DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
PRIVACY IMPACT ASSESSMENT
Delphi Transaction File System (DTF)
April 10, 2010
The Federal Aviation Administration (FAA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs to ensure the safest, most efficient aerospace system in the world. The FAA is responsible for:
- Regulating civil aviation to promote safety;
- Encouraging and developing civil aeronautics, including new aviation technology;
- Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
- Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
- Regulating U.S. commercial space transportation.
One of the systems that helps the FAA fulfill this mission is the DTF system, which serves as a centralized repository of historical financial information for the FAA which facilitates more efficient processing on the part of downstream financial systems.
The Delhi Transaction File (DTF) System serves as a centralized repository of historical financial information for the FAA. The information is extracted from the DOT core accounting system, DELPHI. While DELPHI retains information for all of the Agencies in the DOT, DTF contains only financial information specific to the FAA. The FAA Office of Financial Services (ABA-020) operates DTF to provide an historical extract of budget, financial, and performance management data from the central accounting system of DOT to the FAA systems which collect, interpret, validate, and stage the data rather than requiring separate FAA financial systems to perform these duplicate tasks. The separate systems that are provided with information are detailed in a later section of this document, How DTF Shares Information.
Personally Identifiable Information (PII) and DTF
The DTF system contains personally identifiable information (PII) pertaining to:
- FAA employees
- Businesses and persons who have paid money to or received money from the FAA.
The DTF system contains non-personally identifiable information pertaining to:
- Financial Accounting transactions
- Lists of various accounting codes
PII collected in the DTF system includes:
- The name of the FAA employee who is the project manager of an FAA project.
- The name of the FAA employee who has made a purchase request.
- The name of an FAA employee who has entered or updated a record in the accounting system.
- The name and partial credit card number of an FAA employee who has made a purchase with an FAA purchase card.
- The name of a business that has received payment via an FAA purchase card.
- The name and address of a business or governmental entity that has paid money to the FAA.
- The name and address of a person acting as a business that has paid money to the FAA.
- The name, address, bank name/address, bank account number, and taxpayer's ID of a business or governmental entity that has received money from the FAA.
- The name, address, bank name/address, bank account number, and taxpayer's ID/SSN of a person acting as a business that has received money from the FAA.
- The name, address, bank name/address, bank account number, and taxpayer's ID/SSN of an FAA employee that has received money from the FAA.
The DTF system is a copy of the Delphi accounting system data for the FAA financial transactions. Information is transferred from Delphi and loaded into DTF as an automated electronic data feed. No data is entered into the system by any user.
Why DTF Collects Information
DTF collects information to support other FAA financial systems. Ultimately the users of financial systems interconnected with DTF perform analysis of budget, financial, and performance management functions using the information, DTF has no users other than the downstream financial systems.
How DTF Uses Information
Information in DTF is used by the FAA financial information community who are tasked with budget, financial, and performance management data of FAA financial systems.
How DTF Shares Information
PII contained in DTF is shared with the following financial systems within the FAA:
- Budget Execution Module (BXM)
- Cost Accounting System (CAS)
- Reporting, Analysis and Distribution (RADS)
- Resource Tracking Program (RTP)
- Automated Inventory Tracking System (AITS)
- Air Traffic Organization National Data Center (ATO NDC)
- Consolidated Automated System for Time and Labor Entry (CASTLE)
- Federal Personnel Payroll System (FPPS )
- Document Control file (DCF)
PII contained within DTF is also shared with the FAA's PABACUS Database which feeds the FAA Air Traffic Organizations Suite of Financial Applications, including:
- Regional Information System (REGIS),
- Financial Management System (FMS), and
- Research, Engineering and Development Monitoring, Analysis, and Control System (REDMACS)
Authorized users, or systems, access the finalized DTF data via customized Oracle database views which are read-only and only present the necessary need-to-know data for that user type. In other words, DTF employs a least privilege to safeguard the PII in the database.
How DTF Provides Notice and Consent
For an individual's PII to be included in the DTF system, that individual must:
- Have paid money to the FAA.
- Have received money from the FAA.
- Be an FAA employee who has had travel orders or reimbursement voucher.
- Be an FAA employee who has purchased with an FAA purchase card or made a purchase request.
- Be an FAA employee who has entered data into the Delphi accounting system.
- Be an FAA employee who is the project manager of a FAA project.
The DTF system is a copy of the Delphi accounting system data. No notice or consent is given by the Delphi accounting system in that a financial relationship exists with individuals whose information in contained within that system. DTF has the same limitation regarding notice and consent.
How DTF Ensures Data Accuracy
The DTF system is a copy of the Delphi accounting system data for the FAA financial transactions. Information is transferred from Delphi and loaded into DTF as an automated electronic data feed. No data is entered into the system by any user. As a part of the automated data feed, the data is checked to ensure it loaded properly from the source files. No verification is done regarding the accuracy of the data values in the source file other than what is provided by the Delphi accounting system.
Under the provisions of the Privacy Act, individuals may request searches to determine if any records have been added that may pertain to them. Since the DTF system is merely a copy of the Delphi accounting system data, it is not the official system of record for the data. Any requests under the Privacy Act should be directed to the official system of record, Delphi.
How DTF Provides Redress
Under the provisions of the Privacy Act, individuals may request searches of the DTF files to determine if any records have been added that may pertain to them.
Notification procedure: Individuals wishing to know if their records appear in this system may inquire in person or in writing to the appropriate system manager. Included in the request must be the following:
- Mailing address
- Phone number and/or email address
- A description of the records sought, and if possible, the location of the records
Contesting record procedures: Individuals wanting to contest information about themselves that is contained in this system should make their requests in writing, detailing the reasons for why the records should be corrected. Requests should be submitted to the attention of the FAA official responsible for the record, at the address appearing in this notice.
Federal Aviation Administration
DAFIS Accounting Manager (B-30)
Office of the Secretary
Office of Financial Management
400 Seventh St SW
Washington DC, 20590
How DTF Secures Information
DTF takes appropriate security measures to safeguard PII and other sensitive data.
- DTF utilizes an Oracle database that encrypts the logon process and stores the account passwords in an encrypted format.
- AMI employs automated tools, such as FoundStone Enterprise and Nmap on the AMC Domain to identify technical vulnerabilities and manage system patches.
- Symantec Antivirus Corporate Edition (SAV CE), with the latest virus pattern signatures, protects the DTF's data and program integrity from problems introduced by malicious code.
- The FAA Enterprise Network (ENET) security services defend against external threats (those originating from the Internet) thereby protecting the FAA internal networks infrastructure. This significantly reduces the potential risks introduced by intentional human threats and malicious code threats originating from outside of the FAA's network.
- Implementation of various operational and technical controls assures user accountability, including: annual user security awareness training, user acknowledgement and adherence to the Rules of Behavior, interconnection agreement or Memorandum of Understanding (MOUs) with downstream systems, and the system administrators regularly reviewing the system/application logs for anomalous activity. There have been no known violations that would require disciplinary action to date.
Access to DTF PII is limited according to job function. In addition the requirements of the Federal Information Security Management Act of 2002 (FISMA), a Security Certification and Accreditation (C&A) was completed for DTF. The C&A process is an audit of policies, procedures, controls, and contingency planning, required to be completed for all federal government IT systems every three years. All relevant policies, procedures and guidelines, including NIST Special Publication 800-53, have been followed to ensure the security of the system and the information it contains.
How Long DTF Retains Information
Data in the QLIKVIEW system is maintained as outlined in the FAA Records Management Order 1350.15C. For reporting information relating to financial information in the form of reports and analysis of financial actions the cut off is at the end of the fiscal year in which records supports. The information is to be destroyed seven years after cut off in accordance with applicable federal standards or in accordance with limitations on civil actions by or against the U.S. Government (28 U.S.C. 2401 and 2415) if no longer required for business purposes.
System of Records
DTF is not a system of records subject to the Privacy Act because it is not designed to be searched by name, SSN, address, phone number, or any other personally identifiable field. Although those fields exist in the database, the system is designed to be searched by date.