DEPARTMENT OF TRANSPORTATION
Office of the Secretary
PRIVACY IMPACT ASSESSMENT
Mail Out Management System II
May 11, 2006
TABLE OF CONTENTS
Overview of OST privacy management process for Mail Out Management System II
Personally-Identifiable Information (PII) and MOMS
Why MOMS Collects Information
How MOMS uses information
How MOMS Shares Information
How MOMS Provides Notice and Consent
How MOMS Ensures Data Accuracy
How MOMS Provides Redress
How MOMS Secures Information
How Long MOMS Retains Information
System of Records
The Office of the Secretary (OST), within the Department of Transportation (DOT), has been given the responsibility of formulating national transportation policy and promoting intermodal transportation. Other responsibilities include negotiation and implementation of international transportation agreements, assuring the fitness of U.S. airlines, enforcing airline consumer protection regulations, issuing regulations to prevent alcohol and illegal drug misuse in transportation systems, improving the security of the national transportation system, and preparing transportation legislation.
As part of its support function, DOT is responsible for providing information about its programs and initiatives to the public by disseminating mail correspondence. To help fulfill this responsibility, DOT uses the Mail Out Management System II (MOMS). MOMS is used by employees and contractors working on DOTs behalf to send outgoing mail associated with DOT operations to members of the public, and to other Federal agencies, who have requested certain information. Because of the personal information contained within the system, privacy management is an integral part of the MOMS. DOT has implemented a thorough privacy management program, utilizing proven technology, methodologies, and sound policies and procedures.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing DOT to achieve its mission of protecting and enhancing all U.S. civil transportation systems. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appoint a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involved interviews with key individuals involved in the MOMS system to ensure that all uses of Personally Identifiable Information (PII), along with the risks involved with such use, are identified and documented.
- Organize the resources necessary for the project's goals. Internal DOT resources, along with outside experts, are involved in reviewing the technology, data uses and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph immediately above work to develop an effective policy or policies, practices, and procedures to ensure that fair information practices are complied with. The policies effectively protect privacy while allowing DOT to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training of all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the DOT project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.
When members of the public make requests to receive one time or periodic mailings from DOT, personal information that is required to fulfill their request is collected and maintained in MOMS. This information includes name and mailing address, along with the publication(s) requested, in order to distribute requested materials through postal mail. MOMS does not always directly collect PII from individuals, rather Operating Administrations within DOT that have received requests from the public will compile mailing lists for their publications. These lists will be input into MOMS to facilitate the mailing process for a particular publication.
PII in MOMS may include name, mailing address, fax number, telephone number, and email address. Once this information has been entered into MOMS, it can be retrieved by a name-based search or by publication requests. Distribution clerks, system administrators, and system support personnel have access to the PII that is entered in MOMS. MOMS uses logon names and passwords to control access and contains the name and password of the DOT users with access to the system.
MOMS collects information in order to provide members of the public with information about DOT that they have requested either directly or through one of the DOT Operating Administrations, and to collect fees for those information items for which there is a fee. Logon names and passwords are retained in MOMS to administer the system and appropriately restrict access to the personal information.
PII in MOMS is used to generate lists of individuals who have requested to receive a certain publication. This list is used by DOT or contractors working on behalf of DOT to generate materials for the mailing, such as labels or envelopes. MOMS uses the logon names and passwords of each DOT user in order to grant those users access to the system.
Names and mailing addresses of individuals who have requested publications from DOT are shared with contractors working on behalf of DOT to administer the mailings. Mailing addresses are compared against United States Postal Service (USPS) databases to verify the accuracy of the address. The USPS does not retain any records that are compared against the databases.
MOMS is a system of records under the Privacy Act of 1974 and DOT may also share information from MOMS as allowable under the Act.
MOMS is a system of records under the Privacy Act of 1974 and has published a Privacy Act notice in the Federal Register under the system number DOT/ALL 16, Mailing Management System. Individuals who wish to receive mailings make requests by way of email, telephone, fax or postal mail in an unstructured format. DOT does not use the information in MOMS for any other purposes then to provide individuals with requested information by postal mail, and to collect fees for those information items for which there is a fee. Therefore, consent for secondary uses is not applicable.
Prior to sending a publication, the recipients' mailing addresses are compared with databases at the USPS to ensure those addresses are valid and accurate. Inaccurate and nonexistent addresses are removed from MOMS following this comparison. Individuals can contact DOT or the appropriate Operating Administration if they wish to change or update their address to continue receiving the mailings they requested.
Individuals can contact the Office of Public Affairs at DOT or the appropriate Operating Administration if they wish to change or update their address to continue receiving the mailings they requested. Individuals may also request to have their names removed from MOMS.
MOMS is housed at DOT Headquarters in Washington, DC. Personnel with access to the building have undergone DOT background checks.
Electronic access to the system is limited to those individuals in the Office of Information Services who either administer the system or participate in the distribution process for DOT publications.
DOT controls access privileges through the following roles:
- System Administrator
- System Support Personnel
The following matrix describes the privileges and safeguards around each of these roles as they pertain to PII.
|System Support Personnel||
PII in MOMS is protected by DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of DOT employees and contractors. The system has been certified and accredited in accordance with DOT requirements.
MOMS retains PII for as long as the individual is designated as a recipient of DOT publications and the address provided continues to be valid. Individual requests for removal from the system will be fulfilled in a timely manner.
MOMS contains information that is part of existing System of Records subject to the Privacy Act, because it is searched by an individual's name. The System of Records Notice can be found in the Federal Register under the system number DOT/ALL 16 Mailing Management System. MOMS has been certified and accredited in accordance with DOT information technology security standard requirements.