REAL ID Act of 2005, Pub. L. No. 109-13, 119 Stat. 302 (May 11, 2005).
Congress passed the Act to set minimum requirements for state issuance of drivers' licenses and identification cards required for "official purposes." The rulemaking and implementation continued to be an important policy area for the DHS Privacy Office. The rule seeks to combat false forms of identification by implementing uniform standards that enhance the integrity and reliability of drivers' licenses and identification (ID) cards, strengthen identity verification capabilities, and increase security at drivers' license and ID card production facilities.
Final Rule Edit
The DHS Privacy Office participated in the review of more than 20,000 public comments filed in response to the Department’s NPRM and initial PIA issued in March 2007. DHS issued the final rule on January 11, 2008. The REAL ID final rule sought to lower the cost of REAL ID and set a phased implementation schedule for the states. States were required to apply for an extension by March 31, 2008, and full compliance was extended to December 1, 2017.
These regulations set standards for states to meet the requirements of the REAL ID Act, including (1) information and security features that must be incorporated into each card; (2) proof of identity and lawful status of an applicant; (3) verification of the source documents provided by an applicant; and (4) security standards for the offices that issue licenses and identification cards.
The final rule also addressed a number of the concerns that were raised in the NPRM PIA. First, it assured the public that the rule would not lead to a national ID as the states would continue to issue the drivers’ licenses and each state could set its own numbering system. Second, in response to concerns about the security of the state databases, DHS assured the public that it will monitor state compliance with federal information security standards. Third, the final rule also required states to create and implement security plans for protecting PII.
In conjunction with the final rule, the DHS Privacy Office issued a PIA, which outlined the changes made to the proposed rule and discussed the remaining privacy issues. The PIA identified continuing concern regarding the states’ implementation of the data verification processes resulting from the new rule. Specifically, the PIA inquired how the states’ Departments of Motor Vehicles (DMVs) will conduct and govern the data verification of federal databases and how they will conduct and govern the state-to-state check to determine whether an applicant for a REAL ID card holds a driver’s license in another state. Additionally, the PIA expressed concerns about third parties’ access and use of PII stored on a REAL ID credential, since no encryption is required, and whether third parties will use REAL ID for purposes other than those expressly outlined in the Act.
In tandem with the PIA, the DHS Privacy Office also issued a set of Best Practices for the Protection of PII to provide guidance to the states' DMVs on privacy and security protections consistent with the Privacy Act, FISMA, and the information security standards developed by the National Institute of Standards and Technology (NIST). Both the final rule and the PIA, which includes the Best Practices guide, can be found on the DHS Privacy Office website. The DHS Privacy Office will continue to work with the REAL ID Program Office to ensure the implementation of the final rule is consistent with the FIPPs.