Policy Document

PIA - PAYROLL MANAGEMENT INFORMATION SYSTEM (PMIS)

DEPARTMENT OF TRANSPORTATION
Maritime Administration

  PRIVACY IMPACT ASSESSMENT 
  PAYROLL MANAGEMENT INFORMATION SYSTEM (PMIS) 

March 8, 2009


System Overview

The Maritime Administration, within the Department of Transportation, has been given the responsibility to improve and strengthen the U.S. marine transportation system. The Maritime Administration programs promote the development and maintenance of an adequate, well-balanced United States merchant marine, sufficient to carry the Nation's domestic waterborne commerce and a substantial portion of its waterborne foreign commerce, and capable of service as a naval and military auxiliary in time of war or national emergency. 

Payroll Management Information System uses social security numbers (SSNs) to match records from FPPS and CASTLE for payroll labor distribution. This includes complete payroll information on all (active and inactive) MARAD employees and which programs they charge to. It also provides management information to Program Managers on labor charges to their programs. Lastly, the system provides a projection of future labor cost per project code.

Information, including Personally Identifiable Information (PII) in the Payroll Management Information System

Payroll Management Information System (PMIS) is the basis for MARAD labor tracking. PMIS uses social security numbers (SSNs) to match records from FPPS and CASTLE for payroll labor distribution. This includes complete payroll information on all (active and inactive) MARAD employees and which programs they charge to. It also provides management information to Program Managers on labor charges to their programs. 

Further, PMIS provides a calculated, labor-driven projection of future labor cost within each MARAD project. That data is the basis for ensuring project labor costs don't turn into overruns.

Why Payroll Management Information System Collects Information

The Maritime Administration (MARAD) is dedicated to continuing the revitalization of a strong U.S. Merchant Marine. U.S. Merchant Mariners play a vital role in the national and economic security of our country. Throughout history, mariners have always answered the call to serve, whether in time of war or peacetime emergencies. MARAD employees are identified via social security numbers in both PMIS and in the CASTLE system that is used by all of DOT.

Identification of common records between both systems depends on the accuracy of the social security number match with name. PMIS relies on extracts from external data systems and intends to use the Employee Common ID to replace the SSN. However, until all systems that PMIS interfaces with have converted to using the Employee Common ID, PMIS still needs the SSN field to relate the data between those systems. Forty-three (43) tables have been identified that contain the full 9-digit SSN, of which fourteen (14) tables represent core application data; the rest are temporary or staging data used as part of the import process.

Legal Authority for Information Collection

The Maritime Domain Awareness (MDA) program and the Maritime Security Act of 2003 are the legal authority for information collection for MARAD systems.

How Payroll Management Information System Uses Information

The information is utilized for project management and forecasting labor charges.

How Payroll Management Information System Shares Information

Payroll Management Information System is a web-based application that is centrally housed at the NASA Stennis Space Center in Mississippi.

How Payroll Management Information System Provides Notice and Consent

Payroll Management Information System data usage is contained within US DOT and MARAD Human Resources, and participation is mandatory upon hire.

How Payroll Management Information System Ensures Data Accuracy

Data quality and relevance are the sole responsibility of the information providers. Payroll Management Information System has incorporated data integrity techniques into its infrastructure. 

The data elements are described in detail in the interface control documents as well as the logical data model.

How Payroll Management Information System Provides Redress

Data used in Payroll Management Information System is obtained from CASTLE. The source of data and the possible ability to decline would be at the data sources' level. 

Payroll Management Information System data usage is specified in the MOA/MOU defined with FAA. The data providers are the owners of the data and will have license to provide the data to Payroll Management Information System or not to. 

As provided for by the System of Records notice under the Privacy Act, individuals with questions about privacy and Payroll Management Information System may contact the Maritime Administration's Privacy Officer. The Maritime Administration privacy policy provides contact information for the Privacy Officer on the Payroll Management Information System.

How Payroll Management Information System Secures Information

Payroll Management Information System takes appropriate security measures to safeguard PII and other sensitive data. Payroll Management Information System applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of Maritime Administration employees and contractors. 

Data access is determined by permission levels and role-based access controls. Users have certain rights based on account type. Users entering Payroll Management Information System are required to authenticate with a unique identification and password. System security policy guidelines provide for the creation of secure complex passwords. Users register for an account on the Payroll Management Information System application. The Payroll Management Information System accounts manager reviews the request and then approves or denies access to Payroll Management Information System.

Role | Access | Safeguards
System Administrator | Full Access | Administrators have permissions to provide management of the infrastructure
Maritime Administration Manager | Read, Write, Modify | Managers have limited permissions based on roles, they have the ability to manage the application
Maritime Administration User | Read, Write | Users are limited by role based permissions that allow them to write new data and to run reports
Other Federal Entity | Read | Other federal agency users are restricted by role based permissions to only view data and run reports
Industry Partner | Read | Industry Partners are restricted by role based permissions to only view data and run reports

After initial certification and accreditation, Payroll Management Information System will have a Certification and Accreditation performed every 3 years to ensure it meets agency and Federal requirements. Additional activities are performed more frequently to ensure Payroll Management Information System meets regulatory security requirements. 

A favorable risk assessment was performed in 2008 for the Payroll Management Information System. Unacceptable risks found during this risk assessment were noted in a plan of action and milestones document that was subsequently remediated by the system owner. 

The Maritime Administration IT Security team performs continuous monitoring activities for the Payroll Management Information System at different frequencies. Operating system and application patches are verified on a weekly basis. Application scanning is used to identify insecure coding practices, improper configurations, and areas of non-compliance with privacy laws. Furthermore, an Intrusion Prevention System aids in the detection of potential intruders and minimizes their impact if they succeed.

How Long Payroll Management Information System Retains Information

Data retention will be based on legal requirements pertaining to contractual service obligations.

System of Records

Payroll Management Information System contains information that is part of a System of Records subject to the Privacy Act, because it is searched by an individual's social security number. In some cases, such as DOT/OST, the Department of Transportation controls the data and maintains System of Records responsibilities. 

Payroll Management Information System has been certified and accredited in accordance with DOT information technology security standard requirements. 

Updated: Friday, April 6, 2012