PIA - Employer Notification Service State Pilot Test
DEPARTMENT OF TRANSPORTATION
Federal Motor Carrier Safety Administration
PRIVACY IMPACT ASSESSMENT
Employer Notification Service State Pilot Test (ENS)
August 1, 2006
Table of Contents
Overview of Federal Motor Carrier Safety Administration (FMCSA) privacy management process for ENS
Personally-identifiable information (PII) and ENS
Why ENS collects information
How ENS uses information
How ENS shares information
How ENS provides notice and consent
How ENS ensures data accuracy
How ENS provides redress
How ENS secures information
System of records
FMCSA, within the Department of Transportation (DOT), has been given the responsibility to reduce crashes, injuries, and fatalities involving large trucks and buses. To meet these goals, FMCSA is in the process of assessing the value of deploying a nationwide system that would allow motor carriers to be more quickly informed of changes in the Commercial Driver’s License (CDL) status of the drivers that they employ. Currently, employers are required to perform a records check on each driver once per year. In addition, drivers are required to notify their employers within 30 days of a traffic conviction and within one day of a suspension of their CDL. Often times, drivers do not report these changes in a timely manner.
The agency has just completed a study that found that such a system would be both cost-beneficial and feasible. To further analyze the system, an 18-month pilot test will be conducted. The pilot test will be based in Colorado and, possibly, Minnesota. For purposes of conducting a pilot test, participating carriers will be able to register their drivers in a prototype system. A maximum of 2,000 drivers from each State will be enrolled. The system will notify the carrier via electronic mail when a driver has been convicted of a traffic-related offense. This electronic mail will direct the carrier to a secure website where information on the conviction can be obtained. If the carrier does not choose to access the information, it will be held in the system for a maximum of seven days. After that, it is deleted as the system is not intended to be a long-term accessible database of driver conviction data. It is intended to be a pointer system that alerts carriers to changes in their drivers’ CDL status in real time. The main goal of the project is to evaluate how carriers use this real time information and if it aids them in either modifying the affected drivers’ behavior or removing them from the road.
Privacy management is an integral part of the ENS project. FMCSA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and FMCSA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FMCSA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appoint a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the ENS system to ensure that all uses of PII data, along with the risks involved with such use, are identified and documented.
- Organize the resources necessary for the project’s goals. Internal DOT/FMCSA resources, along with outside experts, are involved in reviewing the technology, data uses and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph immediately above work to develop an effective policy or policies, practices and procedures to ensure that fair information practices are complied with. The policies effectively protect privacy while allowing DOT/FMCSA to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training of all individuals who will have access to and/or process PII. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the FMCSA project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures will be required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints can be effectively addressed and corrections made if necessary.
The ENS system uses both PII and non-personally identifiable information pertaining to conviction data. The system permanently holds only non-sensitive information provided by the employing carrier: name, CDL number, and employing carrier. Specific data on convictions is not retained.
Some designated individuals have direct access to ENS database. In order to manage access and appropriate permissions, FMCSA collects name, contact information, organization information, and other related information and maintains user IDs and passwords.
ENS collects driver information in order to send conviction information to their employing carrier and, ultimately, to assess the prototype system.
For individuals with direct access to ENS, FMCSA also collects necessary PII to authenticate users and restrict permissions, and ENS associates these individuals with user-created user IDs and passwords.
Once a driver’s conviction information is sent to the employing carrier, ideally, the carrier will either attempt to modify the driver’s behavior that led to the conviction or to remove him or her from the road.
FMCSA also provides direct access to ENS for some designated users. In order to control access, the FMCSA maintains name, contact information, user ID, password, and organization information on these users. FMCSA uses this PII to authorize or deny access, determine and set permissions, enable access, and contact users if concerns arise.
Designated members of the project team have direct access to driver PII data. Designated FMCSA staff members also have direct access to ENS for purposes of the project.
FMCSA may also share PII with other federal agencies to assist with national security or other compliance activities. FMCSA evaluates each request on an individual basis and oversees the process to ensure all Privacy Act procedures are followed.
ENS contains PII for drivers of commercial vehicles and their employing carriers. Drivers and commercial carrier representatives are required by law to provide PII as part of the inspection and crash data collection process and ENS does not provide additional notice or options for consent.
The ENS system provides some internal data quality and completeness checks. The carriers participating in the pilot test are responsible for inputting correct information for their drivers. In addition, the conviction data is received directly from the participating state. Therefore, it is the responsibility of the drivers and state official to ensure accuracy.
At any time, an individual, in writing or through email, may contact FMCSA and request that privacy practices be reviewed.
Physical access to the ENS system is limited to appropriate personnel through applicable physical security requirements of the agency.
FMCSA performed a Risk Assessment (RA) during the development of the system and found the Ashburn, Virginia facility provides acceptable security for the system. FMCSA will continue to support the administration of the system during the implementation phase by performing vulnerability scans against ENS on an as-needed basis. The results of these vulnerability scans will provide a level of assurance that selected security controls (identified during the RA) are operating as intended and are effective in minimizing operating risk to ENS. Scan results will also provide FMCSA with the confidence that security patches are effectively applied for all relevant software.
Personnel with access to ENS receive yearly training that includes some privacy direction. All users receive customized Terms and Conditions of Use and/or Rules of Behavior that describe privacy responsibilities.
ENS is not a system of records subject to the Privacy Act, 5 USC 552a, because records are not normally retrieved by name or unique ID of an individual. ENS is intended to be a pointer system that directs the carrier to conviction information of specific drivers employed by that carrier. The carrier cannot know the identity of the affected driver until it accesses the information. The information is not retained in the system if the carrier does not access it.