DEPARTMENT OF TRANSPORTATION
PRIVACY IMPACT ASSESSMENT
MARITIME SERVICE COMPLIANCE SYSTEM (MSCS)
March 8, 2009
The Maritime Administration, within the Department of Transportation, has been given the responsibility to improve and strengthen the U.S. marine transportation system. The Maritime Administration programs promote the development and maintenance of an adequate, well-balanced United States merchant marine, sufficient to carry the Nation's domestic waterborne commerce and a substantial portion of its waterborne foreign commerce, and capable of service as a naval and military auxiliary in time of war or national emergency.
The Maritime Service Compliance System (MSCS) assists students and graduates of the U.S. Merchant Marine Academy, and participants and graduates of the Student Incentive Payment (SIP) Program at the State maritime academies (SMAs), in completing the required annual Compliance Report online for the period of their service obligation following graduation. The application also assists MARAD in monitoring and documenting students' enrollment status while they attend the maritime academies, making subsidy payments to SMA SIP students, and maintaining a record of graduates' fulfillment of their service obligations. The MSCS also contains graduates' employment determination waivers.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and Maritime Administration will have the information, tools and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing the Maritime Administration to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following steps:
- Establish priority, authority, and responsibility. A cross-functional privacy management team is appointed to ensure input from systems architecture, technology, security, legal, and the other disciplines necessary to develop an effective privacy management program.
- Assess the current privacy environment. This involves interviews with key individuals involved in the Maritime Service Compliance System to ensure that privacy risks are identified, addressed and documented.
- Organize the resources necessary for the project's goals. Internal Maritime Administration resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing Maritime Administration to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the Maritime Administration project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made, if necessary.
Information, including Personally Identifiable Information (PII) in the Maritime Service Compliance System
As a leader in transportation-related oversight, DOT's Maritime Administration provides useful information to other agencies responsible for transportation oversight activities. To meet this goal, the Maritime Administration uses the Maritime Service Compliance System website to share information in support of monitoring and documenting students' enrollment status while they attend the maritime academies, making subsidy payments to SMA SIP students, and maintaining a record of graduates' fulfillment of their service obligations.
The Maritime Service Compliance System contains the following information:
Compliance reports. Midshipmen and cadets of the U.S. Merchant Marine Academy, and graduates of the State Maritime Academies who participated in the Student Incentive Payment program, complete the required reports online on an annual basis for the period of their service obligation after graduation. These individuals are currently identified and tracked by their social security numbers. A social security number elimination and reduction program is in place, and MSCS is expected to either eliminate or reduce its use of SSNs by the start of the new fiscal year.
Why Maritime Service Compliance System Collects Information
The Maritime Service Compliance System collects information so that students and graduates of the U.S. Merchant Marine Academy, and participants and graduates of the SIP Program at the SMAs, can complete the required annual Compliance Report online for the period of their service obligation following graduation, and so that MARAD can monitor and document students' enrollment status at the academies, make subsidy payments to SMA SIP students, maintain a record of graduates' fulfillment of their service obligations, and hold graduates' employment determination waivers.
The Student Incentive Payment System (SIPS) is a database system developed to pay stipends to selected cadets on a quarterly basis or as required. The system maintains specific identifying information on each cadet, keeps track of authorized and unauthorized leave and whether the cadet is entitled to paid leave, tracks the cadet if he or she moves from one class to another, and generates the information used to initiate the payment process. The Academies Monitoring System (AMS) was built on SIPS to monitor compliance with the service obligation. The system has built-in default dates to determine whether cadets who resign or are disenrolled are in breach of their obligation. Additionally, the system monitors compliance with the employment portion of the obligation. The system generates letters that can be used to identify and rectify nine conditions relating to the status of graduates. It also tracks waivers, deferments and breaches, which may affect obligation status.
Each cadet is identified by his or her social security number (SSN). This begins when the cadet enters the United States Merchant Marine Academy (USMMA) and continues through the service obligation period until that obligation is fulfilled. The identification process within MSCS is aligned with the USMMA business practice for identifying cadets at the academy.
Legal Authority for Information Collection
The Maritime Domain Awareness (MDA) program and the Maritime Security Act of 2003 are the legal authority for information collection for MARAD systems.
How Maritime Service Compliance System Uses Information
Routine use of information is for student and graduate enrollment status and compliance with obligation requirements.
How Maritime Service Compliance System Shares Information
Maritime Service Compliance System is a web-based application that is centrally housed at the NASA Stennis Space Center in Mississippi.
How Maritime Service Compliance System Provides Notice and Consent
Maritime Service Compliance System data usage is specified in the MOA/MOU with USMMA and the state schools. The schools own the data and, under the license, decide whether or not to provide the data to the Maritime Service Compliance System.
How Maritime Service Compliance System Ensures Data Accuracy
Data quality and relevance are the sole responsibility of the information providers. Maritime Service Compliance System has incorporated data integrity techniques into its infrastructure.
The data elements are described in detail in the interface control documents as well as the logical data model.
How Maritime Service Compliance System Provides Redress
Data used in the Maritime Service Compliance System is obtained from the colleges. Any ability to decline to provide data rests with the data sources, not with the Maritime Service Compliance System.
Maritime Service Compliance System data usage is specified in the MOA/MOU defined with the colleges. The data providers own the data and are licensed to provide it to the Maritime Service Compliance System or to withhold it.
How Maritime Service Compliance System Secures Information
Maritime Service Compliance System takes appropriate security measures to safeguard PII and other sensitive data. Maritime Service Compliance System applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of Maritime Administration employees and contractors.
Data access is determined by permission levels and role-based access controls. Users have certain rights based on account type. Users entering the Maritime Service Compliance System are required to authenticate with a unique identifier and password. System security policy guidelines require the creation of secure, complex passwords. Users register for an account on the Maritime Service Compliance System application; the Maritime Service Compliance System accounts manager reviews each request and approves or denies access.
| Account type | Access | Description |
| System Administrator | Full access | Administrators have permissions to manage the infrastructure |
| Maritime Administration Manager | Read, Write, Modify | Managers have limited permissions based on role and have the ability to manage the application |
| Maritime Administration User | Read, Write | Users are limited by role-based permissions that allow them to write new data and run reports |
| Other Federal Entity | Read | Other federal agency users are restricted by role-based permissions to viewing data and running reports |
| USCG Credentialed Merchant Mariners | Read | Industry partners are restricted by role-based permissions to viewing data and running reports |
After initial certification and accreditation, Maritime Service Compliance System will have a Certification and Accreditation performed every 3 years to ensure it meets agency and Federal requirements. Additional activities are performed more frequently to ensure Maritime Service Compliance System meets regulatory security requirements.
A favorable risk assessment was performed in 2008 for the Maritime Service Compliance System. Unacceptable risks found during this risk assessment were recorded in a plan of action and milestones document and subsequently remediated by the system owner.
The Maritime Administration IT Security team performs continuous monitoring activities for the Maritime Service Compliance System at different frequencies. Operating system and application patches are verified on a weekly basis. Application scanning is used to identify insecure coding practices, improper configurations, and areas of non-compliance with privacy laws. Furthermore, an Intrusion Prevention System aids in the detection of potential intruders and limits their impact if an intrusion succeeds.
How Long Maritime Service Compliance System Retains Information
Data retention will be based on legal requirements pertaining to academic and contractual service obligations.
System of Records
The Maritime Service Compliance System contains information that is part of a System of Records subject to the Privacy Act, because records are retrieved by an individual's social security number. In some cases, such as DOT/OST 101, the Department of Transportation controls the data and maintains System of Records responsibilities.
Maritime Service Compliance System has been certified and accredited in accordance with DOT information technology security standard requirements.