DEPARTMENT OF TRANSPORTATION
Federal Motor Carrier Safety Administration (FMCSA)
Enforcement Management Information System (EMIS)
PRIVACY IMPACT ASSESSMENT
June 6, 2006
Overview of Federal Motor Carrier Safety Administration (FMCSA) privacy management process for EMIS
FMCSA within the Department of Transportation (DOT) has been given the responsibility to reduce crashes, injuries, and fatalities involving large trucks and buses. In carrying out its safety mandate, FMCSA:
- Develops and enforces data-driven regulations that balance motor carrier (truck and bus companies) safety with industry efficiency;
- Harnesses safety information systems to focus on higher risk carriers in enforcing the safety regulations; and
- Targets educational messages to carriers, commercial drivers, and the public.
To meet these goals, FMCSA partners with stakeholders, including Federal, State, and local enforcement agencies, the motor carrier industry, safety groups, and organized labor on efforts to reduce bus and truck-related crashes. Since the first step to reduce accidents is to understand them, FMCSA collects and maintains commercial vehicle safety data, as well as a national inventory of motor carriers and shippers subject to the Federal Motor Carrier Safety Regulations (FMCSRs) and Federal Hazardous Materials Regulations (FHMRs). EMIS is a tool that helps FMCSA manage this data.
EMIS is a web-based computerized information system utilizing a centralized database to support FMCSA in meeting their responsibilities regarding enforcement of federal laws and regulations designed to insure the safety of commercial motor carriers and shippers engaged in interstate operations within the United States. This system maintains a comprehensive record of FMCSA enforcement actions taken against interstate carriers, hazardous materials shippers, and individuals subject to the FMCSRs or FHMRs.
Privacy management is an integral part of the EMIS project. DOT/FMCSA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and FMCSA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FMCSA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appoint a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the EMIS system to ensure that all uses of PII data, along with the risks involved with such use, are identified and documented.
- Organize the resources necessary for the project's goals. Internal DOT/FMCSA resources, along with outside experts, are involved in reviewing the technology, data uses and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph immediately above work to develop an effective policy or policies, practices and procedures to ensure that fair information practices are complied with. The policies effectively protect privacy while allowing DOT/FMCSA to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training of all individuals who will have access to and/or process PII. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the FMCSA project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures will be required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints can be effectively addressed and corrections made if necessary.
PII and EMIS
EMIS records include information on enforcement cases initiated by FMCSA against companies and drivers of commercial motor vehicles (i.e. trucks with a gross combination weight of 10,001 pounds or more, buses used to transport more than 9 passengers, including the driver), and vehicles transporting hazardous materials. It also includes information on cases against shipping and freight forwarding companies registered with FMCSA. Specific information related to individuals is maintained on:
- Drivers associated with enforcement actions resulting from vehicle inspections and crashes investigated by federal and state motor carrier enforcement officials;
- Officials associated with the motor carrier companies and/or drivers who are the subject of enforcement actions recorded in the system; and
- FMCSA and state officials authorized access to EMIS via personally assigned user accounts.
Records and reports in this system are referenced by a unique Enforcement Case Number. Each Enforcement Case Record may include:
- Subject Identification Information: USDOT Number, subject's name, address, and phone numbers, type of operation, Employer Identification or Social security number, etc. The subject of an enforcement action may be a company or an individual.
- General Case Information: Information related to the persons and organizations initiating and managing the action. May include originating Division and/or Safety Investigator, managing Service Center and/or Enforcement Specialist, etc.
- Contact Information: Names, addresses and phone numbers of persons with an interest in the case, including subject's point of contact, legal advisor, etc.
- Violation and Fine Information: Specific federal laws and regulations for which the subject is being prosecuted and the counts and fines being assessed for each.
- Fine Payment Information: Data associated with the subject's payment of fines assessed as a result of an enforcement action.
- Actions Taken Information: Chronological list of activities associated with management of the case with comments and users inputting the data.
- Document References: Link to electronic documents associated with management of the case.
Why EMIS collects information
EMIS collects PII in order to track safety-related data in the hopes of recognizing trends that can be useful when making policy and other changes.
Data is collected to identify individuals involved in enforcement actions, and to track and manage enforcement actions.
For individuals with direct access to EMIS, FMCSA also collects necessary PII to authenticate users and restrict permissions, and EMIS associates these individuals with user-created user IDs and passwords.
How EMIS uses information
FMCSA's field and State enforcement personnel access EMIS to perform operations, analysis, and reporting in support of their responsibilities regarding the enforcement of motor carrier operations within the United States in accordance with the FMCSRs and FHMRS.
How EMIS shares information
Designated and approved State and local compliance officials and data entry representatives have direct access to EMIS data. Different individuals receive different rights in EMIS according to their job role and State. Designated FMCSA staff members also have direct access to EMIS, with different individuals receiving different rights according to their job roles.
FMCSA may also share with other federal agencies PII in EMIS to assist with national security or other compliance activities. FMCSA evaluates each request on an individual basis and oversees the process to ensure all procedures are followed pursuant to the Privacy Act of 1974.
How EMIS provides notice and consent
EMIS contains PII for only drivers of commercial vehicles, contacts for commercial carriers and shippers, and State and local officials requiring access to the system. Drivers and commercial carrier representatives are required by law to provide PII as part of the inspection and crash data collection process and EMIS does not provide additional notice or options for consent.
How EMIS ensures data accuracy
The EMIS system's functionality provides internal data quality and completeness checks. Sources of information, such as State police departments or other officials, are responsible for inputting correct information.
Individuals who must submit PII in order to obtain direct access to EMIS submit this information directly. These individuals may contact their approving supervisor for any corrections to submitted information.
How EMIS provides redress
How EMIS retains and destroys data
Electronic records in EMIS are retained for six years and are securely destroyed in accordance with FMCSA policy.
How EMIS secures information
Physical access to the EMIS system is limited to appropriate personnel through applicable physical security requirements of the agency. FMCSA and contract support personnel with physical access have all undergone and passed DOT background checks.
EMIS data is maintained in an Oracle database on physical systems located inside a secure computer center with limited access at the Volpe Center. Data is backed up regularly and stored both on site and at secure offsite locations.
EMIS information is accessible only to FMCSA federal and state enforcement personnel with specifically assigned user ID's and passwords. Some limited personnel under contract to FMCSA or state agencies responsible for carrying our enforcement activities or supporting the EMIS system also have access via specifically assigned ID's and passwords.
Physical security and access to the hosting facility is managed and maintained by the Volpe Center.
The following matrix describes the privileges and safeguards around each of these roles as they pertain to PII.
|All Users||Variable, determined by job position and location.|
System of Records
EMIS is a system of records subject to the Privacy Act, 5 U.S.C. 552(a) and a System of Records Notice (SORN) for it (DOT/FMCSA 005 - Enforcement Management Information System) was published in the Federal Register.