usrap overseas processing manual control number: integrity
TRANSCRIPT
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 1 ]
Integrity & Compliance Effective: 05 February, 2021 Version: 2.0 Approver: Nicole Patel
Summary: This is the Integrity & Compliance module of the USRAP Overseas Processing
Manual.
For access to a link or to report a broken link, please contact the RPC Help
Desk.
All USRAP Overseas Processing Manual documents are for Resettlement
Support Center (RSC) use only and are not for further or public distribution.
Any information sharing is governed by specific limitations and requirements in
the cooperative agreements, the Memorandum of Understanding with the
International Organization for Migration (IOM), and this module. Any requests
to forward outside your organization, including to your subsidiaries, should be
made to your Program Officer. This guidance cannot be shared outside your
organization without prior written approval by the Department of State’s
Bureau of Refugees, Population, and Migration (PRM).
Audience: RSCs (including RSC Headquarters as appropriate for monitoring purposes)
Table of Contents: 1.0 Guidelines for the Treatment of Refugee Records .............................................................. 2 1.1 Terms Defined ...................................................................................................................... 3
1.1.1 Case Status Information Defined .................................................................................. 4 1.2 Records Covered .................................................................................................................. 5 1.3 Personally Identifiable Information (PII) ................................................................................ 5
1.3.1 Unique Identifier Chart .................................................................................................. 7 1.3.2 PII & SPII Determination Chart ..................................................................................... 7 1.3.3 Protecting PII/SPII ........................................................................................................ 9
2.0 General Principles Governing Access to Records ............................................................ 10 2.1 Authorized Unrestricted Access.......................................................................................... 11
2.1.1 Authorized Access to Applicant Records .................................................................... 11 2.1.2 Requests for Authorization ......................................................................................... 12
2.2 Authorized Limited Disclosures .......................................................................................... 12 2.2.1 Disclosure of Limited Information ............................................................................... 12 2.2.2 Disclosure of Limited Information to Non-RSC Interlocutors ...................................... 14
3.0 Data Sharing and Communication in the USRAP .............................................................. 24 3.1 Receiving, Sending, and Disclosing Applicant Data ........................................................... 24
3.1.1 Tableau Reports and START Filters (For RSCs Using START) ................................ 24 3.1.2 RSharenet .................................................................................................................. 25 3.1.3 Email/Written Communication .................................................................................... 25 3.1.4 Telephone/In-Person .................................................................................................. 27 3.1.5 Communication with Applicants .................................................................................. 28
3.2 Protecting Data ................................................................................................................... 30 3.2.1 Protecting Media ......................................................................................................... 30
3.3 Data Breaches .................................................................................................................... 30 3.4 Handling of Records ........................................................................................................... 31
3.4.1 Maintenance of Records ............................................................................................. 31
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 2 ]
3.4.2 Retention and Disposition of Records ........................................................................ 32
4.0 Integrity and Compliance ..................................................................................................... 32 4.1 Roles and Responsibilities ................................................................................................. 32
4.1.1 RSC ............................................................................................................................ 32 4.1.2 Procedures for Responding to Allegations of Fraud or Malfeasance ......................... 34
4.2 Guidelines for Staff, Interpreters, and Workspaces ............................................................ 34 4.2.1 Staff Screening (international/national full- and part-time RSC employees) .............. 34 4.2.2 Translator, Interpreter, and Other Contractor Screening (contract, not RSC
employees) .......................................................................................................................... 35 4.2.3 Workspace Compliance .............................................................................................. 36 4.2.4 Visual Identification ..................................................................................................... 38 4.2.5 Electronic Systems and Processing Requirements .................................................... 38 4.2.6 Staff Orientation and Training ..................................................................................... 42 4.2.7 RSC Management Oversight ...................................................................................... 42
1.0 Guidelines for the Treatment of Refugee Records
Government records, including data and information on refugees, may not be used, disclosed, or
disseminated, except in connection with the administration of the U.S. Refugee Admissions Program
(USRAP) and only with the prior written consent of the Department of State. All sharing of individual
information is subject to the Privacy Act, 5 U.S.C. §552a, privacy policies of the Department of State and,
for Special Immigrant Visas (SIV), Section 222(f) of the Immigration and Nationality Act (INA), 8
U.S.C.§ 1202(f). In accordance with these laws and relevant implementing regulations, refugee records,
information, and data originating from WRAPS may not be shared, disclosed, or disseminated without
prior written consent of the Department of State, no matter whether those records, information, or data
have been transferred into another database and/or de-identified. Refugee data originating from the PRM
refugee case processing system may not be used for research purposes without the prior written consent of
the Department of State. The policies and regulations of other government agencies, including the
Department of Health and Human Services (HHS) and Department of Homeland Security (DHS), do not
replace or supersede the laws, regulations, and policies of the Department of State regarding restrictions
on the sharing of refugee records, information, and data. The Bureau of Population, Refugees, and
Migration (PRM) of the U.S. Department of State owns all data maintained in WRAPS except for
information and records in WRAPS originating from and owned by another U.S. government agency,
such as DHS.
PRM has compiled the guidelines below for all Resettlement Support Centers (RSCs) that process
applicants for refugee resettlement and SIV status in the United States with funding from PRM. Pursuant
to the cooperative agreements or Memorandum of Understanding (MOU) under which the RSCs
participate in the USRAP, all RSC employees must adhere to these guidelines.
The guidelines are intended to ensure that records on applicants, and affiliated persons, including U.S.
Ties, maintained by RSCs on behalf of PRM are treated in accordance with the requirements of U.S. law.
These laws include the Freedom of Information Act (FOIA), 5 U.S.C. §552; the Privacy Act, 5 U.S.C.
§552a; 5 FAM §469; and the Federal Records Management Statutes, 44 U.S.C. Chapters 21, 29, 31, and
33.
In addition, SIVs are covered by Section 222(f) of the INA, as amended; this is in addition to the
guidelines included below.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 3 ]
RSC files and file rooms are covered by these guidelines as long as they contain USRAP files, even if
they also contain resettlement files for other, non-U.S. destinations. These guidelines apply as soon as an
RSC receives an application, whether or not the application is deemed complete and regardless of whether
the applicant is eventually approved for admission to the United States as a refugee. The guidelines also
apply to files opened on individuals who were eventually referred for resettlement in countries other than
the United States. Should an RSC have a separate facility/file room/location for non-U.S. resettlement
that does not include any USRAP files, that location is not covered by this guidance.
The guidelines in this document supplement the following published information:
The Foreign Affairs Handbook (FAH), including 5 FAH-4, Records Management Handbook, 100
and 300, related to the management and disposition of State Department records.
The Privacy Act Systems of Record Notice State-59, Refugee Case Records, published in the
Federal Register on February 6, 2012.
The U.S. Department of State Privacy Policy
The Refugee Processing Center Privacy Impact Assessment
The U.S. Department of State Records Schedule:
o Chapter 12: Refugee and Migration, including B-12-001-05, approved by the National
Archivist on August 28, 2008, under Records Disposition Authority N1-84-08-2; and
o Chapter 25: Population, Refugees, and Migration, including A-25- 003-03, approved May 30,
2008 under GRS20, Item 2 and N1-059-08-3. (Note: This chapter applies to PRM staff, not
RSCs.)
For SIVs, the Foreign Affairs Manual (FAM), including 9 FAM 203.5-3, Confidentiality in
Refugee, Asylee, V92, and V93 Casework.
RSC Inquiry Response Template
Third Party Authorization Form
USRAP Objectives and Indicators
RSC Style Guidelines
Questions or concerns related to refugee records should be addressed to the Program Officer in PRM’s
Office of Admissions (PRM/A).
1.1 Terms Defined
1. For the purposes of this document and the USRAP, “fraud” is defined as intentional deceit or
misrepresentation by a USRAP partner staff member, applicant, or other persons that is used to
benefit oneself or someone else through the USRAP.
2. “Malfeasance” is any intentional conduct that is wrongful or unlawful, conducted by a USRAP
partner staff member.
3. The term “applicant” includes individuals seeking admission under the USRAP, individuals
referred to the USRAP by others for consideration, and individuals seeking special immigrant
status who are eligible for travel and refugee benefits.
4. The terms “USRAP data,” “USRAP case management,” and “USRAP processing” include
data, the database, physical files, case documents, and processing of applicants, as defined
above, including SIV, Resettlement Agency (RA), and travel processing.
5. “Volunteer workers” includes all volunteer refugee assistants (e.g., incentive worker).
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 4 ]
6. The terms “applicant records” and “refugee records” refer to stored information (both
electronic and hard copy), including applications, supporting documentation, and
correspondence related to individual applicants.
7. “Research partner” refers to any third party—including an individual, academic institution, or
organization—that requests refugee records, data, or information for research purposes or that
RSCs or the International Organization for Migration (IOM) engages with for the purpose of
conducting research.
8. The “ordinary course of business” refers to RSC and IOM activities that are routine to fulfill
the terms of a cooperative agreement or MOU with PRM. Privacy Act Notice Systems of
Record Notice State-59, Refugee Case Records (“State-59”), covers records held overseas and
electronic records in WRAPS.
9. In these guidelines, a “need to know” is defined as when access to the information is necessary
for that party to conduct assigned duties related to the administration or implementation of the
USRAP.
10. “Access” includes visual inspection of the records, oral or written disclosures of information
from a record, or provision of copies of documents in a record. “Access” also includes bulk
dissemination of multiple records through reports generated from WRAPS data. (Reports on
refugee arrivals or other overview reports that do not include any personally identifiable
information (PII), are not restricted by these guidelines. Contact PRM/A for a separate
determination if there are access restrictions to specific reports.)
11. “Sharing” includes allowing visual inspection, providing oral or written disclosures, or
transmitting copies of refugee records or data.
12. “Remote access” and “remotely” include device(s) that are not physically part of the RSC
network, but connect to the aforementioned network (e.g., an RSC-issued device that uses a
private network (e.g. home network) to connect to the RSC network and/or WRAPS through a
Virtual Private Network (VPN)).
1.1.1 Case Status Information Defined
For the purposes of these guidelines, “case status information” may include:
Confirmation that an applicant has/has not been pre-screened.
Confirmation that an application is/is not currently being processed because the principal
applicant does/does not fall within categories of people currently being processed by the
United States.
Verification that specified documents/information/counseling must be received/conducted
to complete the applicant’s file or to attempt to resolve inconsistencies in the file.
Confirmation that the application has been approved or denied.
Reason for case closure if PRM conducted the case closure, except when case closure is
related to security checks.
The outcome of the USCIS decision only if the denial letter has been transmitted.
Other statuses as detailed on the RSC Inquiry Response Template and/or statuses approved
by the Refugee Coordinator (RefCoord) or Program Officer.
Under these guidelines “case status information” may not include:
Details of an individual’s personal history or characteristics, including details of the
persecution claim.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 5 ]
Details concerning the substantive basis for actions taken on the application. This
restriction means, for instance, that someone who is authorized to receive only case status
information may not be told that a woman was raped during her escape from her country of
origin.
Results of any security checks on a case.
Any information regarding reasons for USCIS decisions (e.g., reasons for approval, denial),
beyond the information already provided in the decision letter. Note: If a decision letter has
not yet been provided to the applicant, the information in the decision letter should not be
provided to third parties.
Any information about security check processes under any circumstances.
Authorization to receive limited disclosures of information in applicant records does not
provide the recipient the authority to disclose information to persons who are not otherwise
entitled to receive it under these guidelines.
1.2 Records Covered
These guidelines apply to any information obtained by the RSCs from employees, contract workers,
volunteer workers, applicants, international organizations, or any other source that relates to
individuals identified for possible admission to the United States under the USRAP or SIV program.
The guidelines apply regardless of the form in which information is stored (e.g., paper or electronic
media).
As part of annual training, any RSC staff with access to physical and/or electronic records that
contain refugee data must acknowledge, in writing, having read the entire Integrity and Compliance
module. All RSC staff who use an RSC computer connected to the internet must annually
acknowledge, in writing, they have read the WRAPS Rules of Behavior, even if they do not have
access to the WRAPS database. This is due to the fact that the WRAPS Rules of Behavior contain
useful information about protecting the network/computer while using the internet. RSC Management
should keep a record of these acknowledgements to ensure staff compliance – an electronic
signature/record of acknowledgement is acceptable.
1.3 Personally Identifiable Information (PII)
PII is characterized as “any information about an individual maintained by an agency, including 1)
any information that can be used to distinguish or trace an individual's identity, such as name, social
security number, date and place of birth, mother's maiden name, or biometric records; and 2) any
other information that is linked or linkable to an individual, such as medical, educational, financial,
and employment information.
PII by itself, or when combined with specific identifying factors for an individual, may cause harm to
the individual. RSCs must protect all PII in their possession, whether it pertains to refugees, SIVs,
applicant relatives and relations, including U.S. persons and U.S. Ties, etc.
Some PII information when used alone may not appear to be identifiable to a person. However, such
pieces of information are considered PII because the information belongs to a real person, and if
combined with other PII information, could provide a substantial personal description of an
individual. Examples of PII, whether used alone or with other PII, include but are not limited to:
Full name, maiden name, mother's maiden name, or alias
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 6 ]
Personal identification number, such as social security number (SSN), passport number,
driver's license number, national ID number, or alien number
Contact information, including physical address, email address, or telephone numbers
Personal characteristics/biographic information, including photographic image (especially of
face or other identifying characteristic), fingerprints, handwriting, or other biometric data
(e.g., retina scan, facial geometry)
Information about an individual that is linked or linkable to one of the above (e.g., date of
birth, place of birth, race, religion, nationality, ethnicity, family relationships, geographical
indicators, employment information, medical information, etc.)
Sensitive PII (SPII) is PII, which if lost, compromised, or disclosed without authorization, could
result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. All SPII is
considered PII, however, not all PII is considered SPII. While both PII and SPII breaches should be
avoided using due caution (e.g. exercising good judgement and consulting your supervisor if you are
not sure whether to share something or how to store it), SPII requires additional security measures to
be taken. Specifically, all SPII must be encrypted when transmitted (see Section 1.3.1).
SPII consists of one or more pieces of information that are considered particularly sensitive on their
own as well as multiple pieces of PII that when combined become SPII. The following information is
considered SPII even when used alone because it is very clearly unique to the individual:
Social security number
National ID number
Driver’s license number
Passport number
Alien number
Biometric identification information
Note: Given the type and amount of personal information the following documents contain,
treat them as SPII and therefore ensure they are encrypted if emailed:
o Immigration or refugee processing documents – e.g. I-590
o Persecution claim history documents – e.g. Case History Template, USCIS Worksheet,
Request for Review (RFR), and UNHCR Resettlement Registration Form (RRF)
o Health information documentation – e.g. medical assessment forms, medical exam forms,
significant medical condition forms, and activities of daily living form
Groupings of information are considered SPII when they contain an individual's name (or other
unique identifier) plus one or more examples of non-sensitive PII. The following examples of non-
sensitive PII become SPII if a unique identifier is included with them:
Truncated SSN (such as last 4 digits)
Date of birth (month, day, and year)
Citizenship or immigration status
Ethnic or religious affiliation
Gender
Criminal history
Medical information
Examples of PII and SPII along with encryption instructions are provided in the charts below. This
list may not include all possible examples of PII or SPII regarding applicants and applicant relations.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 7 ]
When in doubt, play it safe by encrypting the transmission, or ask your supervisor or the RPC Help
Desk for clarification.
1.3.1 Unique Identifier Chart
Types of Unique Identifiers
(these are “unique” because
they belong to only one person
in the world)
Constitutes SPII when used
alone
Constitutes non-sensitive PII
when used alone
Name (full or partial) X
Social Security Number (full #) X
National ID number X
Driver’s license
number/document X
Passport number X
Alien registration
number/document X
Biometric identification
information (including photo) X
1.3.2 PII & SPII Determination Chart
Types of PII
Non-Sensitive PII:
Does not require
encryption when
used alone or with
other non-sensitive
PII
Sensitive PII:
Requires encryption
when used alone (i.e.
is sensitive alone)
Sensitive PII:
Requires encryption
when paired with
name or other
unique identifier (i.e.
is sensitive when
paired with unique
identifier)
Social Security
Number (SSN) X
National ID
number/document X
Driver’s license
number/document X
Passport
number/document X
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 8 ]
Alien registration
number/document X
Biometric
identification
information
X
Applicant photographs X
Immigration or refugee
processing documents X
Persecution claim
history documentation X
Health information
documentation X
Truncated SSN X X
Date of birth or place
of birth X X
Citizenship,
nationality, or
immigration status
X X
Ethnic or religious
affiliation X X
Gender X X
Family relationships X X
Criminal History X X
Results of security
checks or interviews X X
Results of DNA testing X X
Employment or
education history X X
Contact information
(physical or virtual
address)
X X
Significant medical
condition X X
Basic medical
information X X
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 9 ]
Practices for handling PII depend on accessibility to the information, including level of access:
1. electronically (e.g., on WRAPS or through email communication) or
2. in hard-copy (e.g., printed notes, completed forms such as but not limited to I-590, AOR,
UNHCR Referral, and Medical Exam Forms).
Please refer to relevant sections of this document for further details on required practices for
handling PII according to level of access to records and methods of transmitting records.
1.3.3 Protecting PII/SPII
Documentation Classification and Storage Requirements
All documentation containing PII – both non-sensitive and sensitive PII – should be placed in the
RSC’s highest document “classification” category. Such documents should be stored in secure
physical and encrypted electronic locations that are only accessible to those with a need-to-know
for business operations.
Encryption Requirements for WRAPS and Applicant Data
All USRAP partners, including RSCs, RAs, UNHCR, IOM, panel physicians, etc. are required to
encrypt Sensitive PII (SPII) transmitted over email. This includes encrypting emails with SPII
between RSC staff within the same RSC, between RSCs and PRM or USCIS, between the RSC
and applicants when practical, etc. SPII in emails can be encrypted by 1) using an email software
with an encryption feature that has been approved by RPC Security for encryption, or 2) moving
SPII information into an attachment using a separate software that complies with FIPS 140-2
cryptographic specifications. It is a best practice for RSCs to minimize the amount of PII and
SPII sent via email, especially for internal communications, and instead leverage
WRAPS/START, discuss cases by only referencing their case numbers, or place SPII in a shared
drive or RSharenet and refer colleagues to that location to access the information. If SPII must be
included in an email communication to any party, it should be encrypted.
Option 1: Email software with an approved encryption feature (Note: if using an email software
with an encryption feature, the ‘encrypt’ option needs to be selected before sending - emails are
not automatically encrypted):
Microsoft Office 365 - Office 365 Message Encryption (OME)
Microsoft Office 365 and Outlook - S/MIME encryption
Option 2: Attachment encrypted with FIPS 140-2 compliant encryption software:
WinZip 18.5
WinZip Courier version 7.0
WinZip Enterprise
Microsoft Office - “Encrypt with Password” feature
Adobe Acrobat - “Encrypt with Password” feature
Adobe Acrobat and Adobe Reader - FIPS Mode
RSCs should note that simple case status updates in accordance with the standard RSC Inquiry
Response Template and case numbers do not constitute PII and thus do not require encryption.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 10 ]
RSCs should limit to the extent possible the transmission of PII in their communications with
refugee applicants, petitioners, congressional inquiries, and other authorized parties. Only the
minimum necessary identifying information should be included in their communications and case
status updates with authorized parties.
All USRAP partners are required to comply with encryption requirements. RSC staff should
report to the RSC Director or Deputy, or through other identified internal processes, any USRAP
partners who refuse to comply with encryption requirements. In all responses to the original email
that contains unencrypted SPII (from partners or from an applicant), either redact all SPII from
the response chain or follow encryption guidelines if necessary to encrypt the email or
attachment.
As discussed in Section 1.3, the names of applicants and applicant relations (including partial and
full names) are PII but are not considered SPII on their own. However, if the name is combined
with other PII specific to the applicant or applicant relation, this is considered SPII and must be
encrypted if transmitted. For example, if a list comprised just of applicant names is to be emailed,
it is simply PII and encryption is not required. However, if a list of applicant names also includes
date of birth information, the list becomes SPII and must be encrypted before sending. Note:
WRAPS case numbers are not PII. RSCs are encouraged to use case numbers to reference cases
so that PII does not need to be shared.
If an email contains many examples of non-sensitive PII, it is a best practice to err on the side of
caution and encrypt the email even though it does not strictly contain sensitive PII. A multitude of
even non-sensitive PII information can provide a recipient who has malicious intent with enough
information about an applicant to cause damage.
2.0 General Principles Governing Access to Records
The governing principle of these guidelines is that information about applicants and approved refugees
and SIV holders can generally be disclosed only as specifically necessary to process the individual’s
application for admission to the United States. RSC employees, contractors, and volunteer workers may
have access to records only to the extent necessary for them to perform their duties, otherwise referred to
as “need to know.” They may disclose information to third parties only when the third party is authorized
to receive the information under these guidelines and has a “need to know,” or where PRM provides prior
written authorization.
No access may be given to applicant records or information derived from these records except in
accordance with these guidelines. “Access” includes visual inspection of the records, oral or written
disclosures of information from a record, or provision of copies of documents in a record. “Access” also
includes bulk dissemination of multiple records through WRAPS-generated reports. (Dissemination of
WRAPS-generated and other reports on refugee arrivals or other overview reports that do not include any
PII does not constitute “access” to records and is not restricted by these guidelines. Contact PRM/A for a
separate determination if there are access restrictions to those reports.) See Section 1.3 for information on
PII.
The guidelines are intended to give RSCs operational guidance to supplement the FAM, FAH, State-59,
and the U.S. Department of State Records Schedule (links in Section 1.0). If an RSC perceives an
inconsistency between these guidelines and other published information, the RSC should bring the
difference to the attention of the RefCoord and Program Officer responsible for the RSC’s geographic
region.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 11 ]
2.1 Authorized Unrestricted Access
For the purposes of these guidelines, “unrestricted access” means authority to examine and copy any
information in the file for the purpose of carrying out duties for the USRAP or for other authorized
U.S. government business. “Unrestricted access” does not include authority to disclose information to
persons who are not otherwise authorized to receive it under these guidelines.
2.1.1 Authorized Access to Applicant Records
The following people are authorized, as described below, to access applicant records in various
forms:
2.1.1.1 Resettlement Support Center (RSC) Employees
The RSC Director, Deputy, and RSC processing managers are authorized to have unrestricted
access to applicant records in all forms.
For all other RSC processing staff, access must be limited to those records that the staff
member requires to execute his/her job responsibilities. See Section 2.2.1.1.
Any other RSC employee seeking unrestricted access must receive written individual
approval from the local or regional RefCoord after the RSC Director has certified the
employee’s need to have unrestricted access.
2.1.1.2 Department of State Employees
All U.S. Embassy personnel with responsibilities that fall under the USRAP; all PRM and
U.S. Embassy personnel with responsibility for refugee admissions or SIV work; other
Department of State personnel and contractors who have a demonstrated need for unrestricted
access, as determined by PRM.
2.1.1.3 Local U.S. Embassies
RSC management and employees are not permitted to communicate with U.S. Embassies
regarding SIV and refugee case applicants and information, except through the RefCoord or
identified Consular Officer in the Consular Section of the U.S. Embassy in that
country/region.
2.1.1.4 Department of Homeland Security (DHS) Employees
All DHS personnel with responsibility for the USRAP; and other DHS personnel who have a
demonstrated need for unrestricted access, as determined by the Department of State/PRM.
2.1.1.4.1 USCIS
RSC management and employees are permitted to communicate with USCIS (including
all sections of USCIS) regarding refugee case applicants and information, where such
communication is part of routine USRAP processing and on a need to know basis.
Requests for information from USCIS which fall outside normal USRAP processing
steps should be reported to the RefCoord, even if they do not specifically violate USRAP
data sharing and communication guidelines set forth in Section 3.0.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 12 ]
See the Case Management module section on Case Information Exchange with USCIS
for more information on sharing data with USCIS. The RSC should use discretion to
determine if a request falls outside normal USRAP processing and should consult with
the RefCoord if a request falls outside normal USRAP processing.
2.1.1.5 Other U.S. Government Agencies
Representatives of other U.S. government agencies with a responsibility for the USRAP who
have a demonstrated need for unrestricted access, as determined by the Department of
State/PRM.
2.1.1.6 Security Vetting Partners (Non-USCIS)
RSC management and employees are permitted to communicate with security vetting partners
regarding refugee case applicants and information. RSC-specific communication with
security vetting partners should be in line with programmatic requirements (e.g. see Section
2.1.2.3 in the Case Management module on Central America Vetting). All requests for
information from security vetting partners should be shared with the RefCoord, even if they
do not specifically violate USRAP guidelines. Communications with USCIS security entities
should follow the guidance in Section 2.1.1.4.1.
2.1.2 Requests for Authorization
The RSC should refer any unauthorized request for access to an applicant’s records to the
RefCoord. The RefCoord is responsible for requesting PRM’s determination that individuals not
already afforded unrestricted access above have a need to know in order to perform their job
function.
2.2 Authorized Limited Disclosures
2.2.1 Disclosure of Limited Information
In general, RSCs can release only the information necessary for its partner or requestor to
perform its processing function and/or in response to its inquiry, as permitted in the guidelines
below.
2.2.1.1 RSC Employees, Contractors, and Incentive Workers Not
Authorized Unrestricted Access
RSC employees authorized for limited access to records should be given access/permissions
commensurate to those needed to perform their job function. The RefCoord must approve the
employee’s access type based on the employee’s job function in consultation with the RSC
Director and/or Deputy. This approval is subject to such terms and conditions as the
RefCoord may specify in order to ensure that the employee has access only to information
needed to perform the specific job. Note: For RSCs using START, the RefCoord, PO, and
RPC Policy, Performance, and Training Team will review and approve RSC staff’s
permissions in START.
Interpreters, translators, and other assistants, including contract workers or volunteer refugee
assistant, hired or contracted by an RSC, may be given access to information in applicant or
SIV records to the extent necessary to permit them to perform their duties, as determined by
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 13 ]
the RSC Director or Deputy. This also applies to interpreters, translators, and other assistants
supplied by other governments in accordance with arrangements made between the United
States and the other government. They may not be given electronic access to WRAPS unless
specifically authorized by the PRM/A Overseas Section Chief and RPC Director.
2.2.1.2 Other U.S. Government Employees and Contractors
An employee or contractor of the U.S. government not authorized unrestricted access may be
given information needed to perform a specific job function if PRM determines they have a
demonstrated need to know, subject to such terms and conditions as PRM may specify to
ensure that the employee has access only to such information as they need to know to
perform the job. If the RSC is unsure of the U.S. government employee’s need to know or job
function and/or why the information is needed, the RSC should contact the RefCoord and/or
Program Officer for further clarification and/or permission to release the information.
2.2.1.3 International Organization for Migration (IOM)
RSCs may release information from the record of an applicant or SIV to an authorized IOM
representative to the extent necessary to allow IOM to carry out medical examinations, make
travel arrangements for the applicant or SIV, or complete other processing tasks requested by
the U.S. government under the MOU between PRM and IOM. If panel physicians are used in
lieu of IOM medical staff, the same principles apply. Information may be released only to the
extent necessary to carry out the medical examination and facilitate any other related
processing requirements.
RSCs are permitted to communicate with IOM Migration Health Division (MHD), IOM
Operations (Ops), and Panel Physicians regarding refugee applicants or SIV holder and
information in the course of routine USRAP processing and on a need to know basis.
Requests for information from IOM MHD, Ops, or Panel Physicians, or other entities, which
fall outside normal USRAP processing steps should be reported to the RefCoord, even if they
do not specifically violate USRAP data sharing and communication requirements as set forth
in Section 3.0.
2.2.1.4 Resettlement Agencies (RAs) Participating in the PRM-
Funded Reception and Placement (R&P) Program in the
United States
The guidelines in this section apply to information that RSCs may share with RAs in the
United States and their affiliate offices.
2.2.1.4.1 Information on all USRAP Cases
RSC management and employees are permitted to communicate with RA representatives
and affiliates regarding refugee or SIV holder applicants and information in the course of
routine USRAP processing and on a need to know basis. Requests for information from
RA headquarters/affiliates which fall outside normal USRAP processing steps, or if the
RA or affiliate’s need for the information is unclear, should be reported to the RefCoord,
even if they do not specifically violate USRAP guidelines.
The RSC is permitted to correspond with, provide updates to, and request further
information from a U.S. point of contact/petitioner, either directly or through a
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 14 ]
resettlement affiliate or agency, who is filing a petition on behalf of their foreign relative
in certain P2 categories and all P3 categories. No third party authorization is needed to
interact with, provide updates to, or request further information from the U.S. point of
contact and/or resettlement affiliate or agency assisting the petitioner filing for:
P2 Lautenberg Specter applicants in Iran
P2 Lautenberg applicants
P2 I-130 Iraqi and Syrian applicants
P2 Iraq applicants
P3 applicants: DNA testing, AOR discrepancy letters, AOR rejection letters, and
RAVU decision letters
Once the above P2 and P3 cases have been interviewed by USCIS, the RSC should
advise the U.S. points of contact and resettlement agencies that the RSC may not provide
any further information on the case, including case status, without a written third party
authorization from the refugee applicant.
Resettlement agencies and affiliates may receive further information and case status
updates on all cases when the case is allocated to or assured by the RA without a specific
third party authorization.
2.2.1.4.2 Information Sharing during Allocation/Assurance
During the allocation process, after USCIS has approved an applicant’s admission to the
United States either conditionally or finally or if otherwise instructed by PRM/A, the
RSC or the Refugee Processing Center (RPC) may release to the RA to which the case
has been allocated, for refugees or SIV holders, the following: the applicant’s name, age,
family relationships, place of birth, alien number, citizenships, aliases, ethnicity, religion,
nationality, country of asylum, UNHCR submission category, general health condition,
languages, English language ability, U.S. tie information, cross reference information
(hard and soft), dates of commencement and completion of CO training, projected date of
departure for the United States, and other biographic and personal data concerning the
applicant’s special resettlement and placement needs to ensure the refugee applicants or
SIV holders can be received appropriately on arrival in the United States. This can also
include case status information. Such information may also include information on
medical conditions so the RA may plan for special medical interventions upon arrival.
The RSC and RPC should not share any further information with the RA, other than the
information listed above, without consultation and concurrence with PRM.
Following assurance, RSCs may respond to inquiries from the RA in the United States
which has assured the case to respond to case status inquiries and facilitate processing of
the case.
2.2.2 Disclosure of Limited Information to Non-RSC Interlocutors
RSCs have the responsibility to abide by PRM data sharing, communications, and privacy
guidelines and policies in all communications, both internal and external, as set forth in Section
3.0. In the event the RSC receives communications from an outside source which does not abide
by, or violates those guidelines and policies, they should ensure any/all responses still maintain
all applicable communications and privacy guidelines and policies. If the RSC finds one or more
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 15 ]
of its employees has intentionally and/or maliciously violated these guidelines and policies, take
the appropriate disciplinary action and report the issue to the RefCoord immediately.
Specific attention should be paid to the restrictions regarding refugee applicant communications
in this document. Requests for information from refugee applicants which fall outside normal
USRAP processing steps should be reported to the RefCoord, even if they do not specifically
violate USRAP guidelines.
Beyond RSC employees, contractors, and USRAP partners listed in Sections 2.1 and 2.2.1, the
following groups and individuals may be given the right to receive certain USRAP data to
perform a processing function and/or in response to an inquiry. Further information and details on
permissions for these groups can be found below.
1. Applicants, their family members, or other affiliated third parties
2. Attorneys or Accredited Representatives
3. United Nations High Commissioner for Refugees (UNHCR)
4. Heads of RSC Parent Organizations and their Designees
5. Foreign Government Authorities
6. The International Committee of the Red Cross or the American Red Cross (ICRC)
7. Mental Health and Other Counseling Organizations
8. Members of Congress
9. U.S. Government Law Enforcement Entities
10. Non-USRAP Non-Governmental Organizations (NGOs)
11. Media
12. Research
2.2.2.1 Applicants, Family Members, or other Third Parties
RSC employees cannot reveal information regarding the processing status of the refugee
application except as provided herein. A refugee applicant, Follow-to-Join Refugee (FTJ-R),
or SIV applicant may make an inquiry to the RSC concerning the status of their case. FTJ-R
applicants may inquire to an RSC regarding their case under the same guidelines as other
USRAP applicants. The RSC may respond to an FTJ-R inquiry if the RSC is processing the
FTJ-R case. If the FTJ-R case is processed by a U.S. Embassy or Consulate, the RSC should
refer the inquiry to the Consular Section of the relevant U.S. mission. The RSC should not
confirm nor deny the status of the case.
2.2.2.1.1 Applicants with a Shared Email Address
For applicants who share an email address with other, separate individuals not included
on the applicant’s case and/or included in a separate refugee application, the RSC should
make a good faith attempt to establish the identity of the respondent before providing a
case status update. The RSC should strongly encourage all refugee applicants to establish
separate email addresses not accessible to third parties or extended family. Applicants
who share an email address are required to acknowledge the sharing of personal
information. The language of the waiver should resemble the following and the RSC can
determine its own method for receiving and documenting this acknowledgement:
“I take full responsibility for protecting the privacy of my email communications. I
request that the RSC continue to send my confidential case information to
[email protected], although other people may have access to this email account.”
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 16 ]
2.2.2.1.2 Third Party Communication and Authorization
An applicant may elect to sign an authorization for another individual (non-case member)
to receive a case status update on their case. RSC should print the Third Party
Authorization Form on standard RSC letterhead. In the absence of a Third Party
Authorization Form, responses to inquiries or information sharing from an applicant’s
friends, acquaintances, relatives, or others must be limited to general descriptive material
about the USRAP or a description of program procedures that might be of assistance to
the inquirer, and should not confirm or deny that an applicant is in the USRAP pipeline.
FTJ-R petitioners should be treated the same as any other third party family member and
must have written authorization from the applicant before receiving case status
information.
If the third party has a signed Third Party Authorization Form from the refugee applicant
allowing information to be shared with certain family member(s), or with friends in the
case of the P2 Lautenberg Specter program, uploaded into WRAPS, the RSC may
provide those individuals with general case status information. If the form is received in
person, then the RSC staff member should sign the RSC Staff Signature section. Case
status information can be reported as listed in the RSC Inquiry Response Template,
and/or statuses approved by the RefCoord or Program Officer.
Inquiries for other information, apart from what is authorized under Section 1.1.1,
regarding specific refugee cases may not be provided to third parties, even if the
individual has a signed Third Party Authorization Form. For example, the RSC is not
permitted to provide copies of documents to an authorized third party. An authorized
third party is not permitted to accompany a refugee applicant to RSC intake or prescreen
appointments or engage in other types of involvement in refugee processing, except as
described below on Applicants with Impediments.
If the Third Party Authorization Form is received electronically, upload the email
coversheet in addition to the Form in WRAPS. The RSC is not required to print the Third
Party Authorization Form, if received electronically. Additionally, the RSC Staff
Signature section may remain blank if the form is received electronically.
If the person with the third party authorization is not related to the applicant (e.g., non-
family, non-U.S. Tie), the RSC should ask the applicant for an explanation of who the
person on the authorization is, and why that person should be able to receive the
authorization. The RSC should counsel the applicant on the significance/meaning of
Third Party Authorization. Following that discussion, the RSC supervisor should sign the
third party authorization, in addition to the applicant. The RSC supervisor signature is a
measure to ensure applicants fully understand that they are providing their case
information to a third party, as well as a fraud check for RSC employees. If the form is
received electronically, the RSC supervisor must review the form, but is not required to
sign the form. Upload the form in WRAPS, as well as the email from the RSC supervisor
confirming they reviewed the request.
2.2.2.1.3 Documents from Third Parties
The RSC is permitted to receive documents from authorized third parties, including
attorneys, who are writing on behalf of the refugee applicant. The RSC is also permitted
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 17 ]
to confirm receipt of the documents and/or engage in simple communication regarding
document submission and retrieval.
If the RSC receives documents that have relevance to a case (e.g., poison pen letters,
unexpected custody documents, etc.) from an unauthorized third party, the RSC should
upload the documents to WRAPS and notify PRM and the USCIS Desk Officer. If the
unauthorized third party is simply providing information regarding a case, RSC or PRM
personnel may forward the information about the case provided by the inquirer to the
appropriate processing entity if doing so may help facilitate the processing of the case.
2.2.2.1.4 Applicants with Impediments
An authorized third party is permitted to accompany a refugee with an impediment, such
as age, illness, or disability that prevents an applicant from communicating (speaking,
understanding, asking) independently, to RSC intake, prescreening, USCIS interview,
and other processing activities. During the first appointment, the third party should
complete a Third party Authorization Form and RSC staff should note the disability that
prevents the applicant from communicating independently. Third party authorization
forms are not required for refugee applicant on the same case as the applicant with the
disability. Forms are required for any third party not on the same case.
If an applicant has a serious impediment, minimal case status information may be
provided to a third party if the applicant has signed an authorization indicating which
individual(s) have permission to receive the information. If the applicant is not capable of
signing due to disability or illiteracy, an adult who is included on the applicant’s
application for admission or on a cross-referenced case may sign the authorization on
behalf of the applicant.
In the case of child applicants under the age of 14, or unable to sign due to illiteracy, an
adult guardian or relative may sign on behalf of the child. The adult must annotate on the
Third Party Authorization Form their relationship, and why the applicant is not able to
sign for themselves. RSC staff (or Consular officers for FTJ-R and SIV cases processed
at a U.S. Embassy or Consulate) should exercise common sense and caution in
responding to such inquiries and should only provide the minimum information necessary
to respond to the inquiry, and only with the signed authorization of the applicant.
2.2.2.1.5 Other Case Members
The RSC is permitted to share the reasons for administrative case closure with an
applicant or any case member if the case closure was made by PRM (e.g., petitioner
could not demonstrate qualifying employment, petitioner is deceased). Similarly, adult
children who marry and thus lose access to the qualifying family relationship can also be
counseled as to the reasons for the case closure. In cases where a case is administratively
closed for security reasons, the RSC can provide only the case closure language provided
to the principal applicant at the time of closure. The RSC is expressly forbidden from
providing security information directly to applicants or any third parties under any
circumstances.
The RSC is permitted to share only the outcome, but not additional details, of the USCIS
decision with an applicant or any case member. This is limited to information that a case
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 18 ]
is processing/moving forward to another processing step or has been denied if (and only
if) the denial letter has been transmitted.
For more information on sharing documents and case status information with applicants,
family members, or other affiliated third parties, see Section 3.1.4 on communication
with applicants.
2.2.2.2 Attorneys or Accredited Representatives
Written (including e-mail) and in-person inquiries to an RSC for case status information from
attorneys or accredited representatives1 may be answered with the requested information, if
the request is accompanied or preceded by a properly completed and signed G-28 or G-28I
Form, which is issued by DHS. (This form is in lieu of the Third Party Authorization Form,
for third parties who are not attorneys or legal representatives.) G-28/G-28I Forms are
available at https://www.uscis.gov/g-28 and https://www.uscis.gov/g-28i. Other information
regarding specific refugee cases beyond their case status may not be provided. RSC should
treat attorneys and representatives the same as any other third party with a signed waiver on
file.
For example, an authorized attorney may not inquire as to the reason a refugee applicant has
been deemed ineligible for P-2 access. The information that can be provided to an authorized
third party is limited to case status information detailed in Section 1.1.1. Further, except in
the case of Iraqi refugee applicants seeking admission through certain P-2 categories,2 an
authorized third party (including an attorney) is not permitted to accompany a refugee
applicant to RSC intake and prescreen interviews or engage in other forms of involvement in
refugee processing.
The G-28 or G-28I Form must include complete information, including signature from the
refugee applicant, as well as complete information, including signature from the relevant
third party. RSCs should ensure that the applicant’s signature on the form is verified against
his/her signature on file, if available. Responses to case status inquiries may only be sent to
the physical address or email address provided in the original G-28 or G-28I Form. If an
attorney or accredited representative provides on the G-28 or G-28I Form a general email
address that is accessible by other individuals (i.e., [email protected]), the RSC should
request a private email address for the attorney or accredited representative and should only
use that private email address for electronic communication. Case status information in
response to telephonic requests from third parties may not be provided.
1 A person who is approved by the Board of Immigration Appeals (the Board, or BIA) to represent aliens before the
Immigration Courts, the BIA and U.S. Citizenship and Immigration Services. They must work for a specific
nonprofit, religious, charitable, social service, or similar organization. The organization must be authorized by the
Board to represent aliens.
2 The National Defense Authorization Act of 2014 includes provisions authorizing Iraqi refugee applicants seeking
P-2 access pursuant to the Refugee Crisis in Iraq Act to be represented by attorneys or accredited representatives
during the refugee application process, including relevant interviews and examinations. Iraqi P-2 I-130 applicants
are not covered by this provision.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 19 ]
There is not a defined validity period for the G-28 or G-28I.
2.2.2.3 United Nations High Commissioner for Refugees (UNHCR)
RSCs may release individual case information to an authorized representative of UNHCR to
the extent necessary to facilitate the processing of the case. The RSC is authorized to provide
feedback to UNHCR on its resettlement referral processes, provide information to allow
UNHCR to respond to deferred refugee referrals, and provide case status updates on an
individual case for the purpose of resettlement processing and refugee protection. RSCs may
not provide UNHCR with more information about the status of an applicant’s security checks
than the RSC would normally provide to the applicant (see Section 3.1.5.3 for more
information). Instead, RSCs may give UNHCR a general description of the security check
process that all refugees undergo. RSC management and employees are permitted to
communicate with UNHCR regarding refugee case applicants and information in the course
of routine USRAP processing and on a need to know basis. Requests for information from
UNHCR that fall outside normal USRAP processing steps should be reported to the
RefCoord, even if they do not specifically violate USRAP data sharing and communication
requirements as set forth in Section 3.0.
2.2.2.4 Heads of RSC Parent Organizations and their Designees
The immediate supervising official(s) of the RSC Director for the organization which runs the
RSC are permitted to have access to physical applicant files only for the purpose of
monitoring and evaluating the performance of RSC staff and leadership. Other employees and
leadership of the organization which runs the RSC, but who are employed outside the RSC,
are not authorized to access applicant records in any form without explicit prior written
permission from PRM/A. Electronic access to refugee information by the RSC parent
organization is not permitted without explicit prior written permission from PRM/A.
Individuals from the RSC parent organization with electronic access to refugee information
should acknowledge in writing that they have read and understood this Integrity &
Compliance module of the USRAP Overseas Processing Manual. The RSC should send any
requests for access to the RefCoord and Program Officer.
RSC management and employees are not permitted to communicate with RSC headquarters
representatives regarding refugee case applicants and information, where this is not part of
routine USRAP processing and where there is no clear need to know, unless previously
approved by PRM/A. Requests for information from RSC headquarters which fall outside
normal USRAP processing steps should always be reported to the RefCoord, even if they do
not specifically violate USRAP data sharing and communication requirements as set forth in
Section 3.0.
Further questions on access by the parent organization of the RSC should be directed to the
RefCoord and Program Officer.
2.2.2.5 Foreign Government Authorities
RSCs may release to foreign government authorities only such information in applicant
records as necessary to facilitate movement of applicants and SIV holders (e.g., to obtain exit
permits). RSCs should generally limit this information to the names, ages, family
relationships, medical condition (when relevant), dates of arrival and departure, transportation
arrangements, and similar information concerning the applicants involved. When permitted
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 20 ]
by formal written arrangements between the United States and other governments and/or
necessary to finalize departure permission, the RSC may release additional case information
to those governments after requesting and receiving prior written approval from PRM/A.
Requests for information from foreign governments which fall outside normal USRAP
processing steps should be reported to the RefCoord. The RSC should use discretion to
determine if a request falls outside normal USRAP processing and consult with the RefCoord
if it does.
2.2.2.6 The International Committee of the Red Cross or the
American Red Cross (ICRC)
RSCs and the RPC may reveal information in an applicant’s record to the International
Committee of the Red Cross (ICRC) or the American Red Cross to the extent necessary to
assist with international tracing efforts for the purpose of family reunification, if the applicant
has signed an authorization specifically for this purpose. Consult the RefCoord for
information-sharing requests to facilitate an ICRC Travel Document.
RSC management and employees are permitted to communicate with ICRC regarding refugee
case applicants and information where such communication is part of routine USRAP
processing and on a need to know basis. Requests for information from ICRC which fall
outside normal USRAP processing steps should be reported to the RefCoord, even if they do
not specifically violate USRAP guidelines.
2.2.2.7 Mental Health and Other Counseling Organizations
Information from applicant records may be released to government or private mental health
counseling organizations or entities as needed to the extent necessary if the applicant poses a
temporary danger to themselves or others. In addition, information from applicant records
may be released to these mental health counseling organizations, in consultation with
PRM/A, to the extent necessary to permit them to assist in making recommendations on the
suitability (or continued suitability) of placements for children under parental supervision.
The RSC should use discretion to determine if a request falls outside normal USRAP
processing and consult with the RefCoord if it does.
2.2.2.8 Members of U.S. Congress
RSC management and employees are permitted to communicate with Members of the U.S.
Congress and Congressional staff regarding specific refugee case applicants and information
pertinent to that Member’s district. RSCs should always include the RefCoord, Program
Officer, and PRM Congressional Liaison on communications with Members of Congress.
Written inquiries (including e-mail) for case status information or other case-specific refugee
information from Members of Congress or their staff that do not specifically relate to
adjudication decisions by DHS should be answered with only the information necessary to
answer the inquiry. Members of Congress or their staff should not pass such information to
persons outside of Congress, except to the refugee themselves or to an individual the refugee
has authorized to receive such information by signing Form G-28, G-28I, or a third party
authorization form. Information in response to telephonic requests from Members of
Congress or their staff may not be provided. No copies of documents or other items from a
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 21 ]
case file may be provided. Information provided on USRAP refugee resettlement cases and
FTJ-R cases must include the reminder:
“The following information is provided in response to the inquiry, however, due to the need
to protect privacy, the information is provided for the sole purpose of responding to the
inquiry and should not be publicly disclosed except to inform your constituent about this
case.”
For SIV inquiries only, information provided must include a reminder that, pursuant to
Section 222(f) of the INA (8 U.S.C. 1202(f)), such information:
1. is to be treated as confidential,
2. is being provided to them solely for purposes related to “the formulation, amendment,
administration, or enforcement of the immigration, nationality, and other laws of the
United States,”
3. should not be shared with other Members of Congress or their staffs except as
specifically needed for the aforementioned purposes, and
4. should not be released to the public.
If the Congressional letter requests that a response be sent directly to a constituent or other
third party, the requested information will be provided to the Member of Congress or staff
member with an explanation that in accordance with law and policies governing the privacy
or confidentiality of Department of State refugee processing records, the Department cannot
provide case status information or other case-specific refugee information directly to the
constituent, unless the constituent is the refugee applicant themselves or an authorized third
party. In either of the latter cases, the applicant or authorized third party would be able to
obtain case status information by inquiring directly to PRM/A or the RSC handling the case.
See Section 2.2.2.8 for additional details on responding to Congressional letters.
2.2.2.9 U.S. Government Law Enforcement Entities
Written inquiries (including e-mail) for case status information or other case-specific refugee
information from U.S. government law enforcement entities that do not specifically relate to
adjudication decisions by DHS, will generally be answered by PRM with the requested
information when such law enforcement entities can demonstrate a specific need to know.
Questions on such inquiries, as well as any inquiries from U.S. state and U.S. local law
enforcement agencies, should be referred to PRM/A for response.
Information in response to telephonic requests from U.S. government law enforcement
entities may not be provided. Responses must be coordinated with and sent from PRM/A in
Washington, with involvement of the Department of State’s Office of the Legal Adviser.
RSCs may not respond to any such law enforcement inquiries from U.S. federal, state, or
local agencies, directly. RSC should forward the request to their RefCoord and Program
Officer.
2.2.2.10 Non-USRAP Non-Governmental Organizations (NGOs)
RSC management and employees are not permitted to communicate with non-USRAP NGOs
regarding refugee case applicants and information, unless previously approved in writing, by
the RefCoord and/or Program Officer. Only NGOs authorized by PRM to provide refugee
resettlement referrals into the USRAP are permitted to communicate with RSCs regarding
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 22 ]
specific refugee case applicants and information where this is part of routine USRAP
processing and on a need to know basis. Requests for information from NGOs which fall
outside normal USRAP processing steps should always be reported to the RefCoord, even if
they do not specifically violate USRAP guidelines. In instances where an NGO is assisting
the applicant, a Third Party Authorization Form must be on file for the specific NGO staff
member assisting the applicant (see Section 2.2.2.1.2.).
2.2.2.11 Media
RSCs are not permitted to speak with the media concerning any aspect of the USRAP without
prior Program Officer approval. RSCs must relay and discuss any media inquiries with
PRM/A, and follow any guidance provided by PRM/A.
Should media inquiries arrive for or about specific refugee applicants, RSCs are never
permitted to provide any refugee data to any media organization in response. RSCs are also
forbidden from assisting members of the media in finding individual refugee applicants of
any specific population or group, however defined. They are only permitted to pass on
inquiries for a specific, named refugee applicant to the refugee applicant and note that they
may engage with the media independently if they wish, but the RSC should have no further
role in that communication. The RSC is not allowed to speak to the media on behalf of the
refugee. Once the message has been delivered to a refugee applicant, RSCs are permitted
only to tell members of the media inquiring on a refugee case that their message has been
passed. PRM/A should be notified but does not need to approve of passing messages from the
media to refugee(s).
2.2.2.12 Research
PRM understands that sharing refugee records, data, and information with research partners
may further the interests of developing better refugee resettlement programs. Accordingly,
refugee records, data, and information may be shared with research partners only with prior
approval from PRM and on a case-by-case basis, in accordance with these guidelines.
General Principles Governing the Sharing of Refugee Records, Data, and Information
for Research Purposes
1. The sharing of government records, data, and information on refugees for research
purposes is not an activity provided for in PRM’s cooperative agreements with RSCs
or its MOU with IOM, nor is it otherwise performed in the ordinary course of
business. Therefore, refugee data originating from WRAPS may not be shared with
research partners without the prior written consent of PRM/A.
2. PRM owns all data maintained in WRAPS, except for information and records in
WRAPS originating from and owned by another U.S. government agency, such as
DHS. Ownership of this data cannot be changed through de-identification of WRAPS
data or transfer of the data into another database. Any MOU or data use agreement that
an RSC or IOM enters into with a research partner must accurately reflect PRM’s
ownership of WRAPS data.
3. The Department of State has the sole authority to publish research based on refugee
records, data, and information gathered before a refugee’s admission to the United
States. RSCs and USRAP-affiliated IOM staff are not permitted to share refugee
records, data, or information collected before a refugee’s admission with research
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 23 ]
partners for the purpose of publication, as publication by an RSC, IOM, or research
partner does not relate to the “formulation, amendment, administration, or
enforcement” of the laws of the United States.
4. Refugee records, data, and information collected by PRM, an RSC, IOM, or another
implementing partner after a refugee’s admission to the United States are still subject
to the confidentiality provisions of PRM’s cooperative agreements and MOU with
RSCs, and IOM.
5. RSCs, USRAP-affiliated IOM staff, and their research partners may publish
aggregated statistical summaries describing the effectiveness of program innovations
that are based on data collected after a refugee’s admission to the United States, as
long as these reports only disclose WRAPS data that is publicly available and do not
allow individual refugees and their resettlement locations to be identified.
Process for Sharing Refugee Records, Data, and Information for Research Purposes
PRM recognizes that RSCs, and IOM have a strong interest in partnering with researchers in
order to improve their methods of implementing and evaluating the USRAP. For researchers
seeking general information, it is permitted to share public websites and/or resources, such as
CORENav.org or PRM’s website. Before sharing any non-public refugee records, data, or
information with a research partner, RSCs and USRAP-affiliated IOM staff must follow this
process:
1. RSCs and IOM must submit a data sharing proposal to PRM and obtain PRM’s written
approval on a case-by-case basis before sharing WRAPS data with another person or
entity for research purposes. Data sharing proposals must include the following
information:
2. Description of the type and scope of WRAPS data to be shared.
3. Name of the intended research partner.
4. Explanation of how the sharing of WRAPS data will further the implementation of the
USRAP.
5. Draft of the data use agreement to be signed by the intended research partner.
6. PRM will review the data sharing proposal in consultation with the Department of
State’s Office of the Legal Adviser to verify whether the proposal is consistent with
the Department’s privacy policies and guidelines and will issue a written response
approving, denying, or requesting modifications to the data sharing proposal. PRM
will strive to provide a written response within 30 days of receiving the data sharing
proposal.
7. Upon receiving written approval from PRM to proceed with a data sharing proposal,
the RSC, or IOM must sign a data use agreement and non-disclosure agreement with
the intended research partner that specifically prohibits any disclosure of individual
level data and directs the research partner to destroy all shared data after completing
the approved project.
8. The RSC, or IOM must send PRM by email a scanned copy of the data use agreement
signed with the research partner within 5 business days of the date of signing.
9. Upon following the steps described above, the RSC, or IOM may securely share an
appropriately de-identified dataset with research partners. To appropriately de-identify
data, PRM requires the removal of personally identifiable information (PII), including
names, dates of birth, addresses, contact information, personal health and medical
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 24 ]
information, biometric records, full-face photographic images, alien numbers, social
security numbers, and other identification numbers. The data must be hosted on a
secure server that is approved to handle sensitive data, and any refugee records, data,
or information shared via e-mail must be encrypted.
3.0 Data Sharing and Communication in the USRAP
The governing principle of these guidelines is that information about applicants and approved refugees
can generally be disclosed only as specifically necessary to process the individual’s application or Special
Immigrant Visa for admission to the United States. The disclosure of information should contain the least
amount of PII possible to complete official duties.
RSCs must record in the contact log in WRAPS any interaction with an applicant or individual for whom
the PA has signed a Third Party Authorization Form. RSC should record contact with unauthorized
individuals who tried to seek information about the applicant from the RSC as well. Such interactions
must be conducted using RSC phone and/or email addresses. The RSC does not need to enter routine
contacts for processing steps (e.g., the prescreen interview, routine transactions with UNHCR, or regular
scheduling with IOM Ops and MHD for the purposes of processing cases) in the contact log.
The record in WRAPS of any authorized disclosure must include the date, nature, purpose of the
disclosure, written authorization from PRM if applicable, and the name and address of the person or
agency to whom the disclosure was made. Best practice includes attaching the correspondence with third
parties in WRAPS as well.
All USRAP communications should provide efficient and responsive information to the U.S.
Government, USRAP processing partners overseas, domestic resettlement partners, and applicants, while
protecting data and information under all applicable privacy laws and regulations.
Communications in any form should be professional and clear. It is expressly forbidden to be rude,
demeaning, degrading, harassing, threatening, discriminatory, overly familiar, or send inappropriate
materials in conjunction with any USRAP communications.
The guidelines below do not cover every possible scenario for communications regarding a USRAP case.
When in doubt, RSCs and other USRAP partners should contact their Program Officer for further
guidance.
3.1 Receiving, Sending, and Disclosing Applicant Data
3.1.1 Tableau Reports and START Filters (For RSCs Using START)
Access to Tableau should be limited to RSC management, staff who are responsible for RSC
reporting, and staff who have a case processing need. The RPC and RSC reporting staff are
responsible for monitoring the data provided in reports as well as access to use of reports and
Tableau.
Data provided must be on a need-to-know basis to perform a case processing function. PII must
be limited to the greatest extent possible. Reports created in Tableau must be audited quarterly to
ensure that PII is included on a need-to-know basis only, is a must-have in the report, and is
overall limited to the greatest extent possible. The audit must also ensure that data in reports is
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 25 ]
not excessive and is appropriate for user permissions. Results of quarterly audit should be
submitted to RPC Reporting Team.
Sharing of Tableau reports is permitted within the guidelines set forth in this document. Follow
guidelines in Section 2.0 on sharing records and Section 3.1.1 on protecting data when sharing
reports.
Note for RSCs using START: START users currently have the ability to export START filtered
lists as a reporting feature; however, this capability should not be used without authorization from
the RPC. In general, if system data needs to be viewed or shared outside of the START system, it
should be managed through Tableau reports. START filtered lists should not be exported even
though the functionality exists. Tableau reports have gone through an extensive approval
process, and by limiting report creation to Tableau, the USRAP program can enforce its
commitment to data integrity and reduce the distribution of PII outside of system when it is not
necessary. If staff have a justified business need to export data that cannot be met through
Tableau reports but can be met by exporting START filtered lists, an exception may be pursued
by submitting a request for RSC Reporting Team and RPC approval. Additional instructions on
this process will be provided to the RSC once it transitions to START.
In order to enforce the prohibited use of exporting START filtered lists, RSC Compliance/IT or
similar staff must conduct monitoring/spot checks on staff computers and emails to ensure that
START filters containing applicant PII have not been downloaded/ circulated unless explicitly
authorized by the RSC Reporting Team and RPC.
Following the deployment of START, RSCs must log in their GitHub Repository a business case
with a justification for each report created in Tableau and with justification for any PII included
in Tableau reports.
3.1.2 RSharenet
Files containing PII that are uploaded to Rsharenet must only be accessed and used by staff who
have a case processing need or need to know.
3.1.3 Email/Written Communication
The use of personal email is strictly prohibited for receiving, sending, and disclosing applicant
data. Additionally, it is prohibited to forward or enable all messages to be automatically
forwarded to an address outside of WRAPS or RSC systems. Taking screenshots or photographs
of data is strictly prohibited. Should any staff find evidence that any RSC staff has photographed
or taken screenshots of data and transmitted those images to personal email or devices, the RSC
must notify the RSC Director or Deputy immediately for review. RSC Compliance/IT or similar
staff should conduct random monitoring/spot checks of user devices and email accounts to
identify if data has been exported (from START), photographed, screenshot and forwarded to
personal email or devices. Use organizational specific email addresses when interacting with
external partners or applicants regarding case information. Whenever possible, group email boxes
should be used for communications on USRAP cases. This provides oversight and history into
what has been communicated and protects RSC and USRAP partner staff from suspicion of
malfeasance.
Use approved email templates, where available, when corresponding with external partners or
applicants. Emails and letters should clearly identify the sender, the recipient, and the purpose of
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 26 ]
the communication. Use proper care to verify that email recipient addresses are accurate, in order
to avoid sending sensitive information to the wrong sender. This is especially important for email
sent to non @wrapsnet.org, non @uscis.dhs.gov, and non @state.gov email addresses or to many
recipients.
Emails and written communications can be written in any language, but RSCs should always
include accurate and complete English translations in addition to the original language for any
official USRAP communications that are scanned into WRAPS. For internal RSC emails, an
English translation is not required, though RSCs should ensure they have proper oversight over
internal communications through their own regulations and management structure.
When corresponding with USRAP partners and authorized third parties, PII and SPII should
never be included in the email subject. Sensitive PII (SPII) should only be included in the body of
the email if the email is encrypted using an email software encryption feature. SPII should
otherwise be attached to the email with encryption (see Section 3.2). If SPII was included in the
original message, insert “XXXX” in place of the SPII when responding. Per Section 3.2, notify
RSC Director/Deputy when partners commit such breaches.
When corresponding with applicants, it may not be practical or feasible to send SPII as an
encrypted file attachment. Therefore, the RSC should strive to minimize the use of PII in the
email (e.g. ‘Dear Applicant,’). If the RSC is responding to an applicant who provided SPII in
their email, the RSC should place an “XXXX” in place of the SPII when responding. Although
PII does not strictly require this type of redaction, all PII should be minimized when sent via
email, including to USRAP partners, applicants, and internal RSC colleagues.
RSCs can include non-PII in email/written communications, including:
Signatures with contact information
Notices regarding how, when, how-not-to communicate
Privacy regulations and warnings
Customary greetings
Customary signatures/end-of-letter salutations
General information regarding refugee resettlement processing
RSCs should ensure non-PII included in an email or written communication is standardized using
the RSC Inquiry Response Template. If it is included in one refugee case status update, it should
be included in all refugee case status updates. Similarly, information sent to USRAP partners
should be standardized across different partners, as appropriate. These guidelines also cover web-
based communications through secure interfaces with applicants or other USRAP partners.
See Section 3.0 for information on routine correspondence between RSC and other agencies.
3.1.3.1 Short Message Service (SMS) and Other Communication
Platforms
RSCs may communicate the following to refugee applicants via SMS on an RSC-issued
phone or via other RPC-approved messaging services on RSC-issued devices:
anti-fraud warnings,
information on holidays and office closures,
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 27 ]
general resettlement information,
links to additional online resources,
scheduling USRAP events, including appointment date, time, and location.
Approved messaging services to use when communicating with applicants refer to those that
have been explicitly approved by the RPC Security Team for use on RSC-issued devices
(personal devices cannot be used). All requests to use a messaging service to communicate
with applicants must be forwarded to the RPC Security Team for approval prior to use.
Bulk SMS communications that are sent to all applicants do not need to be updated in the
Contact Log. However, case or applicant specific information sent via SMS must be updated
in the case’s Contact Log.
Refugee PII or other sensitive data can only be communicated via RSC email except in
extreme circumstances in which an applicant does not have access to email. RSCs may accept
(i.e. receive) PII from applicants over text or other messaging service by exception –
permission to receive PII documents or PII in text must be granted by the RSC Director or
Deputy Director after presenting a justification for why email, mail, or in person transmission
is not possible. The exception, including the rationale and approval, should be documented in
the WRAPS contact log along with the general message contents. Although receiving PII in
extreme circumstance is permitted by exception, RSCs should never send PII or official case
processing documents (e.g. denial letter) over SMS or another communication platform other
than an RSC email account.
RSCs should encourage applicants to set up a free email account, if possible, during data
collection or prescreen so that documents can be transmitted over an official email channel.
3.1.4 Telephone/In-Person
RSCs should maintain management oversight over telephonic and in-person communications
with USRAP partners and refugee applicants.
Telephonic/in-person communications with refugee applicants should take place in RSC
workspaces, using RPC-approved messaging services on RSC equipment, and must be logged in
WRAPS. For RSC workers conducting circuit rides, telephonic/in-person communications with
refugee applicants should only take place in designated RSC workspace areas. This guidance also
applies to individuals authorized to work from home—such individuals may communicate with
applicants using RPC-approved messaging/communication services on an RSC-issued phone or
while logged into WRAPS via an RSC-issued computer using a VPN.
Telephonic inquiries by refugee applicants, telephonic case counseling, and in-person case
counseling are allowed for:
Scheduling prescreen interviews, case status consultations, USCIS interviews, medical
examinations, or other USRAP processing functions.
Responding to applicant inquiries by phone with case status updates.
The RSC is not required to offer telephonic or in-person case counseling. The RSC should
minimize the transmission of PII and protect refugee case statuses from unauthorized disclosure
when providing telephonic or in-person responses to inquiries.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 28 ]
Please note that telephonic or in-person inquiries or case status counseling is not authorized for
third parties, even if they have a signed authorization.
Refugee applicants must not be contacted using an RSC employee’s personal cell or personal
landline phone, in any circumstance. If an RSC employee is contacted outside work by a refugee
applicant, they should re-direct the applicant to the appropriate RSC phone or email address, and
not provide any further information. RSC employees must report the contact to their RSC
management as soon as possible.
RSC employees may not fraternize with refugee applicants. RSC staff should not be penalized for
simple contact (regular greetings) with refugee applicants if it is reported appropriately.
3.1.5 Communication with Applicants
RSC staff tasked with refugee communication must not take any unsolicited calls, emails, or
visits from applicants except during “open” hours or walk in hours. All visits or conversations
outside of a normal interview or outside of RSC office hours must have the occurrence and
substance of the conversation recorded in the “Contact Log” in WRAPS. Instances of other
unsolicited interactions (including calls or emails outside of official means) must immediately be
reported in writing to supervisors or the RSC fraud email. Staff not tasked with refugee
communication must also report unsolicited interactions to a supervisor or the RSC fraud email
address immediately.
All case-specific information should be made available to refugees by email, secure website (if
available), mail, in person and/or by phone. All refugee documents should be provided on RSC
letterhead to demonstrate authenticity.
RSC staff should not maintain friendships or relationships with applicants, including on social
media, nor should they communicate outside of official means or business hours. If such
relationships are unavoidable, staff and applicants must disclose their relationship. See Section
4.1.3 on how to document the relationship. Any attempts by an applicant to develop a relationship
beyond a professional relationship must be reported to a supervisor.
All written and, when appropriate, verbal communication must emphasize the USRAP is free of
charge, while providing details on how to report fraudulent activity. This information should
appear in all RSC staff email signatures as well. RSCs must display informational posters in
visible locations in target languages(s) in processing locations. Posters should be developed with
consideration for illiterate populations, communicating that the USRAP is free of charge,
including details on what fraud is and how to report any fraudulent activity. Include information
that any reports to the RSC are confidential. Applicants must be made aware of fraud risks and
reporting abilities. Applicants should be told during prescreening what official correspondences
from the RSC look like.
Only RSC email and RPC-approved messaging services are permitted for sending digital
messages to applicants. If an RSC-issued phone/tablet is used to communicate with an applicant,
either RSC email or an RPC-approved app must be used to do so. RSCs may contact the RPC
with any apps that they would like to have approved for applicant communication, and the RPC
will issue a decision.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 29 ]
3.1.5.1 Informing Applicants of USRAP Data Sharing
RSCs must provide each refugee applicant 14 or above (not including SIV holders) with the
Notice on Confidentiality of Personal Information form, printed on standard RSC letterhead
or on blank paper, at the time of the prescreening interview, or the first meeting with an RSC
staff member. This form informs the applicant it may be necessary to release the information
they supply, or the information the U.S. government or RSC gathers about them in
connection with the application in whole or in part.
Note: The SIV holder is informed of data sharing through the Refugee Benefits Election
Form.
Each applicant aged 14 or above is required to sign the Notice on Confidentiality of Personal
Information, acknowledging understanding and acceptance of the terms for release of
personal information. RSCs may have 13 year old applicants sign if the applicant is likely to
travel after turning 14 years old. RSC staff must inform all applicants of the purpose of the
document before the applicant signs the document. If applicant ages into 14 years and
previously did not sign the form, the applicant can still travel, however, RSC should make
every effort to ensure the applicant has received and read the form prior to his/her travel, such
as during a Travel Fingerprint appointment.
If an applicant is unable to sign, a family member on the same case may sign for the applicant
and mark their name and of whom they are signing on behalf. If no family member on the
case is able to sign, the forms should be explained to the applicant in full so they understand
the content, and a family member not on the same case may be allowed to sign for them,
following indications that the principal applicant has understood. Applicants are permitted to
make a mark to indicate their signature if they are able. If they are not able, and no family
member on or off the case is available to sign, the RSC caseworkers should indicate that the
form was explained, and note the reason the applicant is not able to sign.
If an applicant can sign the form, but refuses, the RSC should note the reason for the refusal,
and contact the RefCoord or Program Officer for further guidance.
3.1.5.2 Releasing Documents to Applicants
The RSC may release a copy of documents to an applicant only if that applicant provided the
document (e.g., marriage certificate, death certificate, divorce certificate). If the RSC releases
a copy to the applicant, the RSC shall maintain a copy in the applicant’s record.
Except as permitted above, RSCs should advise any individual requesting copies of
documents in applicant records under FOIA or the Privacy Act to submit the request to:
Director, Office of Information Programs and Services
U.S. Department of State, A/GIS/IPS/RL, SA-2
Suite 8100, Washington, D.C. 20522-0208
Fax: (202) 261-8579
FOIA requests also may be submitted electronically. Individuals requesting their own
personal records under the Privacy Act must provide an original signature and may not
submit electronic requests.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 30 ]
3.1.5.3 Case Status Inquiries
RSCs should use the RSC Inquiry Response Template in response to case status inquiries
from an authorized third party. Alternatively, RSCs can select the appropriate answer from
the form and place it in the body of an email response or use the form and delete all options
except for the relevant case status. The form may be customized with the RSC’s logo (in
accordance with the RSC Style Guidelines) and/or contact information, personalized
greetings, local procedural information, and other personalized language, and additional case
statuses may only be added with advance permission from PRM/A.
The RSC Inquiry Response Template is not intended to be used for responses to
Congressional inquiries. RSCs should respond to Congressional inquiries in the manner in
which they are received. Formal letters signed by the representative should be responded to
with a letter signed by the RSC Director or his/her designee. Email inquiries from
Congressional staff can be responded to via email. Records of Congressional inquiries and
responses must be scanned and attached in WRAPS.
3.2 Protecting Data
3.2.1 Protecting Media
Local administration personnel at RSC locations are not authorized to sanitize SBU media for re-
use as non-sensitive unclassified media. Therefore, any hard drive or non-volatile memory
(secondary storage or long-term persistent storage) that, at one time, contained WRAPS data must
be shipped by RSC local administration personnel through their RefCoord to the RPC via
diplomatic pouch for destruction and disposal as unclassified refuse. This includes for computers,
laptops, printers, copiers, etc. if they contain a hard drive or memory that stored WRAPS data.
RSC-issued phones are not included in this policy as they are not authorized to store WRAPS
data. WRAPS data refers to data specific to refugee applicants that is stored in WRAPS as
defined in the WRAPS Rules of Behavior.
The RSC should contact their RefCoord to arrange for the item to be shipped via diplomatic
pouch. Note that any volatile storage (RAM) will be destroyed once the system is shut down. All
hard drives and non-volatile memory should be sent directly via diplomatic pouch to the
following address:
ATTN: RPC Director or Deputy Director 2201 C STREET, NW
SA-9, PRM/A
Washington DC 20522
Any hard drive or non-volatile memory cannot, for any reason, be sanitized or repurposed by the
RSC.
3.3 Data Breaches
USRAP staff ensure data integrity by following the safeguarding PII practices policy outlined in
Section 3.1 and Section 3.2. However, a breach of PII can occur. A data breach is defined as a loss of
control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any
similar term referring to situations in which persons other than RSC and RPC staff and external
partners, for an other than authorized purpose, have access or potential access to PII (whether
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 31 ]
electronic or hard copy). If a breach has occurred, it is the RSC staff’s responsibility to follow the
below policy.
RSC employees must report any breaches in physical or electronic file security or suspected PII data
loss immediately, and no later than four hours, to the RSC Director (or other senior manager if the
Director is not available), who will notify the RefCoord, the Program Officer, RPC Security Team,
and the RPC Director.
3.4 Handling of Records
3.4.1 Maintenance of Records
The RSC must maintain applicant records under administrative control as specified below. These
standards are the minimum authorized. If an RSC is not able to comply with these standards, the
RSC should notify the RefCoord and PRM/A for further guidance.
The RSC must designate a file library and use a file-tracking database to check files in and out to
specific staff. All files and documents containing personal information of refugees must be
secured in the file library or in a locked filing cabinet overnight and when not in use. Access to
physical files should be restricted to those employees who have a demonstrated need in their
work. Physical files should be maintained in locked containers or restricted access file rooms in a
secure facility at all times when not in use and should always be secured in a locked container at
the end of the day. File rooms should be secured using an access code or card-lock system with
different permission levels. A list of staff with the access code/card access shall be maintained by
management. The code must be changed upon the departure or termination of any employee on
the list. The RSC must audit the physical files two times per year. Transporting applicant
data/files outside of the office is strictly prohibited unless authorized by the RSC Management for
his or her work stream. Develop and follow SOPs to transport files that account for local security
considerations. The SOPs should be reviewed and approved by the RefCoord and Program
Officer.
When on circuit rides, the RSC staff member responsible for file security must ensure files are
stored overnight in a secure, locked area accessible only to designated RSC staff. If possible,
files should be locked in a container (e.g. trunk) in a secure room.
In many cases, hand-carrying is preferable to shipping physical files. If shipped or transported on
a flight, physical files should be placed in secure containers and sealed appropriately and as
securely as feasible. Any breaks in the integrity of the shipping container or files should be
reported as soon as discovered. RSCs must check with their RefCoord to ensure companies used
to ship physical files are deemed acceptable by the U.S. Embassy or Consulate.
The RSC is allowed to travel with refugee case files as checked baggage on a flight if the RSC
has received assurance from the airline that the files will remain secured and untampered with
during the entire journey. Therefore, the RSC should work closely with airline and airport staff to
ensure that appropriate security controls can be conducted without exposing sensitive information
or PII. The RSC should ensure the security and integrity of the physical files is guaranteed by the
airline and airport staff throughout the journey.
Routine file shipping (e.g. sending files to the FOD for wet stamping) does not require PRM
approval. However, the RSC should seek RefCoord or Program Officer approval for non-routine
shipping of USRAP applicant data. See Section 3.4.2 on disposition of records per DOS policy.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 32 ]
For the P2 I-130 Program at the RPC, Expression of Interest Packets are generated from the
USRAP case management system and sent directly to the petitioner via USPS. The envelopes
must be addressed directly to the petitioner if sent via physical mail. Alternatively, these packets
may be emailed to the petitioner or a representative who has provided a signed and completed G-
28 at the email address on file.
Files that are damaged or marked for destruction should be destroyed under approved PRM
destruction methods and not left in normal garbage. See below on disposition of records.
Hardcopies of records and reports should be destroyed accordingly once they are no longer
needed by the RSC. The electronic copy of records and reports that have no further administrative
value may be destroyed or deleted within 180 days after the copy was produced.
Any files left unsecured (i.e., loss of control, not in a designated locked cabinet/drawer) outside
of RSC workspaces should be reported, under the reporting procedures for breaches in PII. See
Section 3.3 for more information on reporting procedures.
3.4.2 Retention and Disposition of Records
The RSC must preserve active case files in a manner that will prevent deterioration of these
records until such time as the applicants are Stateside or denied or the case is closed. See Section
3.4.1 on maintaining a file library. RSCs must then comply with published Department of State
record disposition schedules. Chapters 12 and 25 of the Department of State Records Schedule
describe refugee records and give disposition schedules and authorities. Note: Chapter 25 applies
to PRM staff, not RSCs.
In the event the files are forwarded to an Embassy or the National Records Center (NRC), they
should be forwarded intact and as designated by PRM/A and/or USCIS.
If an RSC needs advice regarding records management or procedures for destroying or retiring
records under the Department of State disposition schedules, or if an RSC is unable to comply
with records requirements, the RSC should contact the RefCoord and Program Officer.
The RPC maintains electronic records of all WRAPS data in case of disaster or accidental
destruction. The RPC will maintain WRAPS records for five years following the individual’s
arrival in the United States and/or the last action is taken on a case before archiving records. The
RSC should contact the RPC and/or PRM should they need to make updates or inquire about
cases that have been archived or otherwise disposed.
The RSC should have in place a contingency plan for safely storing/relocating hard files in the
event of a disaster.
4.0 Integrity and Compliance
4.1 Roles and Responsibilities
4.1.1 RSC
The State Department has a zero-tolerance policy for fraud in the USRAP. Fraud is generally
defined as any intentional deception or misrepresentation used to benefit oneself or someone else.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 33 ]
Malfeasance is generally defined as intentional conduct that is wrongful or unlawful, especially
by officials or public employees, or in this context RSC and other USRAP partner employees.
This document addresses the key roles and responsibilities of RSCs in ensuring the integrity of
the program and guarding against internal malfeasance in the processing of refugees for
resettlement. The following highlights the main PRM-mandated safeguards and responsibilities
RSCs must implement. This summary is not exhaustive, however, RSCs are still required to read
this document in its entirety, comply with all regulations therein, and report on their compliance
annually.
Annual RSC Compliance Report: RSCs must report to PRM on their compliance with all
required RSC program integrity measures through the updated FY21 Integrity & Compliance
Matrix. Compliance matrices are to be submitted by RSCs annually on October 15 for the
previous fiscal year.
Approved adaptations of the guidelines for small sub-offices and satellite offices should be
reported in the annual Compliance Matrix report along with measures taken to implement the
intent of the guideline.
RSC management must establish and maintain a fraud complaints email inbox and a locked
physical box for paper complaints allowing for anonymous tips and must have a whistleblower
protection policy in effect. The email and physical fraud boxes should only be checked by RSC
senior management or dedicated compliance officers (except for translation services) and should
be checked no less than once per day, if possible. Both RSC staff and applicants/non-RSC staff
can use either of these systems to submit a fraud complaint. Senior management/compliance
officers should be trained on how to handle such reports and the headquarters organization should
have an established investigations mechanism in place. RSC agency headquarters are to conduct
annual monitoring that includes fraud vulnerabilities, and submit results to PRM; and ensure
performance review mechanisms adequately evaluate workplace conduct. Compliance officer
should report complaints directly to RSC senior management. In small sub-office locations with
only one or two staff members, the RSC should utilize the larger NGO or IOM country office
infrastructure, if available. The head of office or non-USRAP manager in the country office
should check the physical fraud box and report any allegations to RSC sub-office management, or
to senior management in the main office of the RSC if the allegation is about sub-office
management.
RSCs must create and maintain a Fraud and Ethics Committee of general staff and management
(particularly those who best understand the applicants). The Fraud and Ethics Committee, in
coordination with RSC management, should conduct annual staff fraud risk assessments focusing
on the impact and likelihood of fraud and staff malfeasance, examine the suitability of existing
staff fraud controls, and revise the controls as appropriate. Fraud risk assessments and mitigation
steps should be annually reviewed with the RefCoord, Program Officer, and relevant RPC staff to
jointly examine the suitability of existing staff fraud controls and revise controls as appropriate.
The RSC Director or their designated representative and the Refugee Coordinator should meet
annually with the U.S. Embassy Regional Security Office (RSO) and Consular Section to share
information on local fraud trends and methods, including information on possible attempts to
infiltrate the USRAP. The RSC and RefCoord should establish quarterly fraud trend meetings
with UNHCR, other governments, and other relevant stakeholders in the primary processing
location as well as two to four other locations with significant resettlement activities, if
applicable.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 34 ]
4.1.2 Procedures for Responding to Allegations of Fraud or
Malfeasance
RSC staff must report any observed or alleged instances of fraud or malfeasance, whether internal
or external, immediately to the Director. Within 24 hours of receiving the fraud allegation
information, the RSC is required to inform the RefCoord, Program Officer, and RPC Director.
Notification should be made even if RSC is still gathering information on the malfeasance.
The RSC must also directly inform the State Department Office of the Inspector General (OIG)
after informing PRM/A. Program Officers will also notify OIG as part of the memo to PRM
leadership. For RSC activities being performed in accordance with cooperative agreements
awarded by PRM, this reporting shall be consistent with 2 CFR §200.113 per the Department of
State Standard Terms and Conditions. For RSCs operating under contribution agreements
pursuant to the Memorandum of Understanding between IOM and PRM, IOM shall fulfill the
intention to inform the U.S. Department of State of allegations of fraud or malfeasance where
feasible by also reporting separately to the OIG, in accordance with the OIG’s standards and
instructions, in addition to reporting to PRM. Disclosures to the OIG should be sent through the
OIG website.
Any staff member under investigation due to a suspected breach of confidentiality, commitment
of fraud, or commitment of malfeasance should be suspended immediately if any positive
findings result from investigation of the incident. If a staff member is under investigation for a
serious incident (that does not rise to the level of breach of confidentiality, commitment of fraud,
or commitment of malfeasance), it may be appropriate to suspend the staff member for the
duration of the investigation. The RSC should consult with their Program Officer for further
guidance.
The RSC Director or Deputy, or Headquarters if management is implicated in the allegation, must
ensure proper reporting of any fraud or internal malfeasance. This should be done in consultation
with the RefCoord and the Program Officer, resulting in a written report and appropriate
organization-specific disciplinary measures (as well as additional security enhancements
identified by the RPC for specific incidents), which should be shared with PRM.
4.2 Guidelines for Staff, Interpreters, and Workspaces
4.2.1 Staff Screening (international/national full- and part-time RSC
employees)
The RSC must have a reputable entity complete background checks for international staff prior to
hiring (and retroactively for all currently employed international staff). These checks should
produce RSC-specific risk assessments, and the level/detail of the background check should align
with vulnerabilities identified by RSC management in the RSC-specific risk assessment. The
level of background check should be agreed with PRM/A in advance. In addition, RSCs must
ensure none of their staff are prohibited from receiving federal awards, including making sure
they have no exclusion records listed on www.sam.gov. Note: This includes all staff, whether
local or international hires. International staff background checks must be renewed every five
years.
Prior to hiring, national staff require a local police certificate issued within the last two years (and
retroactively for all currently employed national staff) certifying a clear record. The police
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 35 ]
certificate should be renewed and documented every two years, where possible. In certain
contexts, PRM may ask RSCs to work with the RefCoord and RSO to determine if the Embassy
should conduct additional name checks for national staff prior to hiring.
Staff with any family members or acquaintances under USRAP consideration must immediately
report the connection and recuse themselves from any dealings with the case. Staff must sign the
USRAP Affiliation Declaration (UAD)– Staff & Contractors Form ensuring they understand this
policy; similarly, applicants must also sign the UAD – Applicants Form ensuring they understand
this policy (see Section 5.3.16 Additional Forms in the Case Management module). Create the
form using RSC letterhead and keep all signed forms on physical or electronic file with RSC
management.
Refugee applicants with USRAP-affiliated acquaintances, such as individuals working at the
RSC, must report the connection. All applicants must sign a form during the initial Pre-Screen
interview ensuring they understand the policy. This form should be created by the RSC and be on
RSC letterhead. All signed forms must be kept in the applicant’s file.
4.2.2 Translator, Interpreter, and Other Contractor Screening
(contract, not RSC employees)
Translators
The RSC is responsible for facilitating translation. Depending on the language resources
available, this can be done either internally or from a professional translation service.
Contracted Interpreters
Prior to hiring interpreters, RSCs should obtain background checks and reference checks and a
local police certificate issued within the last two years certifying a clear record. The RSC should
document attempts to obtain local police certificates and discuss with the RefCoord and the
Program Officer if the interpreter is unable to obtain the police certificates. The police certificate
should be renewed every two years, where possible. Additionally, based on local government
regulations, it may be necessary for the RSC to have a record of the legal status of a contract
interpreter. Additionally, a contracted interpreter should disclose if they currently have or
previously had a U.S. refugee or asylum application.
In finding possible interpreters, names should be run through www.sam.gov, while using
UNHCR, IOM, or other partners to source and reference potential hires. The RSC must maintain
consolidated information on interpreters to ensure that any who are barred or problematic are not
rehired. All interpreters must read and sign, at a minimum, the local Interpreter Code of Conduct
form.
Interpreters with any family members or acquaintances under USRAP consideration must
immediately report the connection and recuse themselves from any dealings with the case.
Interpreters must sign a form that they understand this policy; similarly, applicants must also sign
a form that they understand this policy (see Section 5.3.16 Additional Forms in the Case
Management module). At the beginning of any new interaction (interview, appointment, etc.) the
RSC staff should check if the assigned interpreter and applicant are acquaintances.
Interpreters should rotate among staff where possible. As a best practice, interpreters for pre-
screening interviews should be assigned daily so interpreters and caseworkers do not know who
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 36 ]
they will be paired with ahead of time. Interpreters must translate documents at the RSC with
RSC staff present. If it is a challenge to identify multiple interpreters for a language, the same
interpreter may be used at all steps for all cases which speak a certain language with RSC
Director or Deputy approval.
Other Contractors
RSC should run other contractors (e.g., drivers, security, childcare, etc.) through www.sam.gov
and conduct reference checks as practical. Police certificates and additional background checks
are not required.
4.2.2.1 Requirements for Interpreters during USCIS Interviews
The following requirements apply to interpreters for USCIS interviews, and not necessarily
RSC prescreening. Interpreters for USCIS interviews must be proficient in English and either
the native language of the applicants or another language in which the applicants and
interpreters are fluent. It is preferable for applicants and interpreters to use the native
language of applicants, as opposed to another language in which the applicants are proficient.
The first priority for hiring an interpreter for USCIS interview is selecting individuals who
have residency or citizenship in the processing location. If the skill set is not available among
residents/citizens, the RSC can hire asylum seekers or refugees. In such situations, the RSC
may hire refugee interpreters for USCIS interviews who have already been approved for
resettlement to the United States, if there are no other options. To use approved USRAP
refugees as interpreters, RSCs must first receive approval from their Program Officer who
will bring the request to the USCIS Desk Officer prior to the circuit ride. If a USCIS Team
Leader discovers that an interpreter is an approved refugee whose interpretations services was
not previously agreed to at the USCIS headquarters level, the Team Leader will alert the
appropriate USCIS Desk Officer immediately so that alternatives can be considered. This
may delay interview of refugee applicants during a circuit ride.
See USCIS Interpreter Guidance for details.
4.2.3 Workspace Compliance
This section details policy regarding the physical locations from which RSC staff can complete
their work and work privately to ensure only appropriate individuals can see work products
and/or participate in work and case-specific conversations.
At Work
Conversations regarding work and/or case information must be limited to private areas (i.e.,
offices, conference rooms, etc.). RSC staff should not discuss work and/or case information
in shared spaces (i.e., lobby, kitchen, etc.). RSC staff must not leave case information
unattended, visible, and/or easily accessible to others. All work and/or case information
should be stored securely and out of sight when not in use.
Open door policy – i.e., as a rule, office doors must be open except as needed for
confidentiality purposes, such as interviews, personnel discussions, etc. See Section 4.1.9
for information on “line-of-sight.”
At Home
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 37 ]
RSC work from home, which involves accessing the USRAP case management system, should be
limited to senior management positions with remote access, as approved by the RSC
Director/Deputy. In rare or extraordinary situations, and as needed to maintain critical processing
activities, PRM/A may approve in writing temporary remote access to the USRAP case
management system for additional RSC staff on a case by case basis.
Staff with permission to work from home should:
Conduct work-based activities on an RSC-issued computer or phone.
Connect to a private network (e.g. home network), rather than a public connection (e.g.,
coffee shop).
Limit conversations regarding work and/or case information to private areas. This includes
communication with refugee applicants on RSC-issued phones.
Staff should ensure that others in the household do not have line-of-sight visibility of work
products or PII or overhear case information.
RSC staff must not have hard-copy case information, or other PII at home. By rare
exception, such information can be taken home with written approval from the RSC
Director and/or Deputy and it must be clear by which date the RSC staff member must
return the information to the office. Further, RSC staff must request permission in writing
from the RSC Director/Deputy prior to printing/scanning PII or sensitive information while
working from home/remotely. If permitted to do so, all documents with PII or sensitive
information must be stored in a secure location that cannot be accessed by anyone else
when not in use and must be returned to the RSC for storing or destruction as soon as
possible.
Computer equipment and remote access devices should be stored in a secure location where
they are not accessible to others.
Equipment must always be protected from potential theft or unauthorized use.
On Official Travel (including Circuit Rides): RSC staff should limit conversations regarding
work and/or case information to designated work areas (i.e., interview rooms, designated RSC
and/or USCIS work areas, UNHCR official work areas, etc.). RSC staff should not discuss work
and/or case information in shared spaces, (i.e., lobby, kitchen, transportation with non-RSC staff,
etc.) or in hotels, restaurants, etc.
While on official travel, RSC staff must not leave case information unattended, visible, and/or
easily accessible to others. At the end of a workday, all work and/or case information should be
stored securely with a USCIS team leader and out of sight when not in use. The RSC must
designate a person responsible for file security during circuit rides (See Section 3.4.1).
4.2.3.1 Control of Access Points
Security company/guards/receptionist must monitor access to the RSC and its grounds.
Access to the RSC and its grounds must be monitored and controlled at all times, including
with regularly monitored CCTV of building access points and common areas, as allowed by
local privacy laws. CCTV should be regularly monitored by a designated staff member and
recorded with stored backup for 90 days. RSC management should review local or
organizational guidelines for information on disposition of CCTV recordings. If the RSC
office operates in an area where local privacy laws prohibit surveillance/CCTV, the RSC
Director should report this in the annual Compliance Matrix.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 38 ]
Visitors must be escorted in “RSC Only” areas. Access to the “RSC Only” areas must be
controlled. For example, after entering the office, the RSC may have an area for cultural
orientation classes where applicants are not required to be escorted. The RSC must control
access to further areas where staff offices are located and escort visitors in those areas.
Refugees and staff should have separate access points. Refugee access to areas designated for
interviews or cultural orientation should also be limited. Refugee access to the RSC should be
limited to persons with appointments, except during walk-in consultation times.
Prior to entering RSC workspaces (which are defined by locations with access to PII), all
RSC staff, visitors, and refugees must surrender any personal electronic devices which can
take pictures, record, or connect to the internet. RSC staff may keep phones issued by the
organization. Refugees entering RSC facilities should be physically screened for electronics
and items which can be used as weapons. The RSC staff/contractors receiving applicants’
electronics and other items during screening will issue a ticket for the applicants to retrieve
their possessions upon exit. The items will be stored in a safe location accessible only to RSC
staff/contractors/security personnel.
Refugees and interpreters should have separate waiting areas. If there is no dedicated waiting
room available to interpreters, they should be escorted to an area away from refugees while
not engaged in interviews.
For information on securing and maintaining physical files, see Section 3.4.1.
4.2.4 Visual Identification
RSC staff must always wear their identification badges (provided by the RSC) on premises and
while on official RSC business (unless restricted for security reasons). All people (e.g., visitors,
contractors, interpreters, refugees, vendors, etc.) on RSC premises must have adequate
identification that shows their authorized presence or responsibility inside the RSC (i.e., visitors,
contractors, interpreters, refugees, vendors, etc.).
Refugees must be provided with identification to indicate purpose of visit (e.g., cultural
orientation, prescreen interview, USCIS interview, etc.).
4.2.5 Electronic Systems and Processing Requirements
Attaching or Connecting Devices: RSC staff must not connect any personal device to their
workstation or use a personal device to access any work-related content without written
authorization from the IT department and the RSC Director.
Prohibited personal devices include:
Cell phones (except with charge-only cable or adapter; if the workstation detects the
presence of the phone then it is not permitted)
Music players (e.g., iPod)
Thumb drives or external storage devices other than ones issued by the RSC and used only
for information related to WRAPS.
Monitors, headphones, mouse or keyboards, whether wired or wireless
Projectors
CD/DVD players or writers
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 39 ]
RSC staff must not connect any device to the WRAPS network except an RSC, USG, or RPC
provided laptop or desktop computer which is managed by RSC, the USG, or RPC and is up to
date on all patches.
Locked Screens: RSC staff must always lock their computer screens or other devices that
connect to the RSC network (email, WRAPS, RSC websites) when they are not in sight of their
workstation or device. Do not depend on the screensaver to lock the screen. Accounts will be
locked after five or more attempts to log in.
Printer Access: System Administrators at each RSC grant and maintain access for staff to access
printers in shared locations throughout the workspace. It is not permitted to print or scan
documents which contain USRAP data using a personal device without prior authorization from
the RSC Director or Deputy.
Saving Refugee Data: RSC staff must not save refugee data outside of designated electronic
workspaces and drives. This includes in any electronic workspaces that are not designed or
designated to process refugee data. RSCs may use cloud-based storage drives with prior written
approval from RPC Security (e.g., Office 365 tools). The use of such drives, whether cloud-based
or local, is conditional upon the drives being compliant with FIPS 140-2 encryption standards;
RSCs limiting the use of such drives to only RSC staff with need to know; and staff being
explicitly prohibited from downloading or sending documents from the drives to non-RSC issued
workstations, drives, or applications. RSCs must configure electronic workspaces and drives to
limit RSC staff access. Only RSC staff who have a demonstrated need to know should access the
refugee data in order to perform their job function. Only RSC staff should have access to the
platform unless the RSC has express approval from PRM/the RPC for a partner to access as well
(e.g. USCIS). RSCs should not allow refugee data to be downloaded onto non-RSC electronic
workspaces or drives.
All staff must have unique network logins which must be changed every 60 days. The password
must be at least 12 characters long, contain at least one number, one special character and one
upper case letter. Accounts must be immediately deactivated following departure of staff,
including WRAPS, email and any other RSC specific information. Additionally, group email
accounts must have unique network logins which must be changed every 60 days. Account
passwords must be immediately updated following departure of staff with access to the group
email account. Any access points that a departing staff member had access to must be changed
upon departure, to include, but not limited to, codes or passwords for physical access to facility
and all electronic access points. Staff must change all passwords that they use, i.e., door access,
safe access, etc., every 60 days.
For any suspected security incident impacting WRAPS/START data, report to the RPC Help
Desk and the RPC Security Team as soon as possible, and no more than 24 hours after becoming
aware of the incident. If PII data loss is suspected, the incident must be reported immediately, but
no later than four hours after the RSC became aware of the incident. For any suspected security
incident impacting the RSC network, but not impacting WRAPS/START data, report to the RPC
Help Desk and the RPC Security Team as soon as possible.
Access to WRAPS Database: Access to the WRAPS database must be limited to necessary
personnel only, as set forth in Section 2.0. RPC will control all access; all requests must be sent to
the RPC Help Desk. The RPC will review this access semi-annually and revoke when no longer
required.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 40 ]
The RSC Director, in coordination with the RefCoord, must review the WRAPS and Tableau and
START (if applicable) twice a year to ensure robust integrity measures, or upon creation of a new
position, and make any necessary decisions about permissions. Although RefCoords do not need
to approve each individual employee’s access, they should approve the list of positions identified
by the RSC Director as needing WRAPS access, and the level of access required, in consultation
with the Program Officer as necessary. When an RSC is transitioned to START, user role and
group assignments will need to be reviewed and approved by PRM.
Additionally, the RSC must send a notification to the RPC Help Desk when a staff member ends
employment at the RSC to revoke all (WRAPS, Rsharenet, tokens, etc.) access and deactivate the
account.
Only authorized personnel can access the servers. WRAPS circuit ride servers must be physically
protected while in the field and while being returned to the RSC. These servers have to be disc-
encrypted and have anti-virus software installed. WRAPS servers must be physically protected
and secured, including at RSC sites and while on circuit rides.
4.2.5.1 Mobile Access Requirements
RSC management must limit access to office and electronic systems for staff to specific
hours, under supervision. These hours should be posted in an area where they are visible to
all employees in line with local time zones. Staff who need routine access to work email after
business hours must have written permission of the RSC Director/Deputy.
When accessing e-mail offsite using a work-issued computer, users are permitted to do so
using a secured VPN only. Any VPN used for offsite e-mail access should be approved by
RPC Security to ensure that its security features uphold those required by WRAPS. Webmail
should be disabled at the RSC. To limit the unauthorized disclosure of PII, PII information
should remain on the RSC network and should not be stored on personal devices.
The RSC must maintain an updated list of users who have been granted permission to:
Remotely access the RSC workstation and/or USRAP case management system. Note:
PO, RefCoord, and RPC leadership must approve remote access to the USRAP case
management system for RSC staff. RSCs must post the approved list on GitHub.
RSCs that have capability to monitor WRAPS remote log-ins should do so on a
monthly basis to ensure only approved staff are logging into WRAPS remotely and the
hours of log-in are not unusual.
Access VPN outside of normal working hours
Access work email on RSC-issued devices
Phone/Tablets: If the RSC Director/Deputy approves users to access work email and work-
related group email inboxes using an RSC-issued mobile device, those devices must be
remotely managed by the RSC. Any mobile application used to access work email must
follow the encryption standards specified in Section 3.2.
If an RSC-issued phone is used to access work email, a Mobile Device Manager (MDM)
must be installed and configured. MDMs must be approved by RPC Security prior to use. At
a minimum, the MDM should have the ability to carry out the following actions on each
device with e-mail access:
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 41 ]
Locate the device
Lock/unlock the device remotely
Wipe the device remotely
Apply security policies to the device as necessary
Separate emails and attachments from all other RSC phone applications
Prohibit attachments from email to be copied and entered into device applications and
prohibit attachments from device applications to be copied and entered into email
Restrict users from saving attachments locally on their phone
Prohibit copying/pasting from the email application to another application on the device
and vice-a-versa
RSC management may determine policies on limiting which apps can be downloaded and
used on RSC-issued phones/tablets. While the RPC does not restrict which apps may be
downloaded, any app used for communication with applicants must be explicitly approved by
the RPC for such purpose (see Section 3.1.5).
Generally, RSC staff with RSC-issued phones should use the phone for work purposes only.
Limited personal use may be permitted, if authorized by the RSC Director/Deputy, such as
sending a small number of non-work-related emails. Phones must not be used to make a copy
of sensitive information or PII from a screen by taking a picture/screenshot of it, recording a
video, or similar activities. Bluetooth should be disabled on RSC-issued phones. If staff
require the use of Bluetooth to complete RSC work, email your Program Officer with
examples of Bluetooth use to request approval.
Laptop: Staff must always lock the screen on their work laptop in the home office/workspace
area when the laptop is not in their sight. RSC staff must log out of the VPN once the
workday has been completed.
Virtual Private Network (VPN) Access: Access to workstations through a VPN is
authorized for RSC staff on official travel (including circuit rides) during the workday and in
official designated workspaces. Non-senior staff must have access to workstations after work
hours be approved by the RSC Director/Deputy.
The RSC is required to keep an updated list of users who have been granted permission to
access VPN outside of normal working hours.
VPN RSA Token: VPN RSA tokens may be used by staff approved by PRM/RPC to access
WRAPS remotely. If using a hard token, staff should store physical VPN RSA Tokens in a
secure location where it is not accessible by others in their environment if applicable.
Equipment must always be protected from potential theft or unauthorized use.
Work from Home Requirements: RSC Director/Deputy can approve work from home for
staff with a demonstrated need for remote access, and can approve work from home for
senior managers that involves accessing the WRAPS database through the VPN. However,
the RPC Director/Deputy must approve work from home that involves accessing the WRAPS
database for any non-senior managerial staff. RSCs are required to keep an updated list of
users who have been granted permission to work remotely on GitHub. Additional instructions
are available/updated on GitHub. Staff must only access WRAPS remotely through the
RSC’s VPN.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 42 ]
RSCs are responsible for maintaining compliance with RPC requirements regarding the
security of their email systems.
4.2.6 Staff Orientation and Training
As part of annual training, any RSC staff with access to physical and/or electronic records that
contain refugee data must acknowledge, in writing, having read the entire Integrity and
Compliance module. All RSC staff who use an RSC computer connected to the internet must
annually acknowledge, in writing, they have read the WRAPS/START Rules of Behavior, even if
they do not have access to the WRAPS database. This is due to the fact that the WRAPS Rules of
Behavior contain useful information about protecting the network/computer while using the
internet. RSC Management should keep a record of these acknowledgements to ensure staff
compliance – an electronic signature/record of acknowledgement is acceptable.
RSC managers must review the above mentioned forms with new staff, particularly new staff
joining the RSC during remote work/work from home.
All staff with access to WRAPS/START and/or involved in case processing activities must also
receive annual trainings on ethics and fraud prevention, sexual exploitation, abuse prevention,
and, if necessary, the use of interpreters.
All staff are also required to take security training annually, including the RSC security training,
Department of State cyber security awareness training, and RSC headquarters’ security training.
Access to WRAPS may be suspended if training is overdue.
4.2.7 RSC Management Oversight
Where possible, managers must have line-of-sight over staff workspace in their section. If line-of-
sight is not feasible, managers must periodically walk around the premises to physically observe
staff. If staff are working from home, RSC Management must establish a regular check in
schedule with staff.
RSC management is responsible for developing quality controls (QC) and monitoring staff
compliance with SOPs through routine review of staff performance, work product, as well as
regular (at least semi-annual, unannounced pre-screening) observations for each staff member in
accordance with RSC management procedures for performance monitoring. Performance
monitoring should evaluate workplace conduct. RSC agency headquarters are to conduct annual
monitoring that includes fraud vulnerabilities, and submit results to PRM. If staff are found to be
out of compliance, management is to ensure adequate training and/or disciplinary measures.
RSC management is responsible for developing an effective QC process for ensuring different
staff review case files throughout the process, staff are completing the appropriate processing
steps, WRAPS is accurately updated, and maintenance of physical files is being done in a
complete and secure manner. Supervisors and management must develop random QC checks on
cases at key processing points (e.g. after PreScreen, after USCIS interview, before assurance
request, before travel, etc.). Directors should pick a reasonable sample size depending on the
number of cases in the pipeline.
RSC SOPs must be updated as relevant RPC SOPs are updated, at least quarterly, and sent to the
Program Officer for situational awareness. (Note: For RSCs using START, there will be a
different local SOP review/approval process led by the RPC.) SOPs should also be easily
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 43 ]
available to staff. If RSC SOPs deviate from RPC SOPs, the RSC must seek approval from the
Program Officer and the RPC. The change should be noted in the annual Compliance Matrix
report. Regular management and all staff meetings are to be held on monthly and semi-annual
schedules, respectively, at a minimum. If all-staff meetings are not possible due to space
limitations, senior staff should meet with each unit/department regularly and not less than twice a
year.
4.2.7.1 Processing – Quality Control
All case files should be reviewed at different steps by different staff throughout the process.
Quality control checks should be completed after each processing stage. RSCs should work
with the RPC to maintain and regularly update automated quality control reports to run
daily/weekly and catch any anomalies, including regular periodic review of the reports by
senior level managers. To ensure program integrity, staff must verify applicant identity at
every interaction and at the beginning of every activity.
In general, interviews should be scheduled based on application date – i.e., “first come, first
served” – except for urgent cases or other scheduling priorities per local SOPs or in
consultation with RefCoord or the PRM Program Officer. Expedite requests must be
approved in writing by a designated supervisor or manager prior to submission for PRM
authorization. For P-2 caseloads where RSCs grant access, any cases deemed “not qualified”
must be approved by a designated senior level manager, as defined by the RSC and
documented in writing.
USRAP Overseas Processing Manual Control Number: v2.0
Integrity & Compliance
[ 44 ]
Document Change History The table below lists the changes in each version of this document.
Version Date Approved By Summary of Revisions
1.0 30 September
2020
Jen Smith Consolidated Program Integrity &
Compliance, Data Integrity &
Communications, Treatment of Refugee
Records, and Program Integrity Guidelines
into one document and updated information.
2.0 5 February
2021
Nicole Patel Updates to v1.0 based on RSC and RPC
Security Team review and feedback. Final
WRAPS update publication.