DEPARTMENT OF TRANSPORTATION
PRIVACY IMPACT ASSESSMENT
PAYROLL MANAGEMENT INFORMATION SYSTEM (PMIS)
March 8, 2009
The Maritime Administration, within the Department of Transportation, has been given the responsibility to improve and strengthen the U.S. marine transportation system. The Maritime Administration programs promote the development and maintenance of an adequate, well-balanced United States merchant marine, sufficient to carry the Nation's domestic waterborne commerce and a substantial portion of its waterborne foreign commerce, and capable of service as a naval and military auxiliary in time of war or national emergency.
Payroll Management Information System uses social security numbers (SSNs) to match records from FPPS and CASTLE for payroll labor distribution. This includes complete payroll information on all (active and inactive) MARAD employees and which programs they charge to. It also provides management information to Program Managers on labor charges to their programs. Lastly, the system provides projection of future labor cost per project code.
Information, Including Personally Identifiable Information (PII), in the Payroll Management Information System
Payroll Management Information System (PMIS) is the basis for MARAD labor tracking. PMIS uses social security numbers (SSNs) to match records from FPPS and CASTLE for payroll labor distribution. This includes complete payroll information on all (active and inactive) MARAD employees and which programs they charge to. It also provides management information to Program Managers on labor charges to their programs.
Further, PMIS provides a calculated, labor-driven projection of future labor cost within each MARAD project. That data is the basis for ensuring project labor costs don't turn into overruns.
Why Payroll Management Information System Collects Information
The Maritime Administration (MARAD) is dedicated to continuing the revitalization of a strong U.S. Merchant Marine. U.S. Merchant Mariners play a vital role in the national and economic security of our country. Throughout history, mariners have always answered the call to serve, whether in time of war or peacetime emergencies. MARAD employees are identified via social security numbers in both PMIS and in the CASTLE system that is used by all of DOT.
Identification of common records between both systems depends on the accuracy of the social security number match with name. PMIS relies on extracts from external data systems and intends to use the Employee Common ID to replace the SSN. However, until all systems that PMIS interfaces with have converted to using the Employee Common ID, PMIS still needs the SSN field to relate the data between those systems. Forty-three (43) tables have been identified that contain the full 9-digit SSN. Fourteen (14) of these tables represent core application data; the rest are temporary or staging data used as part of the import process.
Legal Authority for Information Collection
The Maritime Domain Awareness (MDA) program and the Maritime Security Act of 2003 are the legal authority for information collection for MARAD systems.
How Payroll Management Information System Uses Information
The information is utilized for project management and forecasting labor charges.
How Payroll Management Information System Shares Information
Payroll Management Information System is a web-based application that is centrally housed at the NASA Stennis Space Center in Mississippi.
How Payroll Management Information System Provides Notice and Consent
Payroll Management Information System data usage is contained within US DOT and MARAD Human Resources, and participation is mandatory upon hire.
How Payroll Management Information System Ensures Data Accuracy
Data quality and relevance are the sole responsibility of the information providers. Payroll Management Information System has incorporated data integrity techniques into its infrastructure.
The data elements are described in detail in the interface control documents as well as the logical data model.
How Payroll Management Information System Provides Redress
Data used in Payroll Management Information System is obtained from CASTLE. The source of data and the possible ability to decline would be at the data sources' level.
Payroll Management Information System data usage is specified in the MOA/MOU defined with FAA. The data providers are the owners of the data and will have license to provide the data to Payroll Management Information System or not to.
How Payroll Management Information System Secures Information
Payroll Management Information System takes appropriate security measures to safeguard PII and other sensitive data. Payroll Management Information System applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of Maritime Administration employees and contractors.
Data access is determined by permission levels and role-based access controls. Users have certain rights based on account type. Users entering Payroll Management Information System are required to authenticate with a unique identification and password. System security policy guidelines provide for the creation of secure complex passwords. Users register for an account on the Payroll Management Information System application. The Payroll Management Information System accounts manager reviews each request and then approves or denies access to Payroll Management Information System.
| System Administrator | Full Access | Administrators have permissions to provide management of the infrastructure |
| Maritime Administration Manager | Read, Write, Modify | Managers have limited permissions based on roles; they have the ability to manage the application |
| Maritime Administration User | Read, Write | Users are limited by role-based permissions that allow them to write new data and to run reports |
| Other Federal Entity | Read | Other federal agency users are restricted by role-based permissions to only view data and run reports |
| Industry Partner | Read | Industry Partners are restricted by role-based permissions to only view data and run reports |
After initial certification and accreditation, Payroll Management Information System will have a Certification and Accreditation performed every 3 years to ensure it meets agency and Federal requirements. Additional activities are performed more frequently to ensure Payroll Management Information System meets regulatory security requirements.
A favorable risk assessment was performed in 2008 for the Payroll Management Information System. Unacceptable risks found during this risk assessment were noted in a plan of action and milestones document and were subsequently remediated by the system owner.
The Maritime Administration IT Security team performs continuous monitoring activities for the Payroll Management Information System at different frequencies. Operating system and application patches are verified on a weekly basis. Application scanning is used to identify insecure coding practices, improper configurations, and areas of non-compliance with privacy laws. Furthermore, an Intrusion Prevention System aids in the detection of potential intruders and minimizes their impact if an intrusion succeeds.
How Long Payroll Management Information System Retains Information
Data retention will be based on legal requirements pertaining to contractual service obligations.
System of Records
Payroll Management Information System contains information that is part of a System of Records subject to the Privacy Act, because it is searched by an individual's social security number. In some cases, such as DOT/OST, the Department of Transportation controls the data and maintains System of Records responsibilities.
Payroll Management Information System has been certified and accredited in accordance with DOT information technology security standard requirements.