PIA - National Driver Register
DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety Administration
PRIVACY IMPACT ASSESSMENT
National Driver Register (NDR)
November 17, 2003
Table of Contents
Overview of National Highway Traffic Safety Administration (NHTSA) privacy management process for NDR
Personally-identifiable information and NDR
Why NDR collects information
How NDR uses information
How NDR shares information
How NDR provides notice and consent
How NDR ensures data accuracy
How NDR provides redress
How NDR secures information
System of records
Overview of National Highway Traffic Safety Administration (NHTSA) privacy management process for NDR
The National Highway Traffic Safety Administration (NHTSA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs. NHTSA is responsible for reducing deaths, injuries, and economic losses resulting from motor vehicle crashes. One of the programs that helps NHTSA fulfill this mission is the National Driver Register (NDR), which assists States in identifying problem drivers.
The NDR system provides a central indicator of the location of information on individuals whose privilege to drive has been revoked, suspended, canceled, or denied or who have been convicted of serious traffic-related offenses. NHTSA maintains limited information in the NDR: names, dates of birth, driver license numbers, and sex of drivers on whom a State or the District of Columbia has driver records, but not the content of the driver record; all that an inquiry to the NDR does is indicate whether a State or the District of Columbia has a record on an individual matching the individual who is the subject of the inquiry, and, if so, which one(s). State driver licensing officials use NDR data when determining whether to issue a driver license. In addition, the NDR is queried by other authorized users (Federal and non-Federal employers or prospective employers of motor vehicle operators, Federal Aviation Administration (FAA) for airman medical certification, Federal Railroad Administration (FRA) and railroads for locomotive operators, Coast Guard for merchant mariners and servicemen, air carriers for pilot applicants, and National Transportation Safety Board (NTSB) and Federal Motor Carrier Safety Administration (FMCSA) in connection with accident investigations). Under the provisions of the Privacy Act, individuals are also entitled to request NDR file searches to determine if there are records pertaining to them on file. An individual's request submitted directly to the NDR must be in writing and notarized. All 50 States and the District of Columbia participate in the NDR. The system is also referred to as the Problem Driver Pointer System.
Privacy management is an integral part of the NDR system. DOT/NHTSA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and NHTSA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing NHTSA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the NDR system to ensure that privacy risks are identified and documented.
- Organize the resources necessary for the project's goals. Internal DOT/NHTSA resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop an effective policy or policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing DOT/NHTSA to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the NHTSA project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.
Personally-identifiable information and NDR
The NDR system contains both Personally Identifiable Information (PII) and non-personally identifiable information pertaining to drivers. For an individual's PII to be included in NDR, that individual's driving privilege must have been revoked, suspended, canceled, or denied; or the individual must have been convicted of one or more serious traffic-related offenses. The PII that the reporting jurisdictions send to NDR is reporting jurisdiction, individual's full name, other names used, date of birth, sex, and driver license number. Additional PII that may be sent by the reporting jurisdiction is social security number, height, weight, and eye color.
Why NDR collects information
NDR collects PII in order to provide State Departments of Motor Vehicles (DMVs), FAA, FRA, and air carriers and other employers with centralized access to information on problem drivers. States use this information to make driver license issuance decisions. Other authorized users use this information to obtain an individual's driver history from a State to determine suitability for employment as operator of a motor vehicle or other transportation vehicle.
How NDR uses information
States are required by the Commercial Motor Vehicle Safety Act of 1986 to check both the NDR and the FMCSA's Commercial Driver's License Information System (CDLIS) prior to issuing a Commercial Driver's License. More recent legislation, the Motor Carrier Safety Improvement Act of 1999, requires States to check the NDR prior to the issuance of any motor vehicle license. NDR supplies PII to State DMV officials and other authorized users to assist in identifying problem drivers in an effort to help a State determine whether an individual should be licensed in that State and to help other authorized users determine whether an individual should be considered for employment as operator of a motor vehicle or other transportation vehicle. To accomplish this, States and other authorized users send inquiries to NDR containing names, dates of birth, and sex. These inquiries are searched against the data on the NDR file and the results are sent to the State or other authorized user making the inquiry.
How NDR shares information
Although the NDR system is not network-connected to any other system or group of systems within DOT, State DMVs have access to the NDR system through the American Association of Motor Vehicle Administrators (AAMVA) telecommunications network. AAMVA maintains access and security control to its network. State DMVs maintain access and security controls to their own systems. State DMV users can submit an inquiry on an individual, receiving back from NDR information on possible matches that includes all available PII in the NDR system. DMVs use this PII to determine the match and grant or refuse a driver's license based on this information.
Some federal agencies are also allowed to send inquiries to the NDR. These include agencies that employ motor vehicle operators, FAA for airman medical certifications, FRA (and railroads) for locomotive operators, Coast Guard for merchant mariners and servicemen, and NTSB and FMCSA in connection with accident investigations.
Air carriers and other employers can request NDR information on an individual, with written and notarized permission from that individual. These requests must be made through the State DMV on a State DMV-provided form.
Individuals may request a search of the NDR file to determine if any records have been added that may pertain to them. This is accomplished by sending a written notarized request directly to the NDR that contains name, date of birth, and sex. In response to this request, NDR provides PII relating to that individual and information concerning to whom that individual's PII has been disclosed within the past 5 years.
The NDR staff and contractors are granted varying levels of access to the PII based on their job requirements. The levels of access are described in the matrix that follows the section titled "How NDR secures information."
NHTSA does not share NDR PII in any other way.
How NDR provides notice and consent
For an individual's PII to be sent to the NDR by a reporting jurisdiction that individual's driving privilege must have been revoked, suspended, canceled, or denied; or the individual must have been convicted of one or more serious traffic-related offenses. Each State's procedures determine whether individuals are notified that their PII is being sent to NDR for inclusion in the database. When an individual applies for a driver's license, each State has its own procedures and paperwork for processing the request.
How NDR ensures data accuracy
NDR receives all data directly from the State DMVs. At any time, States may request an electronic copy of all their active records on the NDR file. States send changes to NDR daily, and States are responsible for sending accurate files and changing records appropriately. The length of time a record remains on the NDR file is governed by the reporting jurisdiction's records retention laws. Under special circumstances, NHTSA employees may delete an NDR record but only upon request of the reporting jurisdiction. To track this consent, NDR provides weekly reports of deleted records and management verifies the required written State permission documentation supporting that deleted record.
Under the provisions of the Privacy Act, individuals may request searches of the NDR file to determine if any records have been added that may pertain to them. This is accomplished by sending a written notarized request directly to the NDR that contains name, date of birth, and sex. NHTSA does not allow access through either the Internet or Intranet to the information stored in the NDR.
How NDR provides redress
At any time, individuals may request a search of the NDR file to determine if any records have been added that may pertain to them. This is accomplished by sending a written notarized request directly to the NDR that contains name, date of birth, and sex. Since States maintain the actual driver history data, individuals must contact the reporting jurisdiction(s) to request changes to their records. NDR staff provides customer service to assist individuals with problem resolution. Although there is no statement on the NHTSA Web site that provides information on how to request changes, the Web site does provide a list of the State DMV addresses and phone numbers that individuals may contact.
How NDR secures information
NDR data files are maintained in a building under surveillance by a 24-hour guard force. In addition, the spaces in which the files are maintained are equipped with lockable doors, which are locked when vacated. All NDR staff and contractors are briefed on NDR security requirements and their responsibilities. Magnetic tape records are erased by degaussing prior to disposing of the tapes. Shredding destroys paper source data containing PII.
NDR staff and contractors with access to NDR data receive basic security training with some privacy components. These users also annually read and sign a Non-Disclosure Agreement containing privacy provisions and penalties for unauthorized disclosure of data. NHTSA does not provide NDR-specific privacy training to other users.
In addition to physical access, electronic access to NDR PII is limited according to job function. NHTSA controls access privileges according to the following roles:
- State DMV User
- Other authorized users (Federal agencies, air carriers, employers)
- NDR Users (NDR Operations Staff)
- NDR Administrators and Developers (NDR Systems Staff)
- NDR Contractors (computer center's Systems Staff and computer center's customer service staff)
- Individuals
The following matrix describes the levels of access and safeguards around each of these roles as they pertain to PII.
Role | Access | Safeguards |
---|---|---|
State DMV User | Send inquiry to NDR. Review response from NDR containing PII. | Accessible only through State DMV. Each State has its own procedures for issuing and controlling userids and passwords. States are required to use the American Association of Motor Vehicle Administrators (AAMVA) telecommunications network to transmit and receive data to/from NDR. AAMVA's network uses software that verifies origin and destination. NDR uses COBOL application programs to limit access to data to legitimate users. |
Other authorized users (Federal agencies, air carriers, certain employers) | Send inquiry to NDR. NDR sends PII on file, including which State added the record to NDR. User decides whether to obtain driver history record from the State DMV. | Procedures are established beforehand to identify legitimate points of contact. NDR uses COBOL application programs to limit access to data to legitimate users. |
NDR Users (NDR Operations Staff) | View PII to enable them to respond to individuals and other authorized users and to assist customers in resolving problems related to NDR records. May delete NDR records with written authority from States. | Access to data is limited to legitimate users with the help of IBM's RACF mainframe security software, COBOL application programs, and userids and passwords. Record deletion is monitored on a weekly basis. The following safeguards also apply: passwords expire after a set period; accounts are locked after a set period of inactivity; minimum password length is eight characters; passwords must be a combination of letters and numbers; accounts are locked after a set number of incorrect attempts. |
NDR Administrators and Developers (NDR Systems Staff) | Authority to modify access rules to PII. View PII for programming and maintenance purposes, to assist Operations Staff, and to work with the States to correct programming problems. Modify and delete PII with written authority from States. | Record deletion is monitored on a weekly basis. Program changes are documented. The following safeguards also apply: passwords expire after a set period; accounts are locked after a set period of inactivity; minimum password length is eight characters; passwords must be a combination of letters and numbers; accounts are locked after a set number of incorrect attempts. |
NDR Contractor (computer center's Systems Staff and computer center's customer service staff) | Restricted access to PII. Wider access in emergency situations. | The following safeguards apply: access to data is limited to legitimate users with the help of IBM's RACF mainframe security software, COBOL application programs, and userids and passwords. Secured FIRECALL userids provide READ/WRITE access to authorized users on an emergency basis. Actions taken using a FIRECALL userid are monitored. A daily report is provided to management for review. The manager compares the notifications from the employees to the occurrences listed in the report and verifies that the access was warranted. |
Individuals | Send request to NDR for file search. View response letter from NDR. PII is provided if individual matches PII on NDR file. | Individual's request to NDR must be in writing and notarized. |
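The manager's review of FIRECALL use in the contractor row (daily report of emergency-userid activity checked against the notifications employees sent) can be automated as a reconciliation that flags any emergency access with no notification near it. This is an added example, not NDR's or NHTSA's own code; the report layout, field names, two-hour matching window and every log line are constructed assumptions.

```python
"""Reconcile emergency (FIRECALL-style) access events against employee notifications."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample daily report of emergency-userid activity (not real NDR data).
DAILY_REPORT = """\
timestamp,firecall_userid,employee,action,dataset
2003-11-17T02:14:00,FIRE01,jdoe,WRITE,NDR.MASTER
2003-11-17T02:20:00,FIRE01,jdoe,READ,NDR.MASTER
2003-11-17T09:05:00,FIRE02,asmith,READ,NDR.MASTER
2003-11-17T23:40:00,FIRE01,bjones,WRITE,NDR.MASTER
"""

# Constructed notifications the employees sent to management for the same day.
NOTIFICATIONS = """\
timestamp,employee,reason
2003-11-17T01:50:00,jdoe,Batch job abend - restart required
2003-11-17T09:00:00,asmith,Verify record count after load
"""

# Assumption: a notification from the same employee within two hours of the
# emergency access counts as covering that access.
WINDOW = timedelta(hours=2)


def parse(text):
    """Parse a CSV report with a header row into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(report_text, notes_text, window=WINDOW):
    """Return the emergency-access events that no employee notification covers."""
    events = parse(report_text)
    notes = parse(notes_text)
    unwarranted = []
    for ev in events:
        used_at = datetime.fromisoformat(ev["timestamp"])
        covered = any(
            n["employee"] == ev["employee"]
            and abs(used_at - datetime.fromisoformat(n["timestamp"])) <= window
            for n in notes
        )
        if not covered:
            unwarranted.append(ev)
    return unwarranted


if __name__ == "__main__":
    for ev in reconcile(DAILY_REPORT, NOTIFICATIONS):
        print(f"UNWARRANTED: {ev['employee']} used {ev['firecall_userid']} "
              f"for {ev['action']} on {ev['dataset']} at {ev['timestamp']}")
```

Every flagged event is one the manager must follow up on; a clean run means each emergency-userid use on the report was announced by the employee who used it.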
System of records
NDR is a system of records subject to the Privacy Act: DOT/NHTSA 417, National Driver Register (NDR).
NHTSA has certified and accredited the security of NDR in accordance with DOT standard requirements.