This policy establishes the Department of Transportation (DOT) policy and assigns responsibilities for carrying out the privacy risk management requirements of the Privacy Act of 1974 (Privacy Act), the Paperwork Reduction Act (PRA), the E-Government Act of 2002 (EGov), the Federal Information Security Management Act (FISMA) and the Consolidated Appropriations Act of 2005, as well as general privacy risk management at DOT.
These requirements often overlap, and special attention must be paid to each before commencing any collection of information or engaging in activities that may create privacy risk(s) for individuals and the larger public. This policy establishes policies and responsibilities for managing privacy risk in creating, collecting, maintaining, using, storing, transmitting, protecting and destroying personally identifiable information (PII).
PII is personal or professional information that can be used to distinguish or trace an individual’s identity, such as the individual’s name, Social Security number (SSN), biometric records, etc., alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
Further Office of Management and Budget (OMB) guidance states that “the definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified by examining the context of use and combination of data elements. During the assessment it is important for agencies to recognize that non-PII can become PII whenever additional information is made publicly available. This applies to any medium and any source that, when combined with other available information, could be used to identify an individual.”
This policy also establishes policies and responsibilities for managing privacy risk in activities that do not include the collection of PII by DOT.