DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
Privacy Impact Assessment
Individual Physical Access Control Systems (PACS)
the Alaska Regional Facility Security System (ARFSS)
August 3, 2009
TABLE OF CONTENTS
Personally Identifiable Information (PII) in PACS AND ARFSS
Why PACS AND ARFSS Collects Information
Legal Authority for Information Collection
How PACS AND ARFSS Uses Information
How PACS AND ARFSS Shares Information
How PACS AND ARFSS Provides Notice and Consent
How PACS AND ARFSS Ensures Data Accuracy
How PACS AND ARFSS Provides Redress
How PACS AND ARFSS Secures Information
How Long PACS AND ARFSS Retains Information
System of Records
The Federal Aviation Administration (FAA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs and is responsible for providing the safest, most efficient aerospace system in the world. The FAA is responsible for:
- Regulating civil aviation to promote safety;
- Encouraging and developing civil aeronautics, including new aviation technology;
- Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
- Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
- Regulating U.S. commercial space transportation..
One of the initiatives that helps the FAA meet these responsibilities is the Facility Security Risk Management (FSRM) Program, which provides security-related structural improvements, and electronic systems that protect buildings, information systems, and personnel. The FSRM Program is managed by the FAA's Air Traffic Facilities, Infrastructure and Security Service Group, Facility Security Team.
An important element of the FSRM Program is the Physical Access Control System and the Alaska Regional Facility Security System (ARFSS). The PACS and ARFSS provide an electronic security system that supports access control for all persons seeking to enter FAA buildings and restricted space. In Alaska the system is called the Alaska Regional Facility Security System (ARFSS). Whenever employees, long-term contractors and frequent visitors use their FAA identification badge, PACS and ARFSS links the person's identity (name only) to an account number that is in turn tied to access authorizations. The individual is granted or denied access to rooms or buildings based upon those authorizations.
PACS and ARFSS contain PII pertaining to employees, contractors, and visitors. PII is loaded into PACS and ARFSS for employees, long-term contractors, and frequent visitors using name and image data from within the FAA Investigations Tracking System (ITS). An ITS record is created when an employee, contractor, or frequent visitor applies for and receives a long-term DOT/FAA ID card. Once the application is approved and the card is issued, the name of the individual and the photograph that is captured for the DOT/FAA ID card are manually copied into PACS and ARFSS, after which the card will be assigned corresponding access authorization for facility access. No other PII is sent to PACS and ARFSS.
For short-term contractors and infrequent visitors, who receive a temporary visitor ID card or badge instead of a FAA-issued ID badge, the security guard verifies the individual's name from any local, State, or Federal government-issued ID card and enters it into a hand-written visitor log as a record of the visit.
PACS and ARFSS collects PII in order to help FAA manage individuals access to FAA buildings and secured space and meet its responsibility to secure FAA personnel, facilities, and systems throughout the country.
The Homeland Security Act of 2002 (Public Law 107-296), dated November 25, 2002.
When accessing a facility or restricted room, FAA employees, long-term contractors, and frequent visitors are required to present the FAA ID card, also called a smartcard, to a card reader, which reads a unique card number and provides the card holder access to groups of buildings and doors in accordance with the corresponding permissions.
PACS and ARFSS does not share information. If an investigation requires user information, records are manually downloaded.
A notice regarding PII is provided to all individuals accessing FAA facilities through the following applicable Privacy Act System of Records Notices: DOT/ALL 9 - Identification Media Record Systems and DOT/FAA 815 - Investigative Record System.
Names and photographs used by PACS and ARFSS are copied; records are assumed to be accurate unless users notify the person issuing the ID media, or unless the issuing official discovers a discrepancy.
Under the provisions of the Privacy Act, individuals may request searches of the PACS AND ARFSS file to determine if any records have been added that may pertain to them. This is accomplished by sending a written request directly to the PACS AND ARFSS program office that contains name, authentication information, and information regarding the request. The FAA does not allow access through either the Internet or Intranet to the information stored in the PACS AND ARFSS.
As provided for by the Privacy Act System of Records Notices DOT/ALL 9 - Identification Media Record Systems and DOT/FAA 815 Investigative Record System, individuals with questions about privacy and PACS and ARFSS, including the redress process, may contact FAA directly, where PACS and ARFSS system resides, at:
The Facility Security Risk Management Program (FSRM)
Attn: Program Manager
950 L' Enfant Plaza South
Washington, DC 20024
PACS and ARFSS is protected through managing access to the system by controlling which computers can connect and which individuals using those computers can access any PACS and ARFSS data. Interconnected or web-enabled PACS and ARFSS are also certified and accredited to ensure the protection of system information in accordance with FAA Order 1370.82. Further, regular audits of internal PACS and ARFSS activities track actions even by authorized users, to reveal if such persons are accessing data inappropriately. FAA controls access privileges according to the following roles:
- System Administrator
The matrix below describes the levels of access and safeguards around each of these roles as they pertain to PII.
PACS and ARFSS keep records of access for as long as thirty (30) days. Generally, after thirty (30) days, if no alarm or investigation is triggered, data is recorded over and permanently destroyed. If an alarm or investigation is triggered, associated PACS and ARFSS user data recorded at the time of the event is stored in the system's archives. Such archived data is held in PACS and ARFSS for up to three years. Copies of archived data may be exported to law enforcement or DOT or FAA investigative personnel, at which time it is no longer under the control of PACS and ARFSS personnel.
PACS and ARFSS is a system of records subject to the Privacy Act, because it is routinely searched by name. The following system of records notices cover the activity of the PACS and ARFSS: DOT/ALL 9 - Identification Media Record Systems and DOT/FAA 815 - Investigative Record System.