PIA - ATO Application Portal (AAP)
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
PRIVACY IMPACT ASSESSMENT
ATO Application Portal (AAP)
April 10, 2010
System Overview
The Federal Aviation Administration (FAA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs to ensure the safest, most efficient aerospace system in the world. The FAA is responsible for:
- Regulating civil aviation to promote safety;
- Encouraging and developing civil aeronautics, including new aviation technology;
- Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
- Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
- Regulating United States (U.S.) commercial space transportation.
One of the programs that help the FAA fulfill this mission is the ATO Application Portal (AAP), which is an Oracle-based platform that hosts and provides single sign-on capability for several ATO facility reports and applications.
Information, Including Personally Identifiable Information (PII), in AAP
The ATO Application Portal (AAP) system contains both personally identifiable information (PII) and non-personally identifiable information pertaining to ATO employees. PII contained within the ATO Application Portal (AAP) system includes:
- Date of Birth
- First Name
The following data elements are only requested of the user for validation purposes during the user's first login and are not stored in the application:
- Last four digits of the individual's Social Security Number
- Last Name
An individual's PII is entered into the ATO Application Portal (AAP) system by electronic transfer of information from the facility databases.
Why ATO Application Portal (AAP) Collects PII Information
ATO Application Portal (AAP) collects information in order to correctly identify and map a user's NextGen ID with their facility record to provide appropriate access to the employee within an application hosted on the portal.
An individual is prompted to enter their last name and the last four digits of their SSN when they first attempt to enter the portal. This information is used to map the user's NextGen ID with their information obtained from the facility database.
Legal Authority for Information Collection
The legal authority for this collection is 49 U.S.C. 322, 49 U.S.C. 40122(g), 49 U.S.C. 40101, 40 U.S.C. 1441, 5 U.S.C. 302.
How ATO Application Portal (AAP) Uses PII Information
Information in the ATO Application Portal (AAP) is used by the system to correctly identify the employee and tie that individual to their facility record. The portal provides single-sign-on access to the list of applications that are available to that specific user. The portal is responsible for passing the user name to those particular applications.
How ATO Application Portal (AAP) Shares PII Information
PII contained in ATO Application Portal (AAP) is not shared with any parties, except for the individual's username being transmitted to the application the individual is looking to use via their single sign-on privileges. The list of systems that the particular user can access will be listed when they sign into the portal.
How ATO Application Portal (AAP) Provides Notice and Consent
For an individual's PII to be included in the ATO Application Portal (AAP), that individual must be an FAA employee and their record should be present in the facility database. This information is used by the system if and when the user logs on to the portal for the first time to map to their NextGen ID. Users have to agree to the privacy policy each time they sign in by clicking OK.
How ATO Application Portal (AAP) Ensures Data Accuracy
PII information is obtained electronically from the facility databases via automated processes. These processes were tested and validated when they were implemented. For accuracy of the data, AAP relies on the data that is available in the facility databases. For instance, if an individual leaves the FAA, they automatically lose access to the portal as their NextGen username would be removed.
Under the provisions of the Privacy Act, individuals may request searches of the ATO Application Portal (AAP) file to determine if any records have been added that may pertain to them. This is accomplished by contacting the ATO Application Portal Administration team.
How ATO Application Portal (AAP) Provides Redress
The Privacy Office should be contacted in order to make a request for access to AAP records.
How ATO Application Portal (AAP) Secures Information
ATO Application Portal (AAP) takes appropriate security measures to safeguard PII and other sensitive data.
- No reports are designed or produced that contain the Social Security Number.
- Access to this information is only available to authorized individuals.
- The system is only accessible on the FAA LAN.
- Authentication occurs over an SSL connection.
In addition, access to ATO Application Portal (AAP) PII is limited according to job function.
How Long ATO Application Portal (AAP) Retains PII
Data in ATO Application Portal (AAP) is maintained for as long as the data exists in the upstream facility databases. As staff leave, their accounts are automatically removed. Login history is maintained permanently within the system. This information includes:
- The user's Login ID (NextGen ID)
- The date and time the login/log-off action was taken
- The result of the action - success or failure.
AAP System of Records Notice (SORN)
AAP is not a system of records as a general user cannot search the application.