The bill inserts a new Section 210H into the Homeland Security Act of 2002 requiring the Under Secretary for Intelligence and Analysis (the Under Secretary) to conduct an initial audit within 180 days of enactment and annual audits thereafter of the Office of Intelligence and Analysis’ (OIA) information systems and bulk data holdings. It creates statutory definitions for “bulk data” (data acquired without discriminants and largely unlikely to provide intelligence value) and “discriminants,” and requires the Under Secretary to notify designated congressional committees within 30 days when OIA first analyzes a new bulk dataset or changes the dataset’s terms and conditions.
Audit findings must be delivered to those committees within 30 days of audit close, and the GAO must review implementation within four years.
This bill formalizes internal audit and congressional notice obligations around bulk data acquisitions at DHS rather than creating a public or independent oversight mechanism. For practitioners, it shifts transparency toward congressional oversight, codifies a contested definition of bulk data that could reshape procurement and analytic practices, and raises operational and compliance questions for OIA program offices and data providers.
At a Glance
What It Does
Adds Section 210H to the Homeland Security Act to require the Under Secretary for Intelligence and Analysis to perform an audit of OIA information systems and bulk data within 180 days and annually thereafter; defines key terms including 'bulk data' and 'discriminants'; requires 30‑day congressional notifications for first use of new bulk datasets and for changes to terms; mandates submission of audit findings to specified congressional committees and a GAO review of implementation within four years.
Who It Affects
Directly affects the DHS Office of Intelligence and Analysis and the Under Secretary for Intelligence and Analysis, the House and Senate homeland security and intelligence committees named in the bill, and the Government Accountability Office. Indirectly affects DHS program offices that acquire or analyze large datasets, third‑party data providers, and civil‑liberties stakeholders tracking bulk collection.
Why It Matters
The bill codifies a definition of 'bulk data' and creates routine internal audit and congressional notification requirements that can change how DHS purchases, stores, and analyzes large datasets. It increases oversight visibility inside Congress without prescribing public disclosure or independent external audits, which will shape both compliance burdens and analyst access to data.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill amends the Homeland Security Act by adding Section 210H, which creates a recurring internal audit regime inside DHS focused on information systems and collections that qualify as 'bulk data.' The initial audit must occur within 180 days of enactment and audits must continue annually; the statute ties the content and conduct of those audits to the Office’s own intelligence oversight guidelines rather than prescribing a detailed external standard. The Under Secretary is the entity charged with performing the audits and delivering findings to Congress.
The statutory definitions matter. 'Bulk data' is defined as datasets acquired without discriminants where a substantial portion is unlikely to have intelligence or operational value, and 'discriminants' are identified as selectors or selection terms. Those definitions determine which datasets trigger the audit and notification requirements.
Because the definition hinges on how likely a dataset is to contain intelligence value, program offices and counsel will need to develop processes to classify acquisitions and document the assessment that led to a 'bulk' determination.On notifications and reporting, the bill requires the Under Secretary to notify specified congressional committees within 30 days after OIA first analyzes or otherwise uses any new bulk dataset and to update those committees within 30 days whenever associated terms and conditions change. After each audit concludes, the Under Secretary must provide Congress with the audit’s findings within 30 days.
Four years after enactment the GAO must review how the annual audit requirement has been implemented and recommend improvements.Notably, the statute centralizes oversight reporting to Congress and does not mandate public reporting, an independent inspector‑general audit, or specific remedies for identified problems. It instructs OIA to follow its own oversight guidelines for audits, which preserves classified handling but limits external procedural detail.
The bill therefore moves transparency and accountability inward—toward internal processes and congressional notification—while leaving several implementation choices and practical tradeoffs to DHS and its oversight committees.
The Five Things You Need to Know
The bill adds Section 210H to the Homeland Security Act and requires the Under Secretary for Intelligence and Analysis to run an initial audit within 180 days and annual audits after that.
It defines 'bulk data' as datasets acquired without discriminants where a significant portion is not reasonably likely to have intelligence or operational value, and defines 'discriminants' as identifiers or selection terms.
The Under Secretary must notify named House and Senate homeland security and intelligence committees within 30 days after OIA first analyzes a new bulk dataset and within 30 days of any change to the dataset’s terms and conditions.
Audit findings must be submitted to the same congressional committees within 30 days of audit completion, making audit outcomes available to congressional overseers on a fast timeline.
The GAO must deliver a review of how the annual audit requirement has been implemented, including challenges and recommendations, not later than four years after enactment.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Names the measure the 'DHS Intelligence and Analysis Oversight and Transparency Act.' This is a housekeeping element but signals the bill’s dual focus on oversight and transparency directed at the Office of Intelligence and Analysis.
Definitions—'appropriate congressional committees', 'bulk data', and 'discriminants'
Establishes who receives notifications and reports (the House and Senate homeland security and intelligence committees) and supplies the statutory meaning of 'bulk data' and 'discriminants.' Practically, these definitions determine the scope of the auditing and notification obligations: whether an acquisition is treated as 'bulk' depends on assessments of acquisition method (presence or absence of discriminants) and the judged intelligence utility of the data. That creates a process and evidentiary burden for program offices to justify their classification choices.
Annual audit requirement
Directs the Under Secretary to conduct an audit of OIA information systems and bulk data not later than 180 days after enactment and annually thereafter, and to align those audits with the Office’s intelligence oversight guidelines. The provision makes the audits an explicit statutory duty but leaves substantive audit standards, scope, and public handling to existing internal guidance, which will shape how much of the audit is reviewable outside classified channels.
30‑day notifications for new bulk datasets and changes
Requires prompt notification—within 30 days—to specified congressional committees when OIA first analyzes a new bulk dataset and when the dataset’s terms or conditions change. Timing is tight and will require operational processes to detect first use and to surface contract or legal‑term changes quickly. The requirement focuses transparency toward Congress rather than public disclosure and creates a near‑real‑time reporting duty that program managers must support.
Audit reporting and GAO implementation review
Mandates that the Under Secretary submit audit findings to the appropriate congressional committees within 30 days after each audit concludes, and directs the Comptroller General to deliver a review of implementation and recommendations within four years. The GAO review is retrospective and timing‑limited; it will evaluate how the annual audits have been carried out and what obstacles arose, providing Congress with a longer‑term independent look but not an immediate external audit role.
Table of contents update
Adds an entry for the new Section 210H to the Homeland Security Act table of contents. Purely administrative, but necessary to integrate the new statutory text into the published Act.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Designated congressional oversight committees — gain routine, timely visibility into OIA’s use of large datasets through 30‑day notifications and receipt of audit findings, improving their ability to oversee acquisitions and practices.
- Civil‑liberties and privacy groups — benefit indirectly because the statutory attention to bulk data acquisition and the GAO’s mandated review create new avenues for questions about mass collection practices, even if reports are not public.
- DHS governance and compliance teams — benefit from a clear, recurring audit obligation that can be used to standardize internal controls, document compliance, and defend acquisition choices to Congress.
- GAO and oversight community — benefit from a formal, time‑bounded mandate to evaluate how audits are implemented, which positions GAO to recommend structural fixes or statutory clarifications.
- Communities at risk of indiscriminate collection — benefit from increased congressional visibility into bulk acquisitions that may affect civil liberties, though benefits are mediated by how committees act on information.
Who Bears the Cost
- Office of Intelligence and Analysis and the Under Secretary — shoulder the operational and administrative cost of conducting initial and annual audits and of preparing timely notifications and audit reports.
- DHS program offices that acquire or manage large datasets — face compliance and documentation burdens to classify acquisitions, track use, and respond to audits, which can slow procurement and analytic workflows.
- Third‑party data providers and contractors — may face increased scrutiny and contract renegotiations as DHS documents terms and conditions and justifies bulk purchases to auditors and congressional staff.
- Analysts and operational units — could see reduced access or delayed access to datasets if program offices become more conservative in acquisitions to avoid triggering 'bulk' status or to simplify compliance.
- GAO and congressional staff — will need to allocate personnel and resources to receive, review, and act on notifications and audit findings, and to carry out the statutory four‑year review.
Key Issues
The Core Tension
The bill tries to reconcile two legitimate goals—stronger oversight of large data acquisitions and protection of classified analytic capabilities—by requiring internal audits and prompt congressional notice while preserving internal oversight standards and classified handling; that design improves congressional visibility but leaves open whether internal self‑policing and nonpublic reporting will be sufficient to curb misuse or to provide the transparency advocates seek.
The statute leaves several important implementation choices unresolved. 'Bulk data' hinges on two subjective criteria—acquisition without discriminants and the assessment that a sizeable portion lacks intelligence value—neither of which includes a quantitative test. That invites divergent interpretations across DHS components and could produce inconsistent classification outcomes or encourage behavioral workarounds (for example, inserting minimal discriminants to avoid 'bulk' labeling).
Audits must be 'consistent with the intelligence oversight guidelines of the Office,' a standard that preserves classified handling but limits external clarity about audit scope, methods, and remedial requirements.
The bill centralizes transparency toward congressional committees but does not create public reporting, an independent external audit obligation (for example, an inspector general audit), or mandatory corrective actions when audits identify deficiencies. The GAO review is a useful backstop but is scheduled only once, four years out, and focused on implementation challenges rather than immediate program fixes.
Finally, the 30‑day notification windows are operationally demanding and could reveal sensitive program activity to committee staff in close to real time, raising familiar tensions between oversight timeliness and protection of sensitive sources, methods, and ongoing operations.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.