the third party should complete a Third Party Authorization Form and RSC staff should note the disability that prevents the applicant from communicating independently. Third party authorization forms are not required for refugee applicants in the same case as the applicant with the disability. Forms are required for any third party individual not in the same case. If an applicant has a serious impediment, minimal case status information may be provided to a third party if the applicant has signed an authorization indicating which individual(s) have permission to receive the information. If the applicant is not capable of signing due to disability or illiteracy, an adult who is included on the applicant’s application for admission or in a Case Group with the case may sign the authorization on behalf of the applicant. In the case of child applicants under the age of 14, or unable to sign due to illiteracy, an adult guardian or relative may sign on behalf of the child. The adult must annotate on the Third Party Authorization Form their relationship, and why the applicant is not able to sign for themselves. RSC staff (or Consular officers for FTJ-R and SIV cases processed at a U.S. Embassy or Consulate) should exercise common sense and caution in responding to such inquiries and should only provide the minimum information necessary to respond to the inquiry, and only with the signed authorization of the applicant. 2.2.1.1.5 Other Case Members The RSC is permitted to share the reasons for administrative case closure with an applicant or any case member if the case closure was made by PRM (e.g., petitioner could not demonstrate qualifying employment, petitioner is deceased). Similarly, adult children who marry and thus lose access to the qualifying family relationship can also be counseled as to the reasons for the case closure. In cases where a case is administratively closed for security reasons, the RSC can provide only the case closure language provided to the principal applicant at the time of closure. All personnel working for USRAP partners, including RSC and PRM staff, are expressly forbidden from providing security information directly to applicants or any third parties. The RSC is permitted to share only the outcome, but not additional details, of the USCIS decision with an applicant or any case member. This is limited to information that a case is processing/moving forward to another processing step or has been denied if (and only if) the denial letter has been transmitted. For more information on sharing documents and case status information with applicants, family members, or other affiliated third parties, see Section 3.1.4 on communication with applicants. 2.2.1.2 Attorneys or Accredited Representatives Written (including e-mail) inquiries to an RSC for case status information from attorneys or accredited representatives1 may be answered with the requested information, if the request is accompanied or preceded by a properly completed and signed G-28 or G-28I Form, which is issued by DHS. (This form is in lieu of the Third Party Authorization Form, for third parties who are not attorneys or legal representatives.) G-28/G-28I Forms are available at https://www.uscis.gov/g-28 and https://www.uscis.gov/g-28i. Other information regarding specific 1A person who is approved by the Board of Immigration Appeals (the Board, or BIA) to represent aliens before the Immigration Courts, the BIA and U.S. Citizenship and Immigration Services. They must work for a specific nonprofit, religious, charitable, social service, or similar organization. The organization must be authorized by the Board to represent aliens. 18 refugee cases beyond their case status may not be provided. RSC should treat attorneys and representatives the same as any other third party with a signed waiver on file. For example, an authorized attorney may not inquire as to the reason a refugee applicant has been deemed ineligible for P-2 access. The information that can be provided to an authorized third party is limited to case status information detailed in Section 1.1.1. Further, except in the case of Iraqi refugee applicants seeking admission through certain P-2 categories,2 an authorized third party (including an attorney) is not permitted to accompany a refugee applicant to RSC intake and PreScreen interviews or engage in other forms of involvement in refugee processing. The G-28 or G-28I Form must include complete information, including signature from the refugee applicant or petitioner, as well as complete information, including signature from the relevant third party. RSCs should ensure that the applicant’s signature on the form is verified against his/her signature on file, if available. RSCs may accept a G-28 or G-28I form signed by the petitioner in FTJ-R cases or the US Tie in P-3 Family Reunification, as RSCs are already authorized to share case status information for these categories of individuals in these specific case types. In all other case types, the RSC may only accept G-28 or G-28I forms from the refugee applicant. Responses to case status inquiries may only be sent to the physical address or email address provided in the original G-28 or G-28I Form. If an attorney or accredited representative provides on the G-28 or G-28I Form a general email address that is accessible by other individuals (i.e., [email protected]), the RSC should request a private email address for the attorney or accredited representative and should only use that private email address for electronic communication. Case status information in response to telephonic requests from third parties may not be provided. There is not a defined validity period for the G-28 or G-28I. 2.2.1.3 United Nations High Commissioner for Refugees (UNHCR) RSCs may release individual case information to an authorized representative of UNHCR to the extent necessary to facilitate the processing of the case. The RSC is authorized to provide feedback to UNHCR on its resettlement referral processes, provide information to allow UNHCR to respond to deferred refugee referrals, and provide case status updates on an individual case for the purpose of resettlement processing and refugee protection. RSCs may not provide UNHCR with more information about the status of an applicant’s security checks than the RSC would normally provide to the applicant (see Section 3.1.5.3 for more information). Instead, RSCs may give UNHCR a general description of the security check process that all refugees undergo. RSC management and employees are permitted to communicate with UNHCR regarding refugee case applicants and information in the course of routine USRAP processing and on a need to know basis. Requests for information from UNHCR that fall outside normal USRAP processing steps should be reported to the RefCoord, even if they do not specifically violate USRAP data sharing and communication requirements as set forth in Section 3.0. 2.2.1.4 Heads of RSC Parent Organizations and their Designees The immediate supervising official(s) of the RSC Director for the organization which runs the RSC are permitted to have access to physical applicant files only for the purpose of monitoring and evaluating the performance of RSC staff and leadership. Other employees and leadership of the organization which runs the RSC, but who are employed outside the RSC, are not authorized to access applicant records in any form without explicit prior written permission from PRM/A. Electronic access to refugee information by the RSC parent organization is not permitted without explicit prior written permission from PRM/A. Individuals from the RSC parent organization with electronic 2 The National Defense Authorization Act of 2014 includes provisions authorizing Iraqi refugee applicants seeking P-2 access pursuant to the Refugee Crisis in Iraq Act to be represented by attorneys or accredited representatives. during the refugee application process, including relevant interviews and examinations. Iraqi P-2 I-130 applicants are not covered by this provision. 19 access to refugee information should acknowledge in writing that they have read and understood this Integrity & Compliance module of the USRAP Overseas Processing Manual. The RSC should send any requests for access to the RefCoord and Program Officer. RSC management and employees are not permitted to communicate with RSC headquarters representatives regarding refugee case applicants and information, where this is not part of routine USRAP processing and where there is no clear need to know, unless previously approved by PRM/A. Requests for information from RSC headquarters which fall outside normal USRAP processing steps should always be reported to the RefCoord, even if they do not specifically violate USRAP data sharing and communication requirements as set forth in Section 3.0. Further questions on access by the parent organization of the RSC should be directed to the RefCoord and Program Officer. 2.2.1.5 Foreign Government Authorities RSCs may release to foreign government authorities only such information in applicant records as necessary to facilitate movement of applicants and SIV holders (e.g., to obtain exit permits). RSCs should generally limit this information to the names, ages, family relationships, medical condition (when relevant), dates of arrival and departure, transportation arrangements, and similar information concerning the applicants involved. When permitted by formal written arrangements between the United States and other governments and/or necessary to finalize departure permission, the RSC may release additional case information to those governments after requesting and receiving prior written approval from PRM/A. Requests for information from foreign governments which fall outside normal USRAP processing steps should be reported to the RefCoord. The RSC should use discretion to determine if a request falls outside normal USRAP processing and consult with the RefCoord if it does. 2.2.1.6 The International Committee of the Red Cross or the American Red Cross (ICRC) RSCs and the RPC may reveal information in an applicant’s record to the International Committee of the Red Cross (ICRC) or the American Red Cross to the extent necessary to assist with international tracing efforts for the purpose of family reunification, if the applicant has signed an authorization specifically for this purpose. Consult the RefCoord for information-sharing requests to facilitate an ICRC Travel Document. RSC management and employees are permitted to communicate with ICRC regarding refugee case applicants and information where such communication is part of routine USRAP processing and on a need-to-know basis. Requests for information from ICRC which fall outside normal USRAP processing steps should be reported to the RefCoord, even if they do not specifically violate USRAP guidelines. 2.2.1.7 Mental Health and Other Counseling Organizations Information from applicant records may be released to government or private mental health counseling organizations or entities as needed to the extent necessary if the applicant poses a temporary danger to themselves or others. In addition, information from applicant records may be released to these mental health counseling organizations, in consultation with PRM/A, to the extent necessary to permit them to assist in making recommendations on the suitability (or continued suitability) of placements for children under parental supervision. The RSC should use discretion to determine if a request falls outside normal USRAP processing and consult with the RefCoord if it does. 20 2.2.1.8 Members of U.S. Congress RSC management and employees are permitted to communicate with Members of the U.S. Congress and Congressional staff regarding specific refugee case applicants and information pertinent to that Member’s district. RSCs should always include the RefCoord, Program Officer, and PRM Congressional Liaison on communications with Members of Congress. Written inquiries (including e-mail) for case status information or other case-specific refugee information from Members of Congress or their staff that do not specifically relate to adjudication decisions by DHS should be answered with only the information necessary to answer the inquiry. Members of Congress or their staff should not pass such information to persons outside of Congress, except to the refugee themselves or to an individual the refugee has authorized to receive such information by signing Form G-28, G-28I, or a third party authorization form. Information in response to telephonic requests from Members of Congress or their staff may not be provided. No copies of documents or other items from a case file may be provided. Information provided on USRAP refugee resettlement cases and FTJ-R cases must include the reminder: “The following information is provided in response to the inquiry, however, due to the need to protect privacy, the information is provided for the sole purpose of responding to the inquiry and should not be publicly disclosed except to inform your constituent about this case.” For SIV inquiries only, the following language should be used: “Information provided must include a reminder that, pursuant to Section 222(f) of the INA (8 U.S.C. 1202(f)), such information: 1. is to be treated as confidential, 2. is being provided to them solely for purposes related to “the formulation, amendment, administration, or enforcement of the immigration, nationality, and other laws of the United States,” 3. should not be shared with other Members of Congress or their staffs except as specifically needed for the aforementioned purposes, and 4. should not be released to the public.” If the Congressional letter requests that a response be sent directly to a constituent or other third party, the requested information will be provided to the Member of Congress or staff member with an explanation that in accordance with law and policies governing the privacy or confidentiality of Department of State refugee processing records, the Department cannot provide case status information or other case-specific refugee information directly to the constituent, unless the constituent is the refugee applicant themselves or an authorized third party. In either of the latter cases, the applicant or authorized third party would be able to obtain case status information by inquiring directly to PRM/A or the RSC handling the case. See Section 2.2.2.8 for additional details on responding to Congressional letters. 2.2.1.9 U.S. Government Law Enforcement Entities Written inquiries (including e-mail) for case status information or other case-specific refugee information from U.S. government law enforcement entities that do not specifically relate to adjudication decisions by DHS, will generally be answered by PRM with the requested information when such law enforcement entities can demonstrate a specific need to know. Questions on such inquiries, as well as any inquiries from U.S. state and U.S. local law enforcement agencies, should be referred to PRM/A for response. Information in response to telephonic requests from U.S. government law enforcement entities may not be provided. Responses must be coordinated with and sent from PRM/A in Washington, with involvement of the Department of State’s Office of the Legal Adviser. RSCs may not respond to any such law enforcement inquiries 21 from U.S. federal, state, or local agencies, directly. RSC should forward the request to their RefCoord and Program Officer. 2.2.1.10 Non-USRAP Non-Governmental Organizations (NGOs) RSC management and employees are not permitted to communicate with non-USRAP NGOs regarding refugee case applicants and information, unless previously approved in writing, by the RefCoord and/or Program Officer. Only NGOs authorized by PRM to provide refugee resettlement referrals into the USRAP are permitted to communicate with RSCs regarding specific refugee case applicants and information where this is part of routine USRAP processing and on a need-to-know basis. Requests for information from NGOs which fall outside normal USRAP processing steps should always be reported to the RefCoord, even if they do not specifically violate USRAP guidelines. In instances where an NGO is assisting the applicant, a Third Party Authorization Form must be on file for the specific NGO staff member assisting the applicant (see Section 2.2.2.1.2.). 2.2.1.11 Media RSCs are not permitted to speak with the media concerning any aspect of the USRAP without prior Program Officer approval. RSCs must relay and discuss any media inquiries with PRM/A, and follow any guidance provided by PRM/A. For media inquiries about specific refugee applicants, RSCs are not permitted to provide any refugee data to any media organization in response. RSCs are also forbidden from assisting members of the media in finding individual refugee applicants of any specific population or group, however defined. They are only permitted to pass on inquiries for a specific, named refugee applicant to the refugee applicant and note that they may engage with the media independently if they wish, but the RSC should have no further role in that communication. The RSC is not allowed to speak to the media on behalf of the refugee. Once the message has been delivered to a refugee applicant, RSCs are permitted only to tell members of the media inquiring on a refugee case that their message has been passed. PRM/A should be notified but does not need to approve of passing messages from the media to refugee(s). 2.2.1.12 Research PRM understands that sharing refugee records, data, and information with research partners may further the interests of developing better refugee resettlement programs. Accordingly, refugee records, data, and information may be shared with research partners only with prior approval from PRM and on a case-by-case basis, in accordance with these guidelines. General Principles Governing the Sharing of Refugee Records, Data, and Information for Research Purposes 1. The sharing of government records, data, and information on refugees for research purposes is not an activity provided for in PRM’s cooperative agreements with RSCs or its MOU with IOM, nor is it otherwise performed in the ordinary course of business. Therefore, refugee data originating from START may not be shared with research partners without the prior written consent of the Department of State. 2. PRM owns all data maintained in START, except for information and records in START originating from and owned by another U.S. government agency, such as DHS. Ownership of this data cannot be changed through de-identification of START data or transfer of the data into another database. Any MOU or data use agreement that an RSC or IOM enters into with a research partner must accurately reflect PRM’s ownership of START data. 3. The Department of State has the sole authority to publish research based on refugee records, data, and information gathered before a refugee’s admission to the United States. RSCs and USRAP-affiliated IOM staff are not permitted to share refugee records, data, or information collected before a refugee’s admission with research partners for the purpose of publication, as publication by an RSC, IOM, or research 22 partner does not relate to the “formulation, amendment, administration, or enforcement” of the laws of the United States. 4. Refugee records, data, and information collected by PRM, an RSC, IOM, or another implementing partner after a refugee’s admission to the United States are still subject to the confidentiality provisions of PRM’s cooperative agreements and MOU with RSCs, and IOM. 5. RSCs, USRAP-affiliated IOM staff, and their research partners may publish aggregated statistical summaries describing the effectiveness of program innovations that are based on data collected after a refugee’s admission to the United States, as long as these reports only disclose START data that is publicly available, or data that was explicitly approved in writing by PRM for such use, and does not allow individual refugees and their resettlement locations to be identified. Process for Sharing Refugee Records, Data, and Information for Research Purposes PRM recognizes that RSCs, and IOM have a strong interest in partnering with researchers in order to improve their methods of implementing and evaluating the USRAP. For researchers seeking general information, it is permitted to share public websites and/or resources, such as Settleinus.org or PRM’s website. Before sharing any non-public refugee records, data, or information with a research partner, RSCs and USRAP-affiliated IOM staff must follow this process: 6. RSCs and IOM must submit a data sharing proposal to PRM and obtain PRM’s written approval on a case- by-case basis before sharing START data with another person or entity for research purposes. Data sharing proposals must include the following information: Description of the type and scope of START data to be shared. Name of the intended research partner. Explanation of how the sharing of START data will further the implementation of the USRAP. Draft of the data use agreement to be signed by the intended research partner. 7. PRM will review the data sharing proposal in consultation with the Department of State’s Office of the Legal Adviser to verify whether the proposal is consistent with the Department’s privacy policies and guidelines and will issue a written response approving, denying, or requesting modifications to the data sharing proposal. PRM will strive to provide a written response within 30 days of receiving the data sharing proposal. 8. Upon receiving written approval from PRM to proceed with a data sharing proposal, the RSC, or IOM must sign a data use agreement and non-disclosure agreement with the intended research partner that specifically prohibits any disclosure of individual level data and directs the research partner to destroy all shared data after completing the approved project. 9. The RSC, or IOM must send PRM by email a scanned copy of the data use agreement signed with the research partner within 5 business days of the date of signing. 10. Upon following the steps described above, the RSC, or IOM may securely share an appropriately de- identified dataset with research partners. To appropriately de-identify data, PRM requires the removal of personally identifiable information (PII), including names, dates of birth, addresses, contact information, personal health and medical information, biometric records, full-face photographic images, alien numbers, social security numbers, and other identification numbers. The data must be hosted on a secure server that is approved to handle sensitive data, and any refugee records, data, or information shared via e-mail must be encrypted. 3.0 Data Sharing and Communication in the USRAP The governing principle of these guidelines is that information about applicants and approved refugees can generally be disclosed only as specifically necessary to process the individual’s application or Special Immigrant 23 Visa for admission to the United States. The disclosure of information should contain the least amount of PII possible to complete official duties. RSCs must record in the Contact Log in START any interaction with an applicant or individual for whom the PA has signed a Third Party Authorization Form. RSC should record contact with unauthorized individuals who tried to seek information about the applicant from the RSC as well. Such interactions must be conducted using RSC phone and/or email addresses. The RSC does not need to enter routine contacts for processing steps (e.g., the PreScreen interview, routine transactions with UNHCR, or regular scheduling with IOM Ops and MHD for the purposes of processing cases) in the Contact Log. RSCs should avoid attaching emails between the RSC and RPC or the RSC and PRM to cases as much as possible and instead copy and paste emails into the Contact Log to document (unless the email contains an attachment or image). The record in START of any authorized disclosure must include the date, nature, purpose of the disclosure, written authorization from PRM if applicable, and the name and address of the person or agency to whom the disclosure was made. Best practice includes attaching the correspondence with third parties in START as well. All USRAP communications should provide efficient and responsive information to the U.S. Government, USRAP processing partners overseas, domestic resettlement partners, and applicants, while protecting data and information under all applicable privacy laws and regulations. Communications in any form should be professional and clear. It is expressly forbidden to be rude, demeaning, degrading, harassing, threatening, discriminatory, overly familiar, or send inappropriate materials in conjunction with any USRAP communications. The guidelines below do not cover every possible scenario for communications regarding a USRAP case. When in doubt, RSCs and other USRAP partners should contact their Program Officer for further guidance. 3.1 Receiving, Sending, and Disclosing Applicant Data 3.1.0 Tableau Reports and START Filters Access to Tableau and individual reports within Tableau should be limited to RSC management, staff who are responsible for RSC reporting, and staff who have a case processing need. The RPC and RSC reporting staff are responsible for monitoring the data provided in reports as well as access to use of reports and Tableau. Data provided must be on a need-to-know basis to perform a case processing function. PII must be limited to the greatest extent possible. Reports created in Tableau must be reviewed yearly to ensure that PII is included on a need-to-know basis only, is a must-have in the report, and is overall limited to the greatest extent possible. The review must also ensure that data in reports is not excessive and is appropriate for user permissions. Results of yearly review should be submitted to the RPC Reporting Team for auditing. Sharing of Tableau reports is permitted within the guidelines set forth in this document. Follow guidelines in Section 2.0 on sharing records and this section on protecting data when sharing reports. Common Data Models (CDMs) are the sets of data provided to the RSCs for reporting in Tableau that act as a ‘Data Source’ for Tableau. The CDM defines the model for the data that will be included in the data source. In an effort to protect applicant PII within CDM data sets, the RPC is restricting the exposure of CDM fields containing PII. Fields with PII will only be exposed to RSCs if the RSC has a valid business need for access to the field and if the RSC does not have another feasible workaround. RSCs should request for certain CDM fields to be exposed by submitting with a justification of the business need. Approval to add the field is provided by PRM. Use of the fields provided will be reviewed in detail during report reviews. 24 RSCs must provide a business case with a justification for each report created in Tableau and with justification for any PII included in Tableau reports. START users currently have the ability to export START filtered lists as a reporting feature; however, this capability should not be used without authorization from the RPC. START filtered lists should not be exported even though the functionality exists. In general, if system data needs to be viewed or shared outside of the START system, it should be managed through Tableau reports. Tableau reports have gone through an extensive approval process, and by limiting report creation to Tableau, the USRAP program can enforce its commitment to data integrity and reduce the distribution of PII outside of the system when it is not necessary. If staff have a justified business need to export data that cannot be met through Tableau reports but can be met by exporting START filtered lists, an exception may be pursued by submitting a request to the RPC Help Desk for approval. In order to enforce the prohibited use of exporting START filtered lists, RSC Compliance/IT or similar staff must conduct monitoring/spot checks on staff computers and emails to ensure that START filters containing applicant PII have not been downloaded/ circulated unless explicitly authorized. 3.1.1 FileCloud Files containing PII that are uploaded to FileCloud must only be accessed and used by staff who have a case processing need or need to know. 3.1.2 Email/Written Communication The use of personal email is strictly prohibited for receiving, sending, and disclosing applicant data. Additionally, it is prohibited to forward or enable all messages to be automatically forwarded to an address outside of START or RSC systems. Taking screenshots or photographs of PII or sensitive data is strictly prohibited. However, RSC personnel may share their screen internally within the course of regular duties (such as training or management monitoring of pre- screenings), so long as they are doing so through an authorized video-chat application, and employing the VPN. RSCs may also screenshare or provide screenshots of the START UAT environment (which does not contain real PII or SPII) for training or related purposes. Should any staff find evidence that any RSC staff has photographed or taken unauthorized screenshots of data and transmitted those images to personal email or devices, the RSC must notify the RSC Director or Deputy immediately for review. RSC Compliance/IT or similar staff should conduct random monitoring/spot checks of user devices and email accounts to identify if data has been exported (from START), photographed, screenshot and forwarded to personal email or devices. Use organizational specific email addresses when interacting with external partners or applicants regarding case information. Whenever possible, group email boxes should be used for communications on USRAP cases. You must include your name on every email unless the anonymity has been approved by a supervisor. Per the RSC Style Guidelines, email signatures must include the RSC logo. Other standards for email "signatures" may also apply. This provides oversight and history into what has been communicated and protects RSC and USRAP partner staff from suspicion of malfeasance. Use approved email templates, where available, when corresponding with external partners or applicants. Emails and letters should clearly identify the sender, the recipient, and the purpose of the communication. Use proper care to verify that email recipient addresses are accurate, in order to avoid sending sensitive information to the wrong sender. This is especially important for emails sent to non @wrapsnet.org, non @uscis.dhs.gov, and non @state.gov email addresses or emails sent to many recipients. Emails and written communications can be written in any language, but RSCs should always include accurate and complete English translations in addition to the original language for any official USRAP communications that are 25 scanned into START. For internal RSC emails, an English translation is not required, though RSCs should ensure they have proper oversight over internal communications through their own regulations and management structure. RSCs should ensure that emails are never harassing, threatening, or discriminatory. START or RSC systems cannot be used to send commercial email, such as for auctions or home businesses. Mass mailings cannot be sent to large numbers of people unless it is business related. The distribution of greeting cards, humorous pictures and videos, or political messages. Is prohibited. Emails supporting terror, pornography, gambling, weapons, or illegal drugs are also prohibited. When corresponding with USRAP partners and authorized third parties, PII and SPII should never be included in the email subject. Sensitive PII (SPII) should only be included in the body of the email if the email is encrypted using an email software encryption feature. SPII should otherwise be attached to the email with encryption (see Section 3.2). If SPII was included in the original message, insert “XXXX” in place of the SPII when responding. Per Section 3.2, notify RSC Director/Deputy when partners commit such breaches. When corresponding with applicants, it may not be practical or feasible to send SPII as an encrypted file attachment. Therefore, the RSC should strive to minimize the use of PII in the email (e.g. ‘Dear Applicant,’). If the RSC is responding to an applicant who provided SPII in their email, the RSC should place an “XXXX” in place of the SPII when responding. Although PII does not strictly require this type of redaction, all PII should be minimized when sent via email, including to USRAP partners, applicants, and internal RSC colleagues. RSCs can include non-PII in email/written communications, including: Signatures with contact information Notices regarding how, when, how-not-to communicate Privacy regulations and warnings Customary greetings Customary signatures/end-of-letter salutations General information regarding refugee resettlement processing Case status updates, although not considered PII, should only be sent over official RSC email. RSCs should ensure non-PII included in an email or written communication is standardized using the RSC Inquiry Response Template. If it is included in one refugee case status update, it should be included in all refugee case status updates. Similarly, information sent to USRAP partners should be standardized across different partners, as appropriate. These guidelines also cover web-based communications through secure interfaces with applicants or other USRAP partners. See Section 3.0 for information on routine correspondence between RSC and other agencies. 3.1.2.1 Short Message Service (SMS) and Other Communication Platforms RSCs may communicate the following to refugee applicants via SMS on an RSC-issued phone or via other RPC- approved messaging services (i.e., web or phone applications, software, etc.) on RSC-issued devices: anti-fraud warnings, information on holidays and office closures, general resettlement information, links to additional online resources, scheduling USRAP events, including appointment date, time, and location. 26 RSCs should not send case status updates to applicants via phone or other RPC-approved messaging services. Case status updates, although not considered PII, should only be sent over official RSC email and should be standardized using the RSC Inquiry Response Template. Approved messaging services to use when communicating with applicants refer to those that have been explicitly approved by the RPC Security team for use on RSC-issued devices (personal devices cannot be used). All requests to use a messaging service to communicate with applicants must be forwarded to the RPC Security team for approval prior to use. This policy guidance applies retroactively – if an RSC has been using a messaging service to communicate with applicants that has not been approved by the RPC, the RSC must request approval from the RPC in order to continue using it. The following U.S.-based messaging services may be used for routine applicant communication. This list is composed of standard messaging services – the use of any other service for applicant communication must be requested and approved by the RPC per the above guidance. PII must not be discussed or shared over any of these applications (except for those marked with an asterisk – see Section 3.1.4.1). BOTIM (Algento) BlueJeans (Verizon) Google video and chat services (e.g. Duo, Hangouts, Voice) iMessage (Apple) Facebook Messenger WhatsApp Messenger (Facebook) WhatsApp Business (Facebook)* Skype (Microsoft) WebEx (Cisco)* Zoom Video Communications* Only apps that are intended to be used for communication with refugee applicants need to be approved by the RPC. RSC users can download and use any app on their RSC issued phone as long as it is in line with any existing RSC Management rules of behavior for phones and MDM is configured on the device per the Integrity and Compliance module. Bulk SMS communications that are sent to all applicants do not need to be updated in the START Contact Log. However, case or applicant specific information sent via SMS must be updated in the case’s Contact Log. Refugee PII or other sensitive data can only be communicated via RSC email except in extreme circumstances in which an applicant does not have access to email. RSCs may accept (i.e. receive) PII from applicants over text or other messaging service by exception – permission to receive PII documents or PII in text must be granted by the RSC Director or Deputy Director after presenting a justification for why email, mail, or in person transmission is not possible. The exception, including the rationale and approval, should be documented in the START Contact Log along with the general message contents. Although receiving PII in extreme circumstances is permitted for certain situations by exception, RSCs should never send PII or official case processing documents (e.g. denial letter) over SMS or another communication platform other than an RSC email account. RSCs should encourage applicants to set up a free email account, if possible, during data collection or PreScreen so that documents can be transmitted over an official email channel. RSCs should keep a record of the email addresses and inform applicants via an official email communication how future communication will occur. This includes providing numbers and accounts that will be used. The official communication should include anti-fraud messaging to prevent payment or applicant transmission of PII or other sensitive information through other channels. 27 3.1.3 Telephone/In-Person RSCs should maintain management oversight over telephonic and in-person communications with USRAP partners and refugee applicants. Telephonic/in-person communications with refugee applicants should take place in RSC workspaces, using RPC- approved messaging services on RSC equipment, and must be logged in the Contact Log within START as described in USRAP Processing Guide 10: General Case Processing. For RSC workers conducting circuit rides, telephonic/in- person communications with refugee applicants should only take place in designated RSC workspace areas. This guidance also applies to individuals authorized to work from home—such individuals may communicate with applicants using RPC-approved messaging/communication services (i.e., web or phone applications, software, etc.) on an RSC-issued phone or while logged into START via an RSC-issued computer using a VPN. Telephonic inquiries by refugee applicants,