PIA - Disability Information Management System (DIMS)
DEPARTMENT OF TRANSPORTATION
Office of the Secretary of Transportation (OST)
PRIVACY IMPACT ASSESSMENT
DRC Information Management System (DIMS)
August 14, 2007
TABLE OF CONTENTS
Overview of Privacy Management Process
Personally Identifiable Information (PII) & DIMS
Why DIMS Collects Information
How DIMS Uses Information
How DIMS Shares Information
How DIMS Provides Notice and Consent
How DIMS Ensures Data Accuracy
How DIMS Provides Redress
How DIMS Secures Information
How Long DIMS Retains Information
System of Records
Overview of Privacy Management Process
The Disability Resource Center (DRC) provides reasonable accommodations, technical assistance and training to employees of and applicants to the Department of Transportation (DOT). DOT's reasonable accommodation order requires accommodations be performed within certain timeframes. DRC works with the Department of Defense Computer and Electronics Accommodation Program (CAP). When CAP is not able to provide accommodations, DRC provides them.
DOT is also required to submit reports to the Equal Employment Opportunity Commission detailing the numbers of accommodations provided by type and by job series and the time frames for fulfilling them. Each DOT agency is responsible for reporting this information to the Departmental Office of Civil Rights.
While DRC does not receive all accommodation requests as many are out of scope, the office does provide information on the accommodation requests received to the agencies and to the Office of Civil Rights.
In order to keep track of the accommodations provided and the time to process them, DRC uses a tracking system to record accommodation requests. Access to the system is limited to DRC accommodation specialists only. It is a Microsoft Access-based system.
Personally Identifiable Information (PII) & DIMS
The PII recorded in DIMS is the same information available in telephone and email directories and organizational descriptions. The person's name, routing, telephone, email, address and supervisor's name and contact information are requested. They are not required. The information collected by DIMS does not fall into the Sensitive Personally Identifiable Information (SPII) category, or Health Insurance Portability and Accountability Act (HIPAA) category.
Why DIMS Collects Information
DIMS collects information in order to assist DOT agencies in meeting their reporting requirements and to answer general questions such as how many accommodations have been requested during a particular time frame.
How DIMS Uses Information
While a paper form is available to people requesting services, the form is not required. Email and telephone communications may also be used to collect basic name and contact information.
How DIMS Shares Information
DIMS does not connect with any other system, does not maintain any personnel records, nor does it contain any medical records. User accounts are limited to DRC accommodation specialists. Information is provided to designated agency staff, typically the disability program managers.
How DIMS Provides Notice and Consent
For an individual's name and agency contact information to appear in DIMS, he or she must have submitted his or her own information with a request to be included. Accommodation requests may only be made by the employee and in rare cases by an immediate family member.
Notice will be additionally provided through a privacy policy posted on the accommodation request form, as well as the applicable Privacy Act System of Records notice, currently being developed.
How DIMS Ensures Data Accuracy
DIMS receives most PII directly through interactions with the individual requesting service and relies on the individual to provide accurate data. DIMS does not require individuals to maintain or update their information once a request has been closed. The information provided is included in an action plan if a request is approved. The employee and/or their supervisor may change the information when the action plan is approved.
Under the provisions of the Privacy Act, individuals may request searches of DIMS data to determine if any records have been added that pertain to them individually. PII about any person in DIMS will only be provided to that individual, or to an authorized official of the agency. DRC does not determine who is authorized; that is the responsibility of the agency Civil Rights Office. This is accomplished by contacting the System Manager as will be directed in the Privacy Act System of Records notice.
How DIMS Provides Redress
As provided for by the System of Records notice under the Privacy Act, individuals with questions about privacy and DIMS may contact the DIMS System Manager. In addition, privacy concerns can be directed to the agency civil rights office.
How DIMS Secures Information
DRC takes appropriate security measures to safeguard PII and other sensitive data. DRC applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of DRC employees and contractors.
Role | Access | Safeguards |
---|---|---|
User | Submit new request information submitted by the individual requesting service; update and close request records | System Manager-set user name and password; account set-up approved by supervisor and Administrator; minimum length of passwords is 8 characters; user must accept rules of behavior before completing logon; must access system from computers which also have user name/password access control; access to data limited by server-based access control lists based on user account |
Site Administrator | Search and view user names and profile information; grant User accounts, reset account passwords; view, search, add, change, and delete all information in database; prepare reports for agencies upon request | User-set user name and password; account set-up approved by management; minimum length of passwords is 8 characters; passwords must be combination of alpha/numeric characters; must access system from computers which also have user name/password access control; access to data limited by server-based access control lists based on user account |
How Long DIMS Retains Information
Information is retained in accordance with the Records Retention Schedule.
System of Records
DIMS contains information that is part of an existing System of Records subject to the Privacy Act, because it is searched by an individual's name. The Department of Transportation controls the data and maintains System of Records responsibilities.
OST is in the process of renewing the DIMS certification and accreditation in accordance with DOT information technology security standard requirements.