DEPARTMENT OF TRANSPORTATION
Office of the Secretary of Transportation (OST)
PRIVACY IMPACT ASSESSMENT
Drug & Alcohol Testing Management Information System (DATMIS)
November 21, 2008
TABLE OF CONTENTS
Overview of Privacy Management Process
Personally Identifiable Information (PII) & DATMIS
Why DATMIS Collects Information
How DATMIS uses information
How DATMIS Shares Information
How DATMIS Provides Notice and Consent
How DATMIS Ensures Data Accuracy
How DATMIS Provides Redress
How DATMIS Secures Information
How Long DATMIS Retains Information
System of Records
The Drug Alcohol Testing Management Information System (DATMIS) is a major departmental application used to randomly select DOT employees in safety or security sensitive positions for drug and alcohol testing. The system is also used to record and store the results of drug testing.
Privacy management is an integral part of the DATMIS system. OST has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and established methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and OST will have the information, tools and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing OST to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following steps:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the DATMIS system to ensure that privacy risks are identified, addressed and documented.
- Organize the resources necessary for the project's goals. Internal OST resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing OST to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the OST project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made, if necessary.
Name, SSN, grade series, work location, work city and state.
DATMIS is used to record and store the results of drug and alcohol testing for randomly selected DOT employees in safety or security sensitive positions.
DATMIS automates the mission and functions of the Departmental Drug Office to track drug test results and related actions.
Personnel data is received from the Federal Personnel and Payroll System (FPPS) in a file that is downloaded via FTP and uploaded to DATMIS. Random selections are generated every two months. Once test results are received they are downloaded from the lab via FTP into DATMIS and matched to the applicable personnel records.
When an individual accepts a position, they are notified that they are subject to drug and/or alcohol testing. Consent is not required for test administration. Consent is required for release of results beyond the intended DOT employer. A signed waiver must be provided by the employee before their information can be released beyond the intended DOT employer.
Data is not updated manually, but provided via flat files from FPPS so the data is as accurate as we receive it. Data received from the laboratory via flat fiat file can not be edited by staff members. If changes are required, the laboratory resends the data.
Individuals receive test results from their drug program coordinator. If the employee feels there is a problem they address it with the drug program coordinator.
DATMIS takes appropriate security measures to safeguard PII and other sensitive data. DATMIS applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of OST employees and contractors.
|FAA Drug Program Coordinator||
Data is retained indefinitely in its unaltered state as received from FPPS.
DATMIS contains information that is part of existing System of Records subject to the Privacy Act, because it is searched by an individual's SSN, Name, and Specimen ID number. In some cases, such as DOT/OST 101, the Department of Transportation controls the data and maintains System of Records responsibilities. In other cases, other government entities providing DATMIS source data control the data and retain Privacy Act responsibilities.
OST has certified and accredited the security of DATMIS in accordance with DOT information technology security standard requirements.