Policy Document

You are here

PIA - Individual Physical Access Control Systems (PACS) and the Alaska Regional Facility Security System (ARFSS)

DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
 

  Privacy Impact Assessment
  Individual Physical Access Control Systems (PACS)
and
the Alaska Regional Facility Security System (ARFSS)

August 3, 2009

TABLE OF CONTENTS

System Overview
Personally Identifiable Information (PII) in PACS AND ARFSS
Why PACS AND ARFSS Collects Information
Legal Authority for Information Collection
How PACS AND ARFSS Uses Information
How PACS AND ARFSS Shares Information
How PACS AND ARFSS Provides Notice and Consent
How PACS AND ARFSS Ensures Data Accuracy
How PACS AND ARFSS Provides Redress
How PACS AND ARFSS Secures Information
How Long PACS AND ARFSS Retains Information
System of Records

System Overview

The Federal Aviation Administration (FAA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs and is responsible for providing the safest, most efficient aerospace system in the world. The FAA is responsible for:

  • Regulating civil aviation to promote safety; 
  • Encouraging and developing civil aeronautics, including new aviation technology; 
  • Developing and operating a system of air traffic control and navigation for both civil and military aircraft; 
  • Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and 
  • Regulating U.S. commercial space transportation.. 

One of the initiatives that helps the FAA meet these responsibilities is the Facility Security Risk Management (FSRM) Program, which provides security-related structural improvements, and electronic systems that protect buildings, information systems, and personnel. The FSRM Program is managed by the FAA's Air Traffic Facilities, Infrastructure and Security Service Group, Facility Security Team.  

An important element of the FSRM Program is the Physical Access Control System and the Alaska Regional Facility Security System (ARFSS). The PACS and ARFSS provide an electronic security system that supports access control for all persons seeking to enter FAA buildings and restricted space. In Alaska the system is called the Alaska Regional Facility Security System (ARFSS). Whenever employees, long-term contractors and frequent visitors use their FAA identification badge, PACS and ARFSS links the person's identity (name only) to an account number that is in turn tied to access authorizations. The individual is granted or denied access to rooms or buildings based upon those authorizations. 

Personally Identifiable Information (PII) in PACS AND ARFSS

PACS and ARFSS contain PII pertaining to employees, contractors, and visitors. PII is loaded into PACS and ARFSS for employees, long-term contractors, and frequent visitors using name and image data from within the FAA Investigations Tracking System (ITS). An ITS record is created when an employee, contractor, or frequent visitor applies for and receives a long-term DOT/FAA ID card. Once the application is approved and the card is issued, the name of the individual and the photograph that is captured for the DOT/FAA ID card are manually copied into PACS and ARFSS, after which the card will be assigned corresponding access authorization for facility access. No other PII is sent to PACS and ARFSS.

For short-term contractors and infrequent visitors, who receive a temporary visitor ID card or badge instead of a FAA-issued ID badge, the security guard verifies the individual's name from any local, State, or Federal government-issued ID card and enters it into a hand-written visitor log as a record of the visit.  

Why PACS AND ARFSS Collects Information

PACS and ARFSS collects PII in order to help FAA manage individuals access to FAA buildings and secured space and meet its responsibility to secure FAA personnel, facilities, and systems throughout the country.

Legal Authority for Information Collection

The Homeland Security Act of 2002 (Public Law 107-296), dated November 25, 2002.

How PACS AND ARFSS Uses Information

When accessing a facility or restricted room, FAA employees, long-term contractors, and frequent visitors are required to present the FAA ID card, also called a smartcard, to a card reader, which reads a unique card number and provides the card holder access to groups of buildings and doors in accordance with the corresponding permissions.

How PACS AND ARFSS Shares Information

PACS and ARFSS does not share information. If an investigation requires user information, records are manually downloaded.

How PACS AND ARFSS Provides Notice and Consent

A notice regarding PII is provided to all individuals accessing FAA facilities through the following applicable Privacy Act System of Records Notices: DOT/ALL 9 - Identification Media Record Systems and DOT/FAA 815 - Investigative Record System.

How PACS AND ARFSS Ensures Data Accuracy

Names and photographs used by PACS and ARFSS are copied; records are assumed to be accurate unless users notify the person issuing the ID media, or unless the issuing official discovers a discrepancy.  

Under the provisions of the Privacy Act, individuals may request searches of the PACS AND ARFSS file to determine if any records have been added that may pertain to them. This is accomplished by sending a written request directly to the PACS AND ARFSS program office that contains name, authentication information, and information regarding the request. The FAA does not allow access through either the Internet or Intranet to the information stored in the PACS AND ARFSS. 

How PACS AND ARFSS Provides Redress

As provided for by the Privacy Act System of Records Notices DOT/ALL 9 - Identification Media Record Systems and DOT/FAA 815 Investigative Record System, individuals with questions about privacy and PACS and ARFSS, including the redress process, may contact FAA directly, where PACS and ARFSS system resides, at:

   The Facility Security Risk Management Program (FSRM)
   Attn: Program Manager
   950 L' Enfant Plaza South
   Room 125
   Washington, DC 20024  

The posted privacy policy on the FAA Web site also provides contact information for the FAA's Privacy Officer.

How PACS AND ARFSS Secures Information

PACS and ARFSS is protected through managing access to the system by controlling which computers can connect and which individuals using those computers can access any PACS and ARFSS data. Interconnected or web-enabled PACS and ARFSS are also certified and accredited to ensure the protection of system information in accordance with FAA Order 1370.82. Further, regular audits of internal PACS and ARFSS activities track actions even by authorized users, to reveal if such persons are accessing data inappropriately. FAA controls access privileges according to the following roles:

  • System Administrator
  • Operators
  • Monitors/Dispatchers

The matrix below describes the levels of access and safeguards around each of these roles as they pertain to PII.

Role Access Safeguards
Sys Admin
  • Unrestricted access to system data in order to ensure system operations; no capability to alter system administration activity records
  • The Sys Admin is capable of collecting records of access to specific spaces or general access movement by specific persons, upon request by higher authority
  • Access and change access authorization for all persons
  • User-set user name and password
  • Account set-up approved by User (Level 2) and Administrator (Level 1)
  • Passwords expire after a set period
  • Minimum length of passwords is 8 characters
  • Passwords must be combination of alpha/numeric/special characters
  • Accounts are locked after a set number of incorrect log-in attempts
  • All system administration activity is stored for audit
Operator
  • Adjust local access control levels, cameras, alarm sensor modes (auditable activities)
  • Download and export segments of video without altering video archives
  • Acknowledge alarms
  • User-set user name and password
  • Account set-up approved by Site Administrator (Level 1)
  • Passwords expire after a set period
  • Minimum length of passwords is 8 characters
  • Passwords must be combination of alpha/numeric/special characters
  • Accounts are locked after a set number of incorrect log-in attempts
Monitor/Dispatcher
  • Search and view user names and profile information
  • Suspend user access authorization profiles (without viewing full profile information)
  • Acknowledge alarms
  • View, search, export alarm data and video segments
  • User-set user name and password
  • Account set-up approved by facility management, conducted by a system administrator
  • Passwords expire after a set period
  • Minimum length of passwords is 8 characters
  • Passwords must be combination of alpha/numeric/special characters
  • Accounts are locked after a set number of incorrect log-in attempts
  • Must access system from limited number of computers, which also have user name/password access controls

How Long PACS AND ARFSS Retains Information

PACS and ARFSS keep records of access for as long as thirty (30) days. Generally, after thirty (30) days, if no alarm or investigation is triggered, data is recorded over and permanently destroyed. If an alarm or investigation is triggered, associated PACS and ARFSS user data recorded at the time of the event is stored in the system's archives. Such archived data is held in PACS and ARFSS for up to three years. Copies of archived data may be exported to law enforcement or DOT or FAA investigative personnel, at which time it is no longer under the control of PACS and ARFSS personnel.

System of Records

PACS and ARFSS is a system of records subject to the Privacy Act, because it is routinely searched by name. The following system of records notices cover the activity of the PACS and ARFSS: DOT/ALL 9 - Identification Media Record Systems and DOT/FAA 815 - Investigative Record System.

Updated: Thursday, April 11, 2013