DEPARTMENT OF TRANSPORTATION
PRIVACY IMPACT ASSESSMENT
MARINER OUTREACH SYSTEM (MOS)
June 30, 2009
The Maritime Administration, within the Department of Transportation, has been given the responsibility to improve and strengthen the U.S. marine transportation system. The Maritime Administration programs promote the development and maintenance of an adequate, well-balanced United States merchant marine, sufficient to carry the Nation's domestic waterborne commerce and a substantial portion of its waterborne foreign commerce, and capable of service as a naval and military auxiliary in time of war or national emergency.
The Mariner Outreach System (MOS) provides a systematic way to monitor the adequacy of the nation's merchant mariner pool and to track and maintain contact information and qualifications of mariners who participate in the system. MOS is an invaluable tool for MARAD and its partners to make valid vessel and human resource projections, identify potential mariner shortfalls, allow mariners to provide up-to-date/accurate contact information, and facilitate crewing of vessels should a mariner shortage occur.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and Maritime Administration will have the information, tools and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing the Maritime Administration to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following steps:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the Mariner Outreach System to ensure that privacy risks are identified, addressed and documented.
- Organize the resources necessary for the project's goals. Internal Maritime Administration resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing Maritime Administration to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the Maritime Administration project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made, if necessary.
Information, including Personally Identifiable Information (PII) in the Mariner Outreach System
The Mariner Outreach System (MOS) was developed by the Maritime Administration to monitor the availability of U.S. merchant mariners who, through their qualifications, job skills and experiences, contribute to the overall economic interests and national security of the United States. Mariners worldwide who have agreed to participate either through the U.S. Coast Guard's Application for a Merchant Mariner Credential (MMC) or the MOS online portal will have an opportunity to review their U.S. Coast Guard qualifications/sea service and update their contact information. The PII relates to the United States Coast Guard's (USCG) Merchant Marine Licensing and Documentation (MMLD) system and information entered via the online portal.
The Mariner Outreach System will contain, and allow individual mariners to access through a secure website, the following information:
- Personal information (name, citizenship, date of birth).
- Contact information (address, phone, email).
- MMD information to include rating endorsements and expiration date.
- License information to include qualifications and expiration date.
- STCW information to include qualifications and expiration date.
- Sea service on record in the official USCG MMLD database.
Why Mariner Outreach System Collects Information
The ability of the U.S. to respond to major military contingencies worldwide is dependent on adequate U.S. flag active/reserve sealift resources and skilled U.S. maritime labor. The Maritime Administration's National Security Objective, which supports the Department of Transportation's (DOT) Security Initiative, is to assure that sufficient sealift capability and intermodal transportation infrastructure exist to support vital homeland and national security interests. Additionally, the DOT is responsible for determining whether adequate manpower is available to support the operation of sealift ships during a crisis, as set forth in the National Security Sealift Policy - National Security Directive #28 (October 5, 1989).
The primary source of mariners to crew the sealift ships is the pool of U.S. mariners actively sailing in the commercial U.S.-flag shipping industry. The sufficiency (availability, commitment, and skills) of this mariner pool to support a large-scale activation of the sealift fleet depends upon the health and size of the commercial U.S.-flag merchant fleet. A fleet that is sufficiently sized will result in a pool of sufficient qualified merchant mariners to meet the crewing requirements of both the commercial and sealift fleet during national emergencies.
Prior to the development of MOS, there was no single database or system available that contained the information required to produce accurate and timely analysis of mariners' willingness and availability to sail on U.S. government and commercial vessels to meet peacetime and contingency requirements. MOS will capture mariner contact information and evaluate mariners' willingness and availability to sail. The system is user friendly and allows access by mariners via a secure internet website.
Mariners who agree to participate have the opportunity to review their qualifications/sea service and provide updated and more detailed contact information. Detailed contact information provided by mariners will improve the Maritime Administration's ability to communicate with mariners. Should normal crewing practices ever prove to be inadequate, the system could also be used as a tool to assist those in need of mariners.
MOS provides a systematic way to monitor the adequacy of our nation's merchant mariner pool and to track and maintain contact information and qualifications of mariners. The MOS also includes a component that incorporates vessel data to allow analysis and projection of mariner requirements. At a minimum, the MOS will allow MARAD and its partners to make valid vessel and human resources projections, identify potential mariner shortfalls, allow mariners to provide up-to-date/accurate contact information, and to facilitate crewing of vessels should a mariner shortage occur.
Legal Authority for Information Collection
The Maritime Domain Awareness (MDA) program and the Maritime Security Act of 2003 are the legal authority for information collection for MARAD systems.
How Mariner Outreach System Uses Information
Routine use of information is for resource projection, maintaining contact information, and facilitating the filling of shortages.
How Mariner Outreach System Shares Information
Mariner Outreach System is a web-based application that is centrally housed at the NASA Stennis Space Center in Mississippi.
How Mariner Outreach System Provides Notice and Consent
Mariner Outreach System data usage is specified in the MOA/MOU with the USCG. The USCG is the owner of the data and provides the data to Mariner Outreach System.
How Mariner Outreach System Ensures Data Accuracy
Data quality and relevance are the sole responsibility of the information providers. Mariner Outreach System has incorporated data integrity techniques into its infrastructure.
The data elements are described in detail in the interface control documents as well as the logical data model.
How Mariner Outreach System Provides Redress
Data used in Mariner Outreach System is obtained from the Coast Guard and the individual mariners. The source of data and the possible ability to decline would be at the data sources level.
Mariner Outreach System data usage is specified in the MOA/MOU with the USCG. The data providers are the owners of the data and will have license to provide the data to Mariner Outreach System or not.
How Mariner Outreach System Secures Information
Mariner Outreach System takes appropriate security measures to safeguard PII and other sensitive data. Mariner Outreach System applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of Maritime Administration employees and contractors.
Data access is determined by permission levels and role based access controls. Users have certain rights based on account type. Users register for an account on the Mariner Outreach System application by providing unique information that must match perfectly with data received from the USCG. Once registered, users entering Mariner Outreach System are required to authenticate with a unique identification and password. System security policy guidelines provide for the creation of secure complex passwords.
| System Administrator | Full Access | Administrators have permissions to provide management of the infrastructure |
| Maritime Administration Manager | Read, Write, Modify | Managers have limited permissions based on roles; they have the ability to manage the application |
| Maritime Administration User | Read, Write | Users are limited by role based permissions that allow them to view data |
| Other Federal Entity | Read | Other federal agency users are restricted by role based permissions to only view data |
| USCG Credentialed Merchant Mariners | Read | Industry Partners are restricted by role based permissions to only view data and run reports |
After initial certification and accreditation, Mariner Outreach System will have a Certification and Accreditation performed every 3 years to ensure it meets agency and Federal requirements. Additional activities are performed more frequently to ensure Mariner Outreach System meets regulatory security requirements.
A favorable risk assessment was performed in 2008 for the Mariner Outreach System. Unacceptable risks found during this risk assessment were noted in a plan of action and milestones document and were subsequently remediated by the system owner.
The Maritime Administration IT Security team performs continuous monitoring activities for the Mariner Outreach System at different frequencies. Operating system and application patches are verified on a weekly basis. Application scanning is used to identify insecure coding practices, improper configurations, and areas of non-compliance with privacy laws. Furthermore, an Intrusion Prevention System aids in the detection of potential intruders and minimizes their impact if an intrusion succeeds.
How Long Mariner Outreach System Retains Information
Data retention will be based on legal requirements pertaining to contractual service obligations.
System of Records
Mariner Outreach System contains information that is part of a System of Records subject to the Privacy Act, because it is searched by an individual's social security number. In some cases, such as DOT/OST, the Department of Transportation controls the data and maintains System of Records responsibilities.
The Maritime Administration is developing MOS to utilize a reference number which will facilitate the elimination of social security numbers.