DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
Privacy Impact Assessment
SWIFT (Selections WithIn Faster Times)
February 6, 2008
TABLE OF CONTENTS
Overview of Privacy Management Process
Personally Identifiable Information (PII) and SWIFT
Why SWIFT Collects Information
How SWIFT Uses Information
How SWIFT Shares Information
How SWIFT Provides Notice and Consent
How SWIFT Ensures Data Accuracy
How SWIFT Provides Redress
How SWIFT Secures Information
How Long SWIFT Retains Information
System of Records
The Federal Aviation Administration (FAA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs to ensure the safest, most efficient aerospace system in the world. The FAA is responsible for:
- Regulating civil aviation to promote safety;
- Encouraging and developing civil aeronautics, including new aviation technology;
- Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
- Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
- Regulating U.S. commercial space transportation.
One of the programs that helps the FAA fulfill this mission is Selections WithIn Faster Times (SWIFT), a suite of automated personnel processing programs that support the FAA's personnel processes.
SWIFT simplifies and streamlines personnel processes by using secure Information Technology to automate the processing of job applications, announcing vacancies, and providing position documentation. Modules within the suite are able to create and store position documentation under FAA's special compensation systems; create and post vacancy announcements; and rate, rank, and refer candidates for employment.
Privacy management is an integral part of the SWIFT system. DOT/FAA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and FAA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair-information practices. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines ensures that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the SWIFT system to ensure that privacy risks are identified and documented.
- Organize the resources necessary for the project’s goals. Internal DOT/FAA resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively, while allowing DOT/FAA to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the FAA project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.
The SWIFT system contains both personally identifiable information (PII) and non-personally identifiable information pertaining to FAA employees and other citizens (both employees and members of the general public who apply for employment with the FAA). PII collected in the SWIFT system includes:
- Social Security Number
- Full Name
- Mailing Address
- Telephone Numbers (Home, Work, Other)
- Email Address
- Date of Birth
- Place of Birth
- Citizenship Status
- Education Records
- Military Status and Records
- Employment Status and Records
- Race, National Origin, and Disability information
As part of a Government-wide effort, the necessity for use of the Social Security Number is being evaluated. The FAA has the authority to collect and maintain SSN in SWIFT under 5 U.S.C. 1302, 3109, 3301, 3302, 3304, 3305, 3306, 3307, 309, 3313, 3317, 3318, 3319, 3326, 4103, 4723, 5532, and 5533 5 U.S.C. 7201; Sections 4A, 4B, 15A(1) and (2), 15B(11), and 15D(11), Uniform Guidelines on Employee Selection Procedures (1978) (43 FR 38297 et seq. (August 25, 1978)); 29 CFR 720.301; and 29 CFR 1613.301.
An individual’s PII is entered into the SWIFT system voluntarily by the applicant, who creates a profile by manually entering name, date of birth, social security number, telephone number, email address, citizen/military service/veteran status, and employment status and records. Applicants create a user ID, password, and secret question for continued access to their PII. The applicant has access to all provided personal information and can change profile information, including contact information, at any time.
In addition, each time an applicant applies for a job, the applicant may elect to provide Race, National Origin, and Disability information, which is used for statistical purposes only.
By definition, SWIFT’s goal of linking applicants with FAA jobs demands some degree of information collection and sharing. With this in mind, applicants volunteer to share PII through the SWIFT Web site so that FAA Human Resource (HR) Administrative Users and Selection Officials may assess their qualifications and consider them for applicable positions. The PII within SWIFT is used to maintain the categories of records listed above, as well as for the uses listed below. Also, FAA uses PII in SWIFT to contact references, verify applicant statements, and facilitate communication with applicants.
Authority for maintenance of the SWIFT system and collection of the PII data is provided by: 5 U.S.C. 1302, 3109, 3301, 3302, 3304, 3305, 3306, 3307, 309, 3313, 3317, 3318, 3319, 3326, 4103, 4723, 5532, and 5533 5 U.S.C. 7201; Sections 4A, 4B, 15A(1) and (2), 15B(11), and 15D(11), Uniform Guidelines on Employee Selection Procedures (1978) (43 FR 38297 et seq. (August 25, 1978)); 29 CFR 720.301; and 29 CFR 1613.301.
Information in an identifiable form is used to provide FAA and volunteer applicants with an enhanced, efficient hiring process. FAA does not use PII in SWIFT for any purposes outside of the hiring process.
The SWIFT system collects PII only with the express permission of applicants, and only for activities associated with the hiring process. SWIFT is a system of records that is subject to the Privacy Act. The General Routine Uses are outlined in the Systems of Records Notice OPM/GOVT – 5 Recruiting, Examining, and Placement Records and Systems of Records Notice OPM/GOVT -07 Applicant Race, Sex, National Origin, and Disability Status Records. https://www.opm.gov/feddata/Federalr.txt
FAA HR Administrative Users and Selection Officials responsible for making hiring decisions may have access to all or some of the PII that SWIFT contains. During the selection process, these personnel may share data contained in SWIFT with personnel staffing specialists and other authorized employees of the FAA, other federal agencies and organizations, employers, schools, and law enforcement agencies for the purpose of verifying application information and obtaining necessary clearances prior to final selection. FAA does not share SWIFT personally-identifiable information in any other way.
For an individual’s PII to be included in SWIFT, that individual must have personally created a profile and applied for employment with the FAA by entering information into SWIFT and attesting to its accuracy. The individual is advised through the posted Privacy Act Statement on the login screen that the information entered through the application is provided voluntarily, will be used to process the application for employment and, if not provided, will preclude the individual from being considered for employment.
SWIFT allows applicants to access their PII and change that information within the SWIFT database at any time. Applicants access their own PII through the FAA Jobs Web site, which authenticates applicants through applicant-provided user ID and password.
As a final step in completing each application for an FAA position, the applicant is required to assert that all information within the application, including PII, is correct and complete.
Office of the Assistant Administrator for Human Resource Management
SWIFT Program Manager
Federal Aviation Administration
800 Independence Avenue, SW
Washington, DC 20591
FAA has implemented security controls and technology features that fully incorporate protection of privacy. FAA has complied with Federal Information Security Management Act (FISMA), and mitigated privacy risks through the following methods:
- Access to the system is controlled through role-based user accounts.
- The system is protected by a series of intrusion detection devices centrally monitored by FAA’s Cyber Security Management Center.
- The system strictly controls the transmission and storage of information.
- All government and contract personnel are required to complete privacy training.
The SWIFT system is audited by FAA Security Personnel to ensure FISMA compliance through an annual assessment utilizing standards and guidance provided by the National Institute of Standards and Technology (NIST). The SWIFT system has met all requirements and has been certified and accredited to operate by the authority of DOT/FAA.
SWIFT takes appropriate security measures to safeguard PII and other sensitive data. The SWIFT system is housed in a controlled computer center within a secure facility.
Physical access to the SWIFT system is limited to appropriate personnel through photo badges, building key cards, and room-access key pads.
In addition to physical access, electronic access to PII in SWIFT is limited according to job function. FAA controls access privileges according to the following roles:
- HR Administrative User
- Selection Official
- System Manager
The matrix below describes the levels of access and safeguards around each of these roles as they pertain to PII.
User-set user ID and password:
|HR Administrative User|
HR Administrative Users are set up as users by System Managers and have two sets of user IDs and passwords, one for the system and one for the application. The following safeguards apply:
|Selection Official||Selection Officials are set up as users by System Managers and have two sets of user IDs and passwords, one for the system and one for the application. The following safeguards apply:|
|LOB Administrator User|
LOB Administrator Users are set up as users by System Managers and have two sets of user IDs and passwords, one for the system and one for the application. The following safeguards apply:
|Tracking User||Tracking Users are set up as users by System Managers and have two sets of user IDs and passwords, one for the system and one for the application. The following safeguards apply:|
System Managers have two sets of user IDs and passwords, one for the system and one for the application. The following safeguards apply:
Records in this system are retained for varying lengths of time, ranging from a few months to 5 years, e.g., most records are retained for a period of 1 to 2 years. Some records, such as individual applications, become part of the person's permanent official records when hired, while some records (e.g., non-competitive action case files) are retained for 5 years. Some records are destroyed by shredding or burning, while magnetic tapes or disks are erased.
Paper records generated by SWIFT will be retained in accordance with the current version of FAA Order 1350.15, Records Organization, Transfer and Destruction Standards. https://employees.faa.gov/tools_resources/orders_notices. The electronic records generated by SWIFT are currently unscheduled with the National Archives and Records Administration (NARA). Until the records are scheduled, the electronic records will be maintained indefinitely, as required by 36 CFR 1228.26(a)(1) and (2).
SWIFT is governed by the Privacy Act, as it is searched by name and unique identifier. The applicable Privacy Act System of Records is: OPM/GOVT-5, Recruiting, Examining, and Placement Records. FAA has certified and accredited SWIFT under DOT Information Assurance requirements.
The race and ethnicity information collected as part of the SWIFT application process is in accordance with routine uses found in Privacy Act System of Records: OPM/GOVT-7, Applicant Race, Sex, National Origin, and Disability Status Records.