Adequate protections of personal information shall be provided to prevent unauthorized access, consistent with the applicable safeguards for sensitive information contained in relevant Executive Orders, proclamations, Presidential directives, Intelligence Community Directives (ICDs), and associated policies.
Access to personal information acquired through SIGINT activities shall be limited to authorized and trained personnel, such as personnel responsible for analyzing and processing the information who have a need to know the information in order to perform their mission, consistent with the personnel security requirements of relevant Executive Orders, ICDs, and associated policies.
Personnel will be provided appropriate and adequate training in the principles set forth in this regulation and any associated guidance before being authorized access to unevaluated and unminimized personal information acquired through SIGINT activities. Training is required for those personnel who engage in collection requirements, targeting, or other disciplines that deal with SIGINT collection. Further, administrators and other support personnel who require access to these collections also must be trained prior to being granted access. Failure to obtain or maintain training requirements will result in the loss of access until requirements are met.
Personnel querying databases containing information acquired through SIGINT activities shall structure query terms and techniques in a manner reasonably designed to identify intelligence relevant to an authorized intelligence requirement and minimize the review of personal information not relevant to an authorized intelligence requirement.
Systems containing SIGINT shall record sufficient details of purges to enable oversight and compliance with retention policies.
Dissemination
Dissemination of personal information concerning foreign persons acquired through SIGINT activities is authorized only if the Agency has lawfully collected or received the information in accordance with FISA or Part I of Executive Order 12333 and the processes established by PPD-28, and the dissemination of comparable information concerning U.S. persons would be permitted under Section 2.3 of Executive Order 12333, as listed in the Retention Section above. If the Agency is disseminating personal information concerning a foreign person because it is foreign intelligence, the information must relate to an authorized intelligence requirement, and cannot be disseminated solely because of the person’s foreign status. Thus, for example, personal information about the routine activities of a foreign person may not be disseminated unless it relates to an authorized foreign intelligence requirement.
The Agency shall establish policies and procedures reasonably designed to minimize the retention and dissemination of personal information acquired through SIGINT activities.
5
