DEPARTMENT OF TRANSPORTATION
FEDERAL AVIATION ADMINISTRATION
Privacy Impact Assessment
Compliance and Enforcement Tracking System (CETS)
June 12, 2006
TABLE OF CONTENTS
Overview of Privacy Management Process for the Compliance and Enforcement Tracking System (CETS)
Personally-Identifiable Information and CETS
Why CETS Collects Information
How CETS Uses Information
How CETS Shares Information
How CETS Ensures Data Accuracy
How CETS Provides Redress
How CETS Retains and Destroys Data
How CETS Secures Information
System of Records
The FAA, within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs to regulate the aviation industry. The Drug Abatement Division is responsible for ensuring the safety of our flying public by regulating the aviation industry's compliance with the drug and alcohol regulations set forth in 14 CFR part 121, Appendices I and J, and 49 CFR part 40. One of the programs that helps the Drug Abatement Division fulfill this mission is the CETS application, which documents all of the enforcement activity by the Drug Abatement program inspectors/investigators.
CETS allows the Division Management Team to monitor its inspectors/investigators workload, provide statistical information to support the drug and alcohol programs, and to monitor other day-to-day activities.
Privacy is an integral part of CETS. DOT/FAA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to ensure that DOT and FAA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FAA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in CETS to ensure that privacy risks are identified and documented.
- Organize the resources necessary for the project's goals. DOT/FAA staff, along with outside experts, review the technology, data uses, and associated risks. They also develop the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The privacy management team develops policy or policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing DOT/FAA to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the FAA project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.
CETS contains both Personally Identifiable Information (PII) and non-personally identifiable information pertaining to aviation employers and employees. For an individual's PII to be included in CETS, the information is entered by a specific individual and not available under the search function.
For an individual's violation to be included into CETS, the individual would have tested positive on a drug test, had a alcohol violation, refused to submit to drug and/or alcohol testing, performed safety-sensitive functions without complying with the return-to-duty requirements or other drug and alcohol violations. For a company related violation, such as failure to conduct pre-employment testing or when an individual provides a witness statement, an individual could also be included into CETS. An individual (company's officers, managers, employees, and service agents) may also be included into CETS as a result of company inspection or investigation. The following information may be included in CETS:
- Person's Name
- Person's social security number or other unique identifier.
- Employee's Address w/ City, State and Zip Code (for individual violations)
- Business address for company related violations
- Person's occupational category
- Drug and/or alcohol test results
- Related enforcement activities
CETS collects PII in order to track the progress of investigations and inspections, monitor and report statistical information on the enforcement activities, and allow inspectors/investigators to view reported incidents against employees and companies to ensure compliance.
This information is for FAA internal use only. It is used to report on statistical information, monitor employer compliance, document investigations/inspections and track inspector/investigator workload.
CETS information is shared with the Enforcement Information Subsystem (EIS) and other FAA investigative or legal offices. EIS is the FAA's enforcement tracking subsystem. It is a centralized automated database designed to assure air safety through effective administration of regulations at the headquarters and regional levels.
CETS receives data directly from inspectors and investigators and the accuracy of information is ensured through managerial review of the data. CETS also receives data from FAA systems such as Operations Specifications, Vitals and EIS.
At any time, individuals and companies may request searches of CETS to determine if any records pertain to them. The request should be sent to:
Federal Aviation Administration
Office of Aerospace Medicine
Drug Abatement Division
Attn: Manager, Program Policy Branch, AAM-820
800 Independence Avenue S.W. (Room 806)
Washington, D.C. 20591
The Program Policy Branch Manager will assist companies and individuals in making appropriate changes in CETS. FAA does not allow public access through the Internet to the information stored in CETS.
Information in CETS is retained for 10 years then is destroyed as appropriate. Case files involving "No Action" are closed within 30 days after the case should be closed in EIS. Duplicate copies of legal enforcement reports are maintained in the Office of Aerospace Medicine and are shredded after the case has been closed in the Office of Chief Counsel. NARA Request for Records Disposition Authority (for electronic records) retained in CETS is pending.
Access to CETS is limited to authorized Drug Abatement staff members and support personnel who have a valid User Login ID and password. Upon initial access, the authorized users will be prompted to change the default password given to all new CETS users.
Physical access to the CETS system is limited to authorized personnel. FAA and support personnel with physical access have all passed DOT background checks.
In addition, access to CETS PII is limited according to job function. FAA controls access privileges to the following roles:
- FAA Drug Abatement Managers
- FAA Drug Abatement Inspectors/Investigators
- System Administrators and Developers
- Support Personnel
All roles will have the following safeguards:
- Passwords expire after a set period.
- Accounts are locked after a set period of inactivity.
- Minimum length of passwords is eight characters.
- Passwords must be a combination of letters and numbers
- Accounts are locked after a set number of incorrect attempts.
System Administrators and support personnel have greater access to the system to develop and maintain the system.
CETS is a system of records subject to the Privacy Act because it may be searched by an individual's unique identifier. A Privacy Act system of records notice is under development.
FAA has certified and accredited the security of CETS in accordance with DOT standard requirements.