DEPARTMENT OF TRANSPORTATION
Office of the Secretary of Transportation (OST)
PRIVACY IMPACT ASSESSMENT
Facilities and Building Management System (FBMS)
April 25, 2008
TABLE OF CONTENTS
Overview of Privacy Management Process
Personally Identifiable Information (PII) & FBMS
Why FBMS Collects Information
How FBMS Uses Information
How FBMS Shares Information
How FBMS Provides Notice and Consent
How FBMS Ensures Data Accuracy
How FBMS Provides Redress
How FBMS Secures Information
How Long FBMS Retains Information
System of Records
The Office of the Secretary (OST) oversees the formulation of national transportation policy and promotes intermodal transportation. Other responsibilities include negotiation and implementation of international transportation agreements, assuring the fitness of US airlines, enforcing airline consumer protection regulations, issuance of regulations to prevent alcohol and illegal drug misuse in transportation systems and preparing transportation legislation.
Privacy management is an integral part of the FBMS system. OST has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and established methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and OST will have the information, tools and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing OST to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following steps:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involved interviews with key individuals involved in the FBMS system to ensure that all uses of Personally Identifiable Information (PII), along with the risks involved with such use, are identified and documented.
- Organize the resources necessary for the project's goals. Internal OST resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing OST to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the OST project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made, if necessary.
As a leader in transportation-related oversight, DOT's OST provides useful information to other agencies responsible for transportation oversight activities. To meet this goal, OST seeks to use the FBMS to support a wide variety of DOT facilities infrastructure business functions in Property Management, Fleet Management, Conference Room scheduling, Budget and Financial, Space Management, Shipping and Receiving, Inventory, and Reconciliations. Its purpose is to provide management oversight and reporting capabilities through administration, service requests, asset management and tracking, inventory enhancements to include scanner support, categorization of assets, integration of financial work processes, financial reporting & reconciliation, employee tracking, designing, manipulating and implementing facilities space plans and drawings; managing the day-to-day use of DOT conference/training rooms and associated support requirements; managing and accounting for DOT's fleet of vehicles and drivers; tracking requests for overtime support and billing; tracking requests for personal property and billing for services rendered; invoicing for labor support provided; and tracking and billing for DOT facilities expenditures. FBMS is currently used to track accountability for all OST, STB, and RITA personal property located in the DOT Headquarters Building and RITA Headquarters, and will ultimately be used to track accountability for all DOT Modal agencies.
The FBMS modules will contain and publicly post the following information:
FBMS does not publicly post any PII information.
FBMS collects PII information for identification of real, personal property and assets associated with users in DOT Modal agencies.
FBMS uses PII to account for real, personal property and assets within DOT Modal agencies.
FBMS shares information internally with other FBMS/DOT staff by granting access to FBMS applications via the use of userids/passwords.
FBMS displays the DOT approved system warning banner to alert users of notice and consent to monitoring prior to login.
FBMS employs the data accuracy checks inherit in SQL database software to ensure data validity and accuracy.
Validation checks are built into the application software that both prompt the user that an incorrect entry has been entered and must be corrected, and that a user has successfully input data.
FBMS takes appropriate security measures to safeguard PII and other sensitive data. FBMS applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of OST employees and contractors. Safeguards in place involve requiring userids/passwords for identification and authentication, SSL for data encryption, and protection mechanisms such as firewalls, IDS/IPS, and router/switch ACL configurations inherent within the COE infrastructure.
FBMS retains PII information for a minimum of one year.
FBMS does not contain information that is part of existing System of Records subject to the Privacy Act.
OST has certified and accredited the security of FBMS in accordance with DOT information technology security standard requirements.