Some Members of Congress have expressed concern about the Department of Government Efficiency's (DOGE's) access to the Federal Emergency Management Agency's (FEMA's) program data, some of which includes the personally identifiable information (PII) of disaster survivors and other individuals receiving services. Department of Homeland Security (DHS) Secretary Kristi Noem is reported as saying the President authorized DOGE, which is not a DHS component, to access DHS's network; media outlets have reported on DOGE's access to FEMA data.
This Insight discusses the PII collected by FEMA, including what PII is collected and how it is used, how such PII is stored and accessed, and potential data privacy concerns. CRS Report R48423, Access to Agency Data and Information Technology: Frequently Asked Questions, provides additional information on Privacy Impact Assessments and when information can be shared without an individual's written consent.
Background
FEMA requires certain personal information to be collected from individuals in order to determine eligibility for federal assistance. This includes information collected from disaster survivors applying for FEMA assistance through the Individuals and Households Program (IHP), which provides financial and direct assistance to address disaster-caused housing and other needs. It also includes information collected from nonfederal entities on the clients they provided supportive services to through the Shelter and Services Program (SSP), which funds the provision of food, shelter, transportation, and supportive services to noncitizen migrants encountered by and released from DHS custody. PII considerations related to these two programs are addressed below.
What PII does FEMA collect?
IHP applicants must meet general eligibility requirements in order to receive IHP assistance. Requirements include that they must be a U.S. citizen, noncitizen national, or "qualified alien" (or the parent or guardian of such a minor), and FEMA must verify their identity. As part of the IHP application process, a disaster survivor submits an application form, which collects their full name, Social Security number (SSN), annual household income, contact information, bank account information, and insurance information, as well as the names of household members. IHP applicants must also sign a Declaration and Release Form, self-certifying their citizenship status.
SSP funding covers eligible activities and services provided to eligible noncitizen migrants. FY2024 SSP recipients—including nonfederal government and nonprofit organizations—must collect and submit information to FEMA, including Alien Registration Numbers (A-Numbers) or evidence of DHS processing (e.g., forms I-94, I-385, I-860, I-862), names, DHS release dates, and service dates.
What does FEMA use PII for?
In the case of the IHP, disaster survivors' personal information is used to verify eligibility for assistance, prevent a duplication of benefits, allow payment of disaster assistance (in the form of a Treasury check or electronic payment to an eligible IHP applicant), and for internal FEMA review for quality assurance.
In the case of the SSP, people's personal information is used to ensure recipient organizations properly used the SSP funds to support eligible clients when requesting reimbursements or advance funding for services provided.
What FEMA systems store and access PII?
FEMA's Individual Assistance System (formerly National Emergency Management Information System [NEMIS]-IA) collects disaster survivor information when they register for FEMA assistance. The DHS Privacy Impact Assessment for the IA Systems acknowledges that FEMA personnel could use program information "for purposes other than those for which it was originally collected," and notes how FEMA mitigates this privacy risk:
FEMA's Web Integrated Financial Management Information System (Web-IFMIS) is its "official accounting and financial system." It "maintains all FEMA financial data" and pulls information from other systems, including the Individual Assistance System, through the Emergency Support System (ES) interface, which transmits disaster survivors' applicant information, including their SSN, name, contact information, financial and debt information, and bank account and routing numbers to Web-IFMIS to process disaster assistance payments.
For the SSP, FEMA uses a different system—FEMA Grants Outcome (GO)—to manage requests for reimbursement and recipient information; it is possible that such information may be accessible through Web-IFMIS, which pulls information from other FEMA/DHS systems to make payments.
Can people withhold PII when requesting assistance?
IHP applicants may choose not to enter their PII, and IHP applicants can exit the registration process prior to submitting an application, in which case DHS states that "their personally identifiable information will be deleted." However, failure to submit required PII or an application may result in disaster assistance being delayed or denied.
FEMA requires SSP recipients to collect and submit client information to FEMA, including A-Numbers and names of individuals, in order to receive grant funding for eligible services.
When can third-parties access PII collected by FEMA?
FEMA's IHP application includes a "Privacy Notice" at the bottom, which describes
FEMA may share the PII of U.S. citizens and lawful permanent residents in accordance with the Privacy Act (5 U.S.C. §552a(b)), and of noncitizens as permitted and in accordance with the relevant DHS/FEMA Privacy Impact Assessments. Additionally, IHP applicants may authorize FEMA to share their information with a third party of their choice. For example, information could be shared with state agencies and nonprofits to make additional disaster recovery resources available, or Members of Congress and their staff to help with a case.
Has survivor PII been accessed for other reasons in the past?
FEMA unnecessarily released the PII of approximately 2.5 million disaster survivors who applied for assistance between 2008 and 2018 to a contractor executing FEMA's Transitional Sheltering Assistance Program—which violated the Privacy Act. To rectify this, FEMA changed its data-sharing process; conducted a security assessment of the contractor's computer system; notified the affected disaster survivors; and provided credit monitoring. While this was not a "hack," incidents like this increase risk of identity theft and fraud, and undermine public confidence in the government's privacy protections.
Document ID: IN12511