But Kelly's report, which explains the circumstances of the project and JetBlue's involvement, also acknowledges that government agencies, private-sector businesses, and contractors are all entering uncharted territory with regard to data sharing between the private sector and the federal government for security purposes.
While the TSA's actions "may have been well intentioned and without malice, the employees arguably misused the oversight capacity of the TSA to encourage this data sharing," Kelly says in her report, issued Friday.
To help put businesses and government agencies on firmer footing when dealing with private data, Homeland Security's Privacy Office will establish clear rules for voluntary and compulsory data sharing with private-sector businesses. Such rules are designed to ensure that senior officials in Homeland Security agencies keep a watchful eye over data sharing, that agencies review the privacy policies and applicable laws of their private-sector partners, and that they document compliance with the Privacy Act.
"The report includes the troubling finding that certain TSA employees acted without appropriate regard for individual privacy interests," Sen. Susan Collins, R-Maine, said Friday in a prepared statement. "In this case, the TSA employees involved compromised the privacy interests of individuals without adequate justification." Collins, who also chairs the Governmental Affairs Committee, had co-signed a letter with committee member Sen. Joseph Lieberman, D-Conn., pressing Kelly to issue her report.
The controversy was set in motion shortly after the Sept. 11, 2001, terrorist attacks when Huntsville, Ala., government contractor Torch Concepts approached the Defense Department with the idea for a data-mining tool that would be able to analyze the personal characteristics of people seeking access to military installations. The proposal found support in the Pentagon, which had seen the terrorist attacks firsthand.