DEPARTMENT OF TRANSPORTATION
Federal Highway Administration
PRIVACY IMPACT ASSESSMENT
National Highway Institute's Contract Management and Tracking System (CMTS) and Web site (NHIW)
May 27, 2009
TABLE OF CONTENTS
Overview of NHI's privacy management process for CMTS and the NHIW
Personally Identifiable Information (PII) related to CMTS and the NHIW
Why CMTS and the NHIW Collect Information
How CMTS and the NHIW use information
How CMTS and the NHIW will share Information
How NHI Provides Notice and Consent
How CMTS and the NHIW Ensure Data Accuracy
How CMTS and the NHIW Provide Redress
How CMTS and the NHIW Secure Information
System of Records
The Federal Highway Administration (FHWA), within the Department of Transportation (DOT), has been given the responsibility of enhancing the highway movement of people and goods, while also ensuring the safety of the traveling public, promoting the efficiency of the transportation system, and protecting the environment. One vital component involved in reaching those goals is providing training pertaining to highway activities, making sure that professionals and members of the public have access to the best, most accurate information. Towards this goal, the National Highway Institute (NHI) within FHWA develops and implements applicable training programs. To manage this increasingly complex task and to make the training process more accessible and useful, NHI uses the Contract Management and Tracking System (CMTS) and the NHI Web Site (NHIW).
CMTS is NHI's primary management information system. It is the repository of operational information for all aspects of NHI's business and is designed to aid NHI in the development, administration, and maintenance of its training events. Through CMTS, the user tracks courses from concept to discontinued stages. CMTS also maintains contracts and accounts payable, tracks sessions that are offered for each course, manages instructor and customer records, and serves as the tracking mechanism for accounts receivable invoices.
The NHIW is part of a publicly available web site, www.nhi.fhwa.dot.gov. Through this system, members of the public can sign up for and take NHI-developed training, link to a separate government web site to pay for that training, schedule and participate in a Web conference, request to host a session, and purchase materials related to the trainings offered.
These two systems (CMTS and the NHIW) are directly connected, with CMTS being the back-end to the NHIW. The course and session data stored in CMTS is displayed on the NHIW. The information collected via the NHIW, such as customer purchases or instructor registrations, is transferred and stored in CMTS, and the User Profile and Access Control System (UPACS) if it is a customer's account. UPACS is a Web-enabled system designed to set and manage appropriate access to various FHWA systems, as well as detect unauthorized access.
Privacy management is an integral part of CMTS and the NHIW. Privacy management utilizes proven technology, sound policies and procedures, and proven methodologies. The FHWA and DOT Privacy Offices and FHWA Information System Security Officer (ISSO) have been involved in on-going privacy and security reviews of these systems. This involves interviews with key individuals involved with these systems to ensure that all uses of personally identifiable data, along with the risks involved with such use, are identified, documented, and managed securely.
The information gathered by and supporting CMTS and NHIW requires Office of Management and Budget (OMB) approval under the Paperwork Reduction Act. FHWA has obtained the OMB approval (#2125-0590).
CMTS and the NHIW use PII data from and about members of the public who take NHI-developed training. To understand the PII data stored in CMTS, we first explain how it is collected through the NHIW. NHIW users may:
- Search for available training and scheduled sessions, as well as browse general information regarding NHI and developing courses;
- Sign-up to participate in a Web conference by providing first name, last name, organization name and e-mail address;
- Register as an instructor by providing a minimum of first name, last name, and e-mail address. Other, non-required fields include: middle initial, organization name and contact information, instructor bio, supervisor name, supervisor organization name and contact information.
- Register to use the Web site for controlled functions via UPACS. Controlled functions include: purchasing a seat in a session, submitting a host request, purchasing material, and requesting/managing a Web conference.
After an individual user registers with the NHIW other features are available, including:
- Updating profiles,
- Enrolling in training,
- Ordering training materials,
- Requesting to host an Instructor-led session (class), and
- Requesting to host a Web conference.
The only PII data displayed in NHIW is for the web conference administrator to view the participant list for Web conferences. This list includes name, work e-mail and work phone number. Those listed sign up for a Web conference without logging into the NHIW.
The data collected through the NHIW for user accounts is stored in UPACS and accessed via CMTS. The information collected includes: first name, last name, work e-mail address, work address, and work phone number. NHI uses data submitted through the NHIW to administer training and deliver requested information.
In order to track participant records for session completion to maintain International Association for Continuing Education and Training (IACET) accreditation, NHI is required to maintain learner histories. The learner histories for FHWA participants are maintained in eLMS per the requirement of DOT. This data is manually entered based on hard copy forms 3 weeks after an FHWA participant completes a session. For participants external to FHWA, CMTS maintains this data from paper forms that are stored in a locked room. Only limited personnel whose job functions require access to these files have access. These files are maintained according to IACET rules and regulations. CMTS contains the following PII on training participants: first name, last name, work e-mail address, work address, work phone number and training history information. To manage the instructor registration process, Instructor information is also stored in CMTS. The PII data for instructors include: first name, last name, work e-mail address. Instructor work address, and work phone number may also be collected.
Authorized NHI staff has access to the NHIW data through CMTS, with system access rights and privileges managed by the system owner. CMTS and NHIW user account information is stored in UPACS. CMTS can only be accessed by authorized users who have a UPACS User ID and password.
In general, the NHIW collects PII in order to register users. The information collected is stored in UPACS and CMTS, and contact information is used to communicate with participants, and track and manage the training process for individuals who have taken or will take NHI courses.
Specifically, UPACS collects through the NHIW:
- First Name and Last Name - - to uniquely identify a user
- Work Address, Work Phone Number, and Work e-mail Address - - to communicate with the user and to fulfill student requests for training and materials
Though students are able to purchase NHI training and materials online, the e-commerce transaction is fulfilled through a link to www.pay.gov.
Information in an identifiable form is used to provide NHI and its customers with an enhanced, efficient training process. NHI does not use PII in CMTS or the NHIW for any purposes outside of the training management process, except as may be authorized by law. The NHIW system collects PII only with express permission of users, and only for activities associated with the training process.
CMTS and NHIW will not share PII in any way with external agencies or entities, except as described above or as may be required by law. Only authorized FHWA staff and contractors will have access to the systems.
CMTS stores and the NHIW collect most PII via UPACS directly from individuals who register with the NHIW. Customers can change their personal information, and request removal of their account access from NHIW, CMTS, and UPACS at any time.
If a customer has provided a non-functional email address or other contact information an authorized NHI staff member contacts that customer by phone or postal letter, requesting that he or she update the information. In addition, if during the training process an authorized NHI staff member realizes that an item of PII is incorrect, he or she may request that the student change the information online.
CMTS and the NHIW are housed in a facility run by FHWA staff. Physical access to these systems is limited to authorized personnel through building key cards and room-access key pads.
In addition to physical access, electronic access to PII in CMTS is limited to job function. CMTS is divided into modules and users of the system have specific access authorization to these modules based on the responsibilities of their job function.
CMTS and the NHIW are Privacy Act Systems of Records, as they are searched by name and unique identifier. NHI received its Certification and Accreditation for both CMTS and the NHIW in 2006. These systems are undergoing re-certification and accreditation as of May 2009.