DEPARTMENT OF TRANSPORTATION
Office of the Secretary (OST)
PRIVACY IMPACT ASSESSMENT
CASTLE

August 12, 2004


Table of Contents

Overview of Office of the Secretary (OST) privacy management process for CASTLE
Personally identifiable information and CASTLE
Why CASTLE collects information
How CASTLE uses information
How CASTLE shares information
How CASTLE provides notice and consent
How CASTLE ensures data accuracy
How CASTLE secures information
System of records

Overview of Office of the Secretary (OST) privacy management process for CASTLE

The Office of the Secretary (OST), within the Department of Transportation (DOT), has been given the responsibility of formulating national transportation policy and promoting intermodal transportation. Other responsibilities include negotiation and implementation of international transportation agreements, assuring the fitness of US airlines, enforcing airline consumer protection regulations, issuing regulations to prevent alcohol and illegal drug misuse in transportation systems, improving the security of the national transportation system, and preparing transportation legislation.

As part of its support function for DOT, OST is moving its current time and attendance system, Integrated Personnel and Payroll System (IPPS), to a new Web-enabled and more efficient system, CASTLE. CASTLE will manage a full range of Human Resource (HR) time and attendance collections for DOT employees. To accomplish this, CASTLE stores and maintains HR-related personnel data on current employees, and maintains data on former employees for 52 weeks after their separation before destroying those data. The CASTLE system is currently in product development and testing. When deployed, CASTLE will be accessed by DOT employees through a password-protected intranet Website.

Privacy management is an integral part of the CASTLE project. DOT/OST has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, methodologies, and sound policies and procedures.

The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and OST will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing OST to achieve its mission of protecting and enhancing all U.S. civil transportation systems. The methodology is based upon the following:

  •     Establish priority, authority, and responsibility. Appoint a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
  •     Assess the current privacy environment. This involved interviews with key individuals involved in the CASTLE system to ensure that all uses of Personally Identifiable Information (PII), along with the risks involved with such use, are identified and documented.
  •     Organize the resources necessary for the project's goals. Internal DOT/OST resources, along with outside experts, are involved in reviewing the technology, data uses and associated risks. They are also involved in developing the necessary redress systems and training programs.
  •     Develop the policies, practices, and procedures. The resources identified in the paragraph immediately above work to develop an effective policy or policies, practices, and procedures to ensure that fair information practices are complied with. The policies effectively protect privacy while allowing DOT/OST to achieve its mission.
  •     Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training of all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the OST project.
  •     Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
  •     Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.

Personally Identifiable Information (PII) and CASTLE

The CASTLE system uses both PII and non-PII data to manage time and attendance functions throughout DOT. In addition to current employee PII, CASTLE may also contain PII of former employees for 52 weeks, helping to ensure that former employees' rights are protected. CASTLE PII may include name, social security number, and employment status.

In addition, CASTLE uses logon names and passwords to control access. Therefore, CASTLE also contains the name and password of each DOT user and associates the data with that individual.

An individual's PII enters the CASTLE system when that person is hired by DOT. CASTLE receives employee data from other DOT systems, including the Consolidated Personnel Management Information System (CPMIS), the Consolidated Uniform Payroll System (CUPS), and IPPS.

Why CASTLE collects information

CASTLE collects information in order to fulfill basic time and attendance functions, such as recording and tracking vacation taken, personal time taken, and work project time. CASTLE interfaces with other DOT HR systems to send information necessary to record employee pay and HR actions appropriately. The CASTLE system collects PII only when an individual becomes an employee of DOT.

How CASTLE uses information

Information in CASTLE is used to monitor and manage time and attendance functions. CASTLE uses PII to identify an individual and ensure that the time and attendance information is accounted to the correct individual.

How CASTLE shares information

CASTLE shares PII with other HR systems, such as payroll and other similar systems. CASTLE shares name and social security number with other systems to ensure the time and attendance information logs to the correct individual's record.

How CASTLE provides notice and consent

Entry of PII into CASTLE is a necessary condition of any employment relationship with DOT, and individuals provide PII for that purpose. DOT does not use CASTLE PII for secondary purposes; therefore, consent for secondary uses is not needed.

How CASTLE ensures data accuracy

CASTLE receives PII primarily from other HR-related systems, each with data quality procedures and processes. At any time, an individual can request information on his or her PII and may request some changes as appropriate.

How CASTLE secures information

The CASTLE system is housed in Oklahoma City, Oklahoma. Personnel with physical access have all undergone and passed DOT background checks.

In addition to physical access, electronic access to PII in CASTLE is limited according to a matrix of job function and accounting activities. Different users are provided different levels of access.

OST controls access privileges through the following roles:

  •     Employee User
  •     Technical Administrator

The following matrix describes the privileges and safeguards around each of these roles as they pertain to PII.

Role: Employee User

Access: View, enter, and change time and attendance information pertaining only to his or her own record.

Safeguards:

  •     Passwords expire after a set period.
  •     Accounts are locked after a set period of inactivity.
  •     Minimum length of passwords is eight characters.
  •     Accounts are locked after a set number of incorrect attempts.

Role: Technical Administrator

Access: Variable, depending on job responsibilities. Permissions may include a combination of:

  •     View and change all PII.
  •     Manage user profiles.
  •     Grant permissions for grant actions.

Safeguards:

  •     Passwords expire after a set period.
  •     Accounts are locked after a set period of inactivity.
  •     Minimum length of passwords is eight characters.
  •     Accounts are locked after a set number of incorrect attempts.

Role: Headquarter TEAM Administrator

Access: Variable, depending on job responsibilities:

  •     View and change all data in system.
  •     Create and manage user profiles.

Safeguards:

  •     Passwords expire after a set period.
  •     Accounts are locked after a set period of inactivity.
  •     Minimum length of passwords is eight characters.
  •     Accounts are locked after a set number of incorrect attempts.

Access for all CASTLE users, regardless of permissions, is protected through a user ID and password combination with the following safeguards:

  •     Passwords expire after a set period
  •     Accounts are locked after a set period
  •     Minimum length of passwords is eight characters
  •     Accounts are locked after a set number of incorrect attempts
  •     A CASTLE session closes after a period of inactivity

In addition, CASTLE maintains an audit trail of all CASTLE transactions, when those transactions are processed, and the individual(s) who initiated them. OST regularly monitors this audit trail.

OST trains users on CASTLE and privacy responsibilities through instructor-led training. In addition, OST staff complete annual specialized security training.

System of records

CASTLE replaces IPPS, which was the prior system of records subject to the Privacy Act. For that purpose, its Privacy Act System of Records notice is listed under DOT/ALL 11. DOT is currently working to amend the system of records accordingly. OST has certified and accredited CASTLE in accordance with DOT Information Technology security requirements.

Updated: Friday, April 6, 2012