DEPARTMENT OF TRANSPORTATION
Departmental Office of Civil Rights
PRIVACY IMPACT ASSESSMENT
OnLine Accommodation Tracking System (OATS)
August 15, 2009
The Departmental Office of Civil Rights, Office of the Secretary, Transportation, will be responsible for the system, which will be used by all of the modes in DOT.
The purpose of this system is to track reasonable accommodation requests submitted by DOT employees and applicants. The system enforces compliance with Executive Order 13164 and Equal Employment Opportunity Commission (EEOC) guidance. DOT is required to collect information on accommodation requests and report annually whether requested accommodations were provided or denied within the allowable time frame (a maximum of 25 business days). The system will assist all decision makers in ensuring that a decision is made and the accommodation is provided within the time frame allowed. Access to the system is controlled by user credentials maintained in a secure database. All personally identifiable information maintained in the system is encrypted via AES technology. The system uses Secure Socket Layer to ensure secure data transmission over the internet.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and OST will have the information, tools and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing OST to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following steps:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the WCIS system to ensure that privacy risks are identified, addressed and documented.
- Organize the resources necessary for the project's goals. Internal OST resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing OST to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the OST project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made, if necessary.
Information, Including Personally-Identifiable Information (PII), in OATS
OATS contains both PII and non-PII. The PII will apply to applicants and employees who make accommodation requests as well as the decision makers who process the requests. The information will include for the applicants: name, address, phone number, type of accommodation requested, and reason for the request. For employees the system will track: the employee's name, email address, office, job series, pay grade, type of accommodation requested, reason for the request, a summary of any discussion of the request, whether medical documentation was requested, whether it was provided, and the outcome of the request (approved, denied, or if an interim accommodation was provided). The name, contact information, job title, and office of the decision maker will be recorded.
Why OATS Collects Information
This system collects information necessary to comply with Executive Order (EO) 13164 and EEOC Policy Guidance No. 915-002: Establishing Procedures to Facilitate the Provision of Reasonable Accommodation, which requires agencies to track information on requests and to strive to meet the timeframe established by the agency. For DOT, the processing time frame is 25 business days. The information collected by the system meets the requirements of the EO and EEOC guidelines. The agency must analyze the information collected to ensure that requests are processed appropriately and timely. EEOC has set a standard that 90% of requests be processed within the time limit; DOT must report annually whether it has met the standard.
Legal Authority for Information Collection
Executive Order 13164, issued July 26, 2000, requires that DOT utilize a system of recordkeeping that tracks the processing of requests for reasonable accommodation. EEOC's Policy Guidance on Executive Order 13164: Establishing Procedures to Facilitate the Provision of Reasonable Accommodation issued October 20, 2000, lists the data elements which must be captured.
How OATS Uses Information
These records may be used:
- To disclose pertinent information to appropriate Federal, State, local, or foreign agencies responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order, or license, where the disclosing agency becomes aware of a potential violation of civil or criminal law or regulations.
- To disclose information to a Federal, State, or local agency, maintaining civil, criminal or other relevant enforcement information or other pertinent information, which has requested information relevant to or necessary to the requesting agency's or the bureau's hiring or retention of an individual, or issuance of a security clearance, license, contract, grant or other benefit.
- To provide information to the Department of Justice for the purpose of litigating an action or seeking legal advice. Disclosure may be made during judicial processes.
- To disclose information in a proceeding before a court, adjudicative body, or other administrative body before which the agency is authorized to appear when (a) the agency, (b) any employee of the agency in his or her official capacity, (c) any employee of the agency in his or her individual capacity where the Department of Justice or the agency has agreed to represent the employee, or (d) the United States, when the agency determines that litigation is likely to affect the agency, is a party to litigation or has an interest in such litigation, and the use of such records by the agency is deemed to be relevant and necessary to the litigation or administrative proceeding and not otherwise privileged.
- To provide information to officials of labor organizations recognized under 5 U.S.C. chapter 71 when relevant and necessary to their duties of exclusive representation.
- To provide information to third parties during the course of an investigation to the extent necessary to obtain information.
- To disclose information to the news media and the public, in accordance with guidelines contained in 28 CFR 50.2 in the same manner as permitted for Department of Justice officials, unless release would constitute an unwarranted invasion of personal privacy.
- To disclose information to a contractor to the extent necessary for the performance of a contract.
- To disclose information to an arbitrator, mediator, or similar person, and to the parties, in the context of alternative dispute resolution, to the extent relevant and necessary to permit the arbitrator, mediator, or similar person to resolve the matters presented, including asserted privileges.
- To disclose information to the Merit Systems Protection Board and the Office of Special Counsel in personnel, discrimination, and labor management matters when relevant and necessary to their duties.
- To disclose information to foreign governments in accordance with formal or informal international agreements when necessary to respond to a request for reasonable accommodation.
- To disclose information to the Office of Personnel Management and/or to the Equal Employment Opportunity Commission in personnel, discrimination, and labor management matters when relevant and necessary to their duties.
Other possible routine uses of the information, applicable to all DOT systems, are published in the Federal Register at 65 F.R. 19476 (April 11, 2000), under Prefatory Statement of General Routine Uses.
How OATS Shares Information
Specific information collected by OATS will be shared with individuals outside of DOT only if it becomes the subject of an EEO complaint that is not settled before it goes to the courts or EEOC. The OATS record then becomes part of the discovery process. Aside from EEO complaint usage, the only information that will be reported is an affirmative or negative response to the annual question on whether 90% of requests were met timely. All reports created by OATS are for internal use to ensure that accommodations are provided in a timely manner, that the response is not impacted by the requestor's pay level, that the interactive process is conducted and recorded, and that medical information is requested only when necessary. Other possible routine uses of the information, applicable to all DOT systems, are published in the Federal Register at 65 F.R. 19476 (April 11, 2000), under Prefatory Statement of Routine Uses.
How OATS Provides Notice and Consent
The system does not collect any information that is not already collected in order to process reasonable accommodation requests; it simply records it in an automated system. Any employee requesting accommodation is acquiescing to the collection of this information. Medical records are not stored in the system.
How OATS Ensures Data Accuracy
Supervisors enter the information for employees who request accommodation in order to perform their job or to enjoy the benefits and privileges of employment. Human resources staff enters the information for applicants who request accommodation for the application and/or interview process. Accommodation requests may be made in any form; for example, the request may be verbal, by e-mail communication, or in a letter.
Employees will not have access to the system, but will receive an email confirmation of their request. Applicants who provide an email will receive a similar confirmation. If no email address is provided by the applicant, the confirmation will be sent to their home address. The confirmation provides the applicant or employee with an opportunity to request corrections, if necessary. No documents will be scanned into OATS.
The system is designed to automatically calculate the number of business days from the date of the request to the date medical documentation (if necessary) is requested, and the number of business days from when the medical documentation was submitted to when the accommodation was provided or denied. This calculation is one of the most crucial benefits of the system. (If a supervisor discovers that s/he entered the wrong date, the OATS Administrator will be contacted to make the correction.) OATS Administrators and the system administrator will use the system to run aggregate reports. The review will be used to identify discrepancies, for example, in meeting time limits or if a large number of denials is reflected for a single organization.
How OATS Provides Redress
DOT provides Web site access to a privacy officer who addresses privacy concerns and questions.
Individuals wishing to know if their records appear in this system should direct their requests to Christy Compton, Departmental Office of Civil Rights, at 1200 New Jersey Avenue S.E., W78-308, Washington, D.C., 20590 or email@example.com.
How OATS Secures Information
Only designated, approved federal employees (supervisors, OA HR staff, OA system Administrators, and the DOCR system manager) will have access to this system, on a need-to-know basis. No supervisor will have access to another supervisor's records. The OATS Administrator for each Operating Administration (OA) will have access to all records in that OA, and the DOCR system manager will have access to all DOT records.
Data files are maintained in a secure government facility. All IT support staff and contractors are briefed on IT security requirements and associated responsibilities.
Federal staff with access to this system receive basic security training with some privacy components. These users also annually read and sign a Non-Disclosure Agreement containing privacy provisions and penalties for unauthorized disclosure of data. In addition to physical access, electronic access to PII is limited according to job function. DOT controls access privileges according to a documented roles matrix, with each individual receiving the minimum necessary access to PII and permissions. Many IT users receive read-only access to all or some of the data.
In addition, access to PII requires access to a secure site with complex password requirements. Password and account procedures comply with the following basic guidelines:
- Account holders are required to possess a valid DOT email address to use the system.
- All reasonable accommodation requests are protected through a Secure Socket Layer connection.
- Data fields containing the First Name, Last Name, Phone Number, and Email address of the requestor are encrypted in the database.
- Minimum length of passwords is eight characters.
- Passwords must be a combination of letters and numbers.
How Long Vendor Application Retains Information
The EEOC requires each agency to keep records related to a particular individual who has requested a reasonable accommodation for the duration of that individual's employment. These records would include any documentation of the individual's disability or need for reasonable accommodation, as well as information about the disposition of that individual's accommodation request. The EEOC also requires that agencies keep any cumulative records used to track the agency's performance with regard to reasonable accommodation for at least three years.
System of Records
Because OATS will contain PII and OATS records will be retrieved by name or personal identifier, OATS is a Privacy Act system of records. DOCR has certified and accredited this system in accordance with DOT requirements.