PIA - Maritime Service Compliance System
DEPARTMENT OF TRANSPORTATION
Maritime Administration
PRIVACY IMPACT ASSESSMENT
Maritime Service Compliance System
August 4, 2006
TABLE OF CONTENTS
Overview of Privacy Management Process
Personally Identifiable Information (PII) and MSCS
Why MSCS Collects Information
How MSCS uses information
How MSCS Shares Information
How MSCS Provides Notice and Consent
How MSCS Ensures Data Accuracy
How MSCS Provides Redress
How MSCS Secures Information
How Long MSCS Retains Information
System of Records
Overview of Privacy Management Process
The Maritime Administration (MARAD), within the Department of Transportation, has been given the responsibility to improve and strengthen the U.S. marine transportation system. MARAD programs promote the development and maintenance of an adequate, well-balanced United States merchant marine, sufficient to carry the Nation's domestic waterborne commerce and a substantial portion of its waterborne foreign commerce, and capable of service as a naval and military auxiliary in time of war or national emergency.
One of the systems that facilitates MARAD's mission to promote the development and maintenance of an adequate, highly skilled, and well-balanced United States merchant marine is the Maritime Service Compliance System (MSCS). MSCS serves two purposes: allows MARAD to maintain an accurate database of students and to monitor and assess graduates compliance of their service obligations; and allows MARAD to track payments made to State maritime academy (SMA) students who participate in the Student Incentive Payment (SIP) Program.
Privacy management is an integral part of MSCS. DOT/MARAD has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is based on a methodology developed and implemented in agencies throughout government. The methodology is designed to help ensure that the MARAD has the information, tools and technology necessary to manage privacy effectively and employ fair information practices while allowing MARAD to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology implements the following steps:
- Establish priority, authority, and responsibility. Establish a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the MSCS to ensure that privacy risks are identified, addressed and documented.
- Organize the resources necessary for the project's goals. Internal MARAD resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing MARAD to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the MARAD project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made, if necessary.
Maritime Service Compliance System (MSCS)
MSCS contains student and graduate information and allows MARAD to track maritime academy students receiving Federal financial support. MSCS contains the names and other personal data for all students (midshipmen) attending the Federally-funded U.S. Merchant Marine Academy (USMMA). State maritime academy (SMA) students who participate in the Student Incentive Payment (SIP) Program receive limited Federal tuition assistance, and are also tracked in the MSCS.
MARAD provides financial assistance to six SMAs to train U.S. merchant marine officers pursuant to the Maritime Education and Training Act of 1980. In addition to the financial assistance provided to each of the State maritime academies, MARAD also offers financial subsistence to a limited number of candidates selected to participate in the SIP Program. Students in the SIP Program receive quarterly financial subsistence for a maximum of 4 years. In exchange for financial educational assistance the SIP students incur a national service obligation. MSCS track students participating in the SIP Program to ensure they fulfill their national service obligation.
Personally Identifiable Information (PII) and MSCS
MARAD's MSCS facilitates the processing of Service Obligation Requirements for USMMA and SMA (SIP) maritime academy graduates. The graduates' information is provided by the individual institutions they attend, and is verified by the graduate. No information about a graduate is published. It is available only to the graduate her/himself and selected internal MARAD users.
MSCS contains the following information:
USMMA and SMA (SIP) Student and Graduate Information
- Name
- Date of birth
- Social Security Number
- Mother's Maiden Name
- Mailing Address
- Telephone Numbers
- E-mail Address
- SMA students SIP payment information
- Military Status and/or Records
- Active
- Reserve
- Past Posts
- Training
- Employment Status
- Current Employer (to analyze compliance)
The data above is used by internal users to perform the compliance and SIPS functions of the program.
Maritime Academy graduates who are new users are asked to verify their identities by providing the following information as a security check:
- Name
- Date of birth
- Social security number
- Mother's maiden name
All graduates are asked to login and update the following information on an annual basis or as needed.
- Mailing address
- Telephone numbers
- E-mail address
- Military status and/or records
- Active
- Reserve
- Employment status
- Current employer (to analyze compliance)
If the information provided by the graduate on the MSCS site does not match the information contained within the database, as provided by the graduate�s educational institution, then the graduate is not allowed access to the system. A reconciliation and verification of the information provided by the graduate and the information provided by the school is then performed by MARAD personnel. When this reconciliation is complete, the student/graduate is granted access to enter the system.
Subsequently, USMMA and State Maritime Academy SIP Graduates are asked to verify the information within the system on an annual basis. The verification process requires them to log into the system and provide updated information, if necessary. The information they are requested to update is as follows.
- Mailing address
- Telephone numbers
- E-mail address
- Military status and/or records
- Employment Status
Why MSCS Collects Information
Title XIII of the Merchant Marine Act, as amended, requires MARAD to monitor compliance of the service obligations of maritime academy graduates. MSCS provides a web-based internet system that graduates can access from virtually anywhere and report their service obligation compliance annually to MARAD. The information gathered allows MARAD to review and measure compliance and communicate effectively with USMMA and SMA (SIP) graduates. Also, MSCS is utilized to process State maritime academy SIP payments.
MSCS is a web site that has completely restricted access. Therefore, MSCS contains usernames and passwords for designated and authenticated MSCS users and associates that data with individuals accessing MSCS.
How MSCS uses Information
MSCS is a management tool used to track compliance. The information contained within it is strictly limited to the processing of student incentive payments, monitoring students and subsequent graduates compliance with their service obligations. No entity outside of MARAD or the graduate has access to the information contained within MSCS. Access to all functionality is managed through user IDs and passwords maintained by MSCS and associated with user accounts.
How MSCS Shares Information
MARAD does not share MSCS information with any entity other than the USMMA graduate or SMA SIP Graduate and the US Department of Justice (DOJ). DOJ is only contacted if the student is in default of his/her service obligations. No information contained within the system is publicly posted. MARAD does not share access information from MSCS outside of the Federal government. However information regarding students or graduates in default of their service obligations may be provided to the Department of Defense.
How MSCS Provides Notice and Consent
For a Maritime Academy Graduate's PII to be contained within MSCS, he or she must have graduated from a designated Maritime Academy or Program.
As the information contained within MSCS is not published in any forum, an individual's name and agency contact information are available only to that individual or designated MARAD employees. He or she must have provided this information to the educational institution. This information is then passed on to MSCS for use in compliance. Users will verify the information provided by performing their compliance tasks.
For an individual's PII to be retained in conjunction with a MSCS user account, that individual will have signed an agreement subjecting him/her to MSCS. MSCS users are provided a pamphlet describing their service obligations and how it relates to MSCS. Upon first registration with the system, the user is presented with the privacy policy as it regards MSCS.
Notice is additionally provided through a privacy policy posted in another area on MSCS website, as well as the applicable Privacy Act System of Records notice, currently being developed.
How MSCS Ensures Data Accuracy
MSCS receives most PII either directly through interactions with the individual in and submissions from recognized educational institutions. MSCS primarily relies on the designated individuals representing the maritime academies to provide accurate data and provide updates as needed.
To help ensure that data in the system is accurate and timely, MARAD staff will periodically review submissions according to documented data quality procedures. Also in accordance with documented procedures, MARAD will contact designated representatives of the maritime academies to request updated information.
The annual compliance function performed by the graduates further helps to maintain data accuracy. Graduates are encouraged to keep their information up to date in order to receive correspondence from MARAD in a timely fashion. Graduates may request searches of their MSCS data to determine if any records have been added.
How MSCS Provides Redress
As provided for by the System of Records notice under the Privacy Act, individuals with questions about privacy and MSCS may contact MARAD's Privacy Officer. The MARAD privacy policy provides contact information for the Privacy Officer on the MSCS website. MSCS also provides conspicuous links on the public website to contact pages through which individuals can point out inaccuracies, concerns about status or reporting, and other issues.
How MSCS Secures Information
MSCS takes appropriate security measures to safeguard PII and other sensitive data. MSCS applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of MARAD employees and contractors.
| Role | Access | Safeguards |
|---|---|---|
| Graduate (Level 2) | Submit information for verification Only able to view their own information | User-set password Account set-up approved by an Administrator (MARAD Employee) Information must match data stored within database to gain access. Accounts are locked after a set number of incorrect log-in attempts |
| MARAD Data Entry | Enter user profile information | User-set user name and password Account set-up approved by MARAD management Accounts are locked after a set number of incorrect attempts Must access system from limited number of computers, each of which also has user name/password access control. Cannot edit existing records Cannot delete records |
| MARAD User | Search and view users and profile information Grant User (Level 2) accounts, reset account passwords, view access log information Delete profiles (without viewing full profile information) View, search, add, change, and delete all information in database | User-set user name and password |
How Long MSCS Retains Information
MSCS is to retain information on Graduates for up to two years after they have fulfilled their requirements. In the best case scenario, this means information is kept for 8 years 3 months. Individual graduates may take longer than 8 years 3 months to fulfill their requirements due to various circumstances; therefore, their information will be kept until it is no longer needed for compliance review.
System of Records
MSCS contains information that is part of an existing System of Records subject to the Privacy Act, because it is searched by an individual's name.
MSCS contains information covered under the following System of Records Notice: DOT/MARAD 13, Cadet Files, State Maritime Academies, SIPSAM.
MARAD is in the process of certifying and accrediting the security of MSCS in accordance with DOT information technology security standard requirements.