DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety Administration
PRIVACY IMPACT ASSESSMENT
CARS Database System
TABLE OF CONTENTS
Overview of National Highway Traffic Safety Administration (NHTSA) privacy management process for CARS Database System
Personally-identifiable information and the CARS Database System
Why CARS Database System collects information
How CARS Database System uses information
How CARS Database System shares information
How CARS Database System provides notice and consent
How CARS Database System ensures data accuracy
How CARS Database System provides redress
How CARS Database System secures information
How long CARS Database System retains information
System of Records
Overview of National Highway Traffic Safety Administration (NHTSA) privacy management process for CARS Database System
The National Highway Traffic Safety Administration (NHTSA), within the Department of Transportation (DOT), has been given the responsibility to carry out the Consumer Assistance to Recycle and Save Act of 2009 (the CARS Act) (Pub. L. No. 111-32), which the President signed into law on June 24, 2009. The Act establishes a temporary program under which an owner of a motor vehicle meeting statutorily specified criteria may trade in the vehicle and receive a monetary credit from the dealer toward the purchase or lease of a new motor vehicle meeting statutorily specified criteria (the CARS Program or Program).
The CARS Program covers qualifying transactions that occur between July 1, 2009 and November 1, 2009. If all of the conditions of eligibility are met and the dealer provides NHTSA with sufficient documentation relating to the transaction (much of which is obtained by the dealer directly from the consumer), NHTSA will make an electronic payment to the dealer equal to the amount of the credit extended by the dealer to the consumer, not exceeding the statutorily authorized amount. The dealer must agree to transfer the trade-in vehicle to a salvage auction or disposal facility that will crush or shred it so that it will never be returned to the road, although parts of the vehicle other than the engine block may be sold prior to disposal.
Under the CARS Program, NHTSA must collect a variety of information from individuals and entities about qualifying transactions. Vehicle manufacturers must provide data about vehicles and authorized dealers. Dealers must provide information about their business operations and individual financial transactions, including some information and documentation obtained by the dealer directly from the consumer. Automobile salvage auctions and disposal facilities may be required to provide comparable data about their business operations and information confirming the sale or destruction of trade-in vehicles. This information is required to ensure compliance with the terms of the CARS Act, specifically, to verify that purchasing consumers, new and trade-in vehicles, dealers, salvage auctions, and disposal facilities are eligible to participate in the Program; to identify, prevent, and penalize fraud; and to confirm appropriate disposal of the trade-in vehicles. Participating car buyers/lessees also will be asked by dealers to complete, on a voluntary basis, an anonymous survey about the Program for use in reporting to Congress on the efficacy of the Program, as mandated by the CARS statute. Additionally, under the Act, NHTSA is required to coordinate with the US Department of Justice (DOJ) to ensure that the National Motor Vehicle Title Information System (NMVTIS) (which is administrated by the American Association of Motor Vehicle Administrators (AAMVA)) is updated appropriately to reflect the disposal of vehicles traded in under the CARS Program.
In order to support the CARS program, NHTSA will utilize one or more secure databases (i.e., the CARS Database System) to collect, process, and store information about eligible transactions and car purchasers/lessees, dealers, salvage auctions, and disposal facilities participating in the CARS program. Privacy is an integral part of NHTSA's management of the CARS Database System. In this regard, DOT/NHTSA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and NHTSA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing NHTSA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appoint a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the CARS system to ensure that all uses of personally identifiable data, along with the risks involved with such use, are identified and documented.
- Organize the resources necessary for the project's goals. Internal DOT/NHTSA resources and multiple external resources are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The internal DOT/NHTSA resources and external resources identified above will work to develop an effective policy or policies, practices, and procedures to ensure compliance with fair information practices. The policies effectively protect privacy while allowing DOT/NHTSA to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training of all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the NHTSA project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints can be effectively addressed and corrections made if necessary.
Personally-identifiable information and the CARS Database System
The CARS Database System contains both Personally Identifiable Information (PII) and non-PII about purchasing/leasing consumers, new car dealers, salvage auctions, and disposal facilities participating in the CARS Program, as described below. To the extent that purchasing/leasing consumers are individuals and salvage auctions and disposal facilities are sole proprietors, information about them constitutes PII. Car dealers consist of entities only; no information about car dealers qualifies as PII.
New Car Dealers: NHTSA receives from Original Equipment Manufacturers (OEMs) lists of new car dealers with current franchise agreements that are updated on an ongoing, periodic basis. The OEM lists contain information about each new car dealer, including the legal name of the business under State law, physical address, mailing address, tax identification number, State business license number, OEM franchise identification number, and a primary contact at the dealer. NHTSA enters this non-PII into the CARS system and then uses the system to generate certified letters to the dealers on the OEM-provided lists, inviting them to register to participate in the CARS Program. Each letter contains a unique user name and password to enable the dealer to log on to the CARS system for purposes of registering to participate in the CARS Program. Dealers log on through NHTSA's CARS.gov web site, which redirects them to a secure system portal. After using their unique user name and password to log on, dealers complete their CARS Program registration by submitting additional non-PII, including banking information, some of which is sensitive but none of which qualifies as PII.
Participating dealers also use unique user names and passwords to log onto the CARS system for purposes of submitting to NHTSA records about individual financial transactions. This may include information about the dealer's business operations.
Purchasing Consumers: Participating dealers enter into the CARS Database System information and scanned documents relating to individual financial transactions, including PII about purchasing/leasing consumers participating in the CARS Program that is obtained by the dealer directly from the consumer. Records about individual buyers/lessees consist of anonymous survey records containing no PII and transaction records including the following PII data elements: a NHTSA-assigned transaction code; name and address of the purchaser/lessee; the purchaser/lessee's State driver's license number or other State identification number (ID); the State driver's license number or other State identification number of the co-purchaser/lessee (if any), as listed in the title; and the Vehicle Identification Number (VIN) of the trade-in vehicle and the VIN of the new vehicle. Depending on the State and content of the sales contract, PII also may be found on the following documents required to be scanned by dealers and entered into the system: document of title of trade-in vehicle (or, in certain States, documentation of paper-less title), proof of insurance for trade-in vehicle (cards or letter from insurer), trade-in registration, sales summary sheet, and salvage certificate. In addition, consumer complaint information obtained by DOT/NHTSA employees or contractors directly from consumers through NHTSA's CARS Hotline contains the following PII elements: names and telephone numbers.
Automobile Salvage Auctions and Disposal Facilities: The records entered into the CARS Database System by dealers about individual financial transactions also include Salvage Certifications relating to disposal of trade-in vehicles that may contain the following PII data elements about sole proprietors of salvage auctions and disposal facilities participating in the CARS Program: name, email address and, to the extent that such individuals operate their businesses out of their homes, home address and home telephone number.
Why CARS Database System collects information
The CARS Database System collects PII and non-PII in order to implement and administer the CARS Program and to ensure compliance with the terms of the CARS Act, including verifying that purchasing/leasing consumers, new and trade-in vehicles, dealers and disposal facilities are eligible to participate in the Program. The information also is used to identify, investigate and punish program fraud; update the U.S. Department of Justice's NMVTIS database to reflect the disposal of vehicles traded in under the CARS Program; and report to Congress on the efficacy of the Program.
How CARS Database System uses information
The CARS Database System stores PII and non-PII and makes records containing these data available to appropriate DOT, NHTSA and OIG personnel involved in implementing and administering the CARS Program, on a need-to-know basis. NHTSA personnel and contractors use PII about individual car buyers/lessees and sole proprietor salvage auctions and disposal facilities to: (1) determine if individual transactions satisfy CARS program requirements; (2) send information about eligible transactions to a DOT financial management system to process vouchers and cause dealers to be paid by DOT/NHTSA for eligible transactions; (3) compare dealer-entered information in the CARS Database System to purchaser and transactional information already within the system to ensure compliance with program requirements and for audit purposes; (4) confirm proper disposal of trade-in vehicles; and (5) prevent, identify, and investigate program violations and fraud.
How CARS Database System shares information
As directed by the CARS Act, NHTSA shares VINs of trade-in vehicles sold or destroyed under the CARS program with the U.S. Department of Justice (DOJ) and its contractor (AAMVA) for purposes of updating DOJ's NMVTIS database. Authorized DOT, NHTSA, and OIG personnel may also share PII with State Attorneys General, the National Association of Attorneys General (NAAG), and DOJ officials for purposes of investigating or prosecuting program fraud.
NHTSA also shares with States lists of VINs of trade-in vehicles for which they issued car titles, for purposes of cancelling the car titles.
Information from this System may also be shared for reasons applicable to all DOT systems, as described in the Prefatory Statement of General Routine Uses published in the Federal Register at 65 FR 19476 (April 11, 2000).
How CARS Database System provides notice and consent
NHTSA's CARS.gov website contains a Privacy Act Statement (telling the record subject the authority for seeking the information and whether its disclosure is mandatory or voluntary, the principal purpose for which the information will be used, the routine uses of the information, and the effects of not providing the requested information) relating to NHTSA's collection of PII under the CARS Program. This same Privacy Act Statement appears directly beneath the dealer and consumer signature lines on a Summary of Sale Certification that both parties must sign and that is among the documents a dealer must scan into the CARS Database System and electronically submit to NHTSA for each financial transaction seeking to qualify for a credit under the CARS Program. Additionally, NHTSA's CARS Final Rule and/or the Standard Operating Procedure (SOP) for dealers instructs dealers to provide to each consumer a copy of the Privacy Act Statement at or prior to the time of PII collection.
The CARS survey form does not collect PII and therefore does not include a Privacy Act Statement. Participating car buyers/lessees are informed that the survey is anonymous and are asked to complete it on a strictly voluntary basis.
How CARS Database System ensures data accuracy
Transaction information pertaining to individual purchasers/lessees is obtained by car dealers, on behalf of NHTSA, directly from the individual consumers, from source documents the individuals provide to the dealers (some of which are scanned into the database by the dealer), and/or directly from their new and trade-in cars. Dealers scan and/or enter the information into the CARS database and manually compare the information to the source documents or systems to verify its accuracy. NHTSA personnel and contractors then review the records to ensure accuracy prior to assessing the eligibility of individual transactions. Business operations information about any sole proprietor salvage auctions and disposal facilities is obtained directly from the proprietors.
For each transaction record in the CARS Database System, NHTSA personnel and/or contractors verify the accuracy of the PII and non-PII data in the record by comparing the contents of the transaction record to hard copies of the transaction documents scanned and submitted by the dealer. NHTSA also retrieves records directly from system feeds and associated electronic documents submitted by dealers through the CARS Database System. Before a transaction is accepted into the CARS Database System, CARS runs several data integrity and validation checks. Once a transaction passes validation, its data are accepted into the CARS Database System. At this point, NHTSA personnel or contractors review the records to find missing, inaccurate, or duplicate data. For missing or inaccurate data, CARS staff instruct the dealer who collected the information to complete or correct it and then resubmit the transaction record to the CARS Database System.
For anti-fraud purposes, each party to a transaction (consumer, dealer, and disposal facility) is required to sign or certify certain records, so information is less vulnerable to alteration and repudiation.
How CARS Database System provides redress
To address a privacy concern or data inaccuracy, at any time, an individual can contact the CARS System Manager (NPO-400), Office of the Chief Information Officer, NHTSA, 1200 New Jersey Avenue, S.E., Washington, DC 20590.
How CARS Database System secures information
The CARS Database System uses a secure encrypted Internet protocol to protect the data being transmitted from the dealer to the System. The central CARS database is only accessed using a secure user name and password and is protected by a managed firewall and an encrypted network to prevent unauthorized access to data from outside sources. Transmittal of data from the CARS Database System to other systems requiring information is performed using encrypted virtual network connections.
The CARS Database System is maintained in secure federal and contractor-owned or managed buildings. The System is hosted on servers located in a secure contractor-owned facility at Oracle On Demand in Austin, Texas. Physical access to the servers is limited to appropriate federal and contractor personnel through building badges. Personnel with physical access all have undergone and passed appropriate background verifications.
All CARS staff and contractors are briefed on CARS security requirements and their individual responsibilities for ensuring the security of information in the CARS Database System. They also receive basic security training that includes privacy components. Due to the extremely short, 4-month timeframe for completing the CARS program, CARS users may not receive CARS-specific security training (other than the security briefing).
Access to records in the CARS Database System is limited to DOT and NHTSA personnel and contractors who have a need to know for purposes of administering the CARS Program. Their access is controlled by means of a password-protected application, in accordance with their roles and responsibilities under the Program. The System is safeguarded against unauthorized access by firewalls and a secured operating system. In addition, bank account information and a limited amount of eligible transaction information are encrypted and sent securely to DOT's financial management system for purposes of effecting payments to participating dealers for eligible transactions. Registered dealers' access to the CARS Database System is restricted and controlled through a password-protected portal; each dealer's access is limited to the financial transaction records entered by that same dealer.
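The pre-acceptance integrity checks and duplicate detection described under data accuracy above, together with the dealer-scoped and need-to-know access rules in this section, as a constructed Python illustration added here (it is not the CARS Database System's own code). The field names, role names, the 17-character VIN rule and every sample value are assumptions made for the example.

```python
from dataclasses import dataclass
import re

# Data elements the assessment lists for a transaction record; the key names are
# assumptions for this example, not the CARS schema.
REQUIRED_FIELDS = ("transaction_code", "purchaser_name", "purchaser_address",
                   "purchaser_state_id", "trade_in_vin", "new_vin")
# Assumed VIN shape: 17 characters, digits and capital letters other than I, O, Q.
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")
# Assumed names for the need-to-know NHTSA/OIG roles.
NHTSA_ROLES = {"nhtsa_reviewer", "oig_auditor"}


@dataclass
class Transaction:
    dealer_id: str   # dealer that entered the record
    fields: dict     # data elements keyed by the names in REQUIRED_FIELDS


def validate_transaction(record, store):
    """Integrity checks run before a record is accepted into the store.
    Returns a list of problem tags; an empty list means the record is accepted.
    Missing or malformed data goes back to the dealer for correction; a trade-in
    VIN or transaction code already in the store is flagged as a duplicate, since
    one trade-in vehicle may earn only one credit."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not str(record.fields.get(name, "")).strip():
            problems.append("missing:" + name)
    for name in ("trade_in_vin", "new_vin"):
        vin = record.fields.get(name, "")
        if vin and not VIN_RE.match(vin):
            problems.append("malformed:" + name)
    if record.fields.get("transaction_code") in {t.fields.get("transaction_code") for t in store}:
        problems.append("duplicate:transaction_code")
    if record.fields.get("trade_in_vin") in {t.fields.get("trade_in_vin") for t in store}:
        problems.append("duplicate:trade_in_vin")
    return problems


def submit(record, store):
    """Accept the record only if validation passes; returns the problem list."""
    problems = validate_transaction(record, store)
    if not problems:
        store.append(record)
    return problems


def visible_records(user_id, role, store):
    """Dealer-scoped access: a dealer sees only records it entered itself;
    need-to-know NHTSA/OIG roles see all records; any other role sees none."""
    if role == "dealer":
        return [t for t in store if t.dealer_id == user_id]
    return list(store) if role in NHTSA_ROLES else []


def _record(dealer, code, trade_vin, new_vin, name="A. Buyer"):
    """Builds a constructed sample record (all values are made up)."""
    return Transaction(dealer, {
        "transaction_code": code, "purchaser_name": name,
        "purchaser_address": "1 Main St, Anytown, ST", "purchaser_state_id": "D1234567",
        "trade_in_vin": trade_vin, "new_vin": new_vin})


def demo():
    """Constructed walk-through: one good record, one duplicate trade-in, one incomplete."""
    store = []
    ok = submit(_record("D001", "TC-0001", "1HGBH41JXMN109186", "2HGFA16598H000001"), store)
    dup = submit(_record("D002", "TC-0002", "1HGBH41JXMN109186", "3FAHP0HA1AR000002"), store)
    bad = submit(_record("D002", "TC-0003", "SHORTVIN", "3FAHP0HA1AR000002", name=""), store)
    return store, ok, dup, bad
```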
Authorized users at NHTSA Headquarters access their records in the CARS Database System via the DOT Intranet. Authorized users at the NHTSA portal locations and at the contractor portal locations access their records in the CARS Database System via the Internet at www.cars.gov.
The password-protected portals are located at:
- The business locations of registered, participating new car dealers;
- NHTSA Headquarters, located at 1200 New Jersey Avenue, various NHTSA regional offices, and other off-site locations used in connection with the CARS Program; and
- The off-site facilities of NHTSA and DOT contractors.
Because the system provides for most records to be created, maintained and used electronically, the need for paper records that could contain PII is greatly reduced. Electronically-stored CARS-related records containing PII are maintained in secure files and environments. Any hard copies of CARS-related records containing PII at DOT, NHTSA and contractor portal locations are kept in file folders locked in secure file cabinets during non-duty hours.
Members of the public are not able to access the CARS Database System.
How long CARS Database System retains information
Under the CARS Final Rule, records created under the CARS Program will be kept for 5 years. Records that are needed longer, such as to resolve claims and audit exceptions and to prosecute fraud, will be retained until such matters are resolved.
System of Records
Because the CARS Database System contains PII that is retrieved by personal identifier (e.g., by an individual car buyer/lessee's State ID number or, in the case of electronic consumer complaint files, by the car buyer/lessee's name or telephone number), it is a system of records subject to the Privacy Act.