PIA - On Line Publications (OLP) System / Transportation Inventory Management System (TIMS)
DEPARTMENT OF TRANSPORTATION
Office of the Secretary of Transportation (OST)
PRIVACY IMPACT ASSESSMENT
Transportation Inventory Management System (TIMS) and Online Publications System (OLP)
October 23, 2007
TABLE OF CONTENTS
Overview of OST privacy management process for Transportation Inventory Management System (TIMS) and Online Publications System (OLP)
Personally Identifiable Information (PII) & TIMS/OLP
Why TIMS/OLP Collects Information
How TIMS/OLP Uses Information
How TIMS/OLP Shares Information
How TIMS/OLP Provides Notice and Consent
How TIMS/OLP Ensures Data Accuracy
How TIMS/OLP Provides Redress
How TIMS/OLP Secures Information
How Long TIMS/OLP Retains Information
System of Records
Overview of OST privacy management process for Transportation Inventory Management System (TIMS) and Online Publications System (OLP)
The Office of the Secretary (OST) oversees the formulation of national transportation policy and promotes intermodal transportation. Other responsibilities include negotiation and implementation of international transportation agreements, assuring the fitness of US airlines, enforcing airline consumer protection regulations, issuance of regulations to prevent alcohol and illegal drug misuse in transportation systems and preparing transportation legislation.
As part of its support function, DOT is responsible for providing information about its programs and initiatives to the public by disseminating publications. To help fulfill this responsibility, DOT uses the Transportation Inventory Management System (TIMS) and Online Publications System (OLP) (TIMS/OLP). TIMS/OLP is used by employees and contractors working on DOT's behalf to send outgoing publications associated with DOT operations to members of the public, and to other Federal agencies, who have requested certain information. Because of the personal information contained within the system, privacy management is an integral part of the TIMS/OLP. DOT has implemented a thorough privacy management program, utilizing proven technology, methodologies, and sound policies and procedures.
Privacy management is an integral part of the TIMS/OLP system. OST has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and established methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and OST will have the information, tools and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing OST to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following steps:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involved interviews with key individuals involved in the TIMS/OLP system to ensure that all uses of Personally Identifiable Information (PII), along with the risks involved with such use, are identified and documented.
- Organize the resources necessary for the project's goals. Internal OST resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing OST to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the OST project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made, if necessary.
Personally Identifiable Information (PII) & TIMS/OLP
When members of the public make requests to receive publications from DOT, personal information that is required to fulfill their request is collected and maintained in TIMS/OLP. This information includes name and mailing address, along with the publication(s) requested, in order to distribute requested materials through postal mail. TIMS/OLP does not always directly collect PII from individuals, rather Operating Administrations within DOT that have received requests from the public will compile mailing lists for their publications. These lists will be input into TIMS/OLP to facilitate the mailing process for a particular publication.
PII in TIMS/OLP may include name, mailing address, fax number, telephone number, and email address. Once this information has been entered into TIMS/OLP, it can be retrieved by a name-based search or by publication requests. Distribution clerks, system administrators, and system support personnel have access to the PII that is entered in TIMS/OLP. TIMS/OLP uses logon names and passwords to control access and contains the name and password of the DOT users with access to the system.
Why TIMS/OLP Collects Information
TIMS/OLP collects information in order to provide members of the public with information about DOT that they have requested either directly or through one of the DOT Operating Administrations. Logon names and passwords are retained in TIMS/OLP to administer the system and appropriately restrict access to the personal information.
How TIMS/OLP Uses Information
PII in TIMS/OLP is used to generate a mailing label for the mailing of a certain publication. TIMS/OLP uses the logon names and passwords of each DOT user in order to grant those users access to the system.
How TIMS/OLP Shares Information
Names and mailing addresses of individuals who have requested publications from DOT are shared with contractors working on behalf of DOT to administer the mailings. TIMS/OLP is a system of records under the Privacy Act of 1974 and DOT may also share information from TIMS/OLP as allowable under the Act.
How TIMS/OLP Provides Notice and Consent
TIMS/OLP is a system of records under the Privacy Act of 1974 and has published a Privacy Act notice in the Federal Register under the system number DOT/ALL 16, Mailing Management System. Individuals who wish to receive mailings make requests by way of email, telephone, fax or postal mail in an unstructured format. DOT does not use the information in TIMS/OLP for any other purposes then to provide individuals with requested information by postal. Therefore, consent for secondary uses is not applicable.
How TIMS/OLP Ensures Data Accuracy
FBMS employs the data accuracy checks inherit in Oracle database software to ensure data validity and accuracy. The system has been reviewed to ensure, to the greatest extent possible, it is accurate, relevant, timely and complete via security testing and evaluation.
How TIMS/OLP Provides Redress
Validation checks are built into the application software that both prompt the user that an incorrect entry has been entered and must be corrected, and that a user has successfully input data.
How TIMS/OLP Secures Information
TIMS/OLP is housed at DOT Headquarters in Washington, DC. Personnel with access to the building have undergone DOT background checks. Electronic access to the system is limited to those individuals in the Office of Information Services who either administer the system or participate in the distribution process for DOT publications. DOT controls access privileges through the following roles:
- User
- System Administrator
- System Support Personnel
Role | Access | Safeguards |
---|---|---|
User |
|
|
System Administrator |
|
|
System Support Personnel |
|
|
PII in TIMS/OLP is protected by DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of DOT employees and contractors. The system has been certified and accredited in accordance with DOT requirements.
How Long TIMS/OLP Retains Information
TIMS/OLP retains PII for as long as the individual is designated as a recipient of DOT publications and the address provided continues to be valid. Individual requests for removal from the system will be fulfilled in a timely manner.
System of Records
TIMS/OLP contains information that is part of existing System of Records subject to the Privacy Act, because it is searched by an individual's name.
OST has certified and accredited the security of TIMS/OLP in accordance with DOT information technology security standard requirements.