DEPARTMENT OF TRANSPORTATION
Surface Transportation Board
PRIVACY IMPACT ASSESSMENT
Case Management System (CASE)
September 21, 2005
Table of Contents
Overview of the Surface Transportation Board (STB) privacy management process for CASE
Personally identifiable information (PII) and CASE
Why CASE collects information
How CASE uses information
How CASE shares information
How CASE provides notice and consent
How CASE ensures data accuracy
How CASE provides redress
How CASE secures information
How long CASE retains information
System of records
The Surface Transportation Board (STB) is an economic regulatory agency that Congress charged with the fundamental missions of resolving railroad rate and service disputes and reviewing proposed railroad mergers. The STB serves as both an adjudicatory and a regulatory body. The agency has jurisdiction over railroad rate and service issues and rail restructuring transactions (mergers, line sales, line construction, and line abandonments); certain trucking company, moving van, and non-contiguous ocean shipping company rate matters; certain intercity passenger bus company structure, financial, and operational matters; and rates and services of certain pipelines not regulated by the Federal Energy Regulatory Commission.
One set of activities that supports this mission is to hear and decide application and petition cases referred to as dockets. The Case Management System (CASE) helps STB manage the flow of dockets brought before STB. To do this, CASE records and tracks:
- A filed application or petition, including information on who filed the application or petition, when it was filed, and to whom the case is assigned.
- Statutory and internal deadlines for processing.
- Pertinent filings in each docket.
- All other decisions and notices of the STB in each docket.
In addition, CASE allows STB to meet requirements to display through a public Web site information on applicants, petitioners, and other parties to a docket, as well as the filings, decisions, and notices in the docket and correspondence related to environmental issues.
Privacy management is an integral part of the CASE system. DOT/STB has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies. In addition, the CASE planning team includes participation by STB's Privacy Officer. This individual is assisting the CASE team in considering all the fair information practices and applicable laws when making decisions that may affect privacy.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that the Department of Transportation (DOT) and STB will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing STB to achieve its mission of regulating and enhancing a most important U.S. transportation system. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. Interviewing key individuals involved in the CASE system to ensure that privacy risks are identified and documented.
- Organize the resources necessary for the project's goals. Internal DOT/STB resources, along with outside experts, review the technology, data uses, and associated risks. They also develop the necessary procedures and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing DOT/STB to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the STB project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect the current work environment. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves developing and implementing effective redress procedures and audit systems to ensure that complaints are effectively addressed and corrections made when necessary.
CASE collects and maintains personal information of all persons who file applications, petitions, and other filings in a docket, which may include name, email address, postal address, affiliation/group or person or persons represented, phone number, and in some cases Bar number of attorneys. In order to make an initial filing in a docket, an individual must provide, along with the filing, the above information and either fax (faxes must be followed up by delivery of the originals), mail, or hand deliver the hard copy to STB, along with payment for the filing, if applicable. At that point, CASE data entry staff enter the data into CASE. For all filings other than the initial filing, commenters and parties to a docket may register online through STB's public Web site and submit their comments and filings electronically. Alternatively, if the commenters and parties prefer, filings and comments subsequent to the initial filing may be presented to the STB by mail or in person. All submitters must provide the same personal information, which is stored and accessed through CASE. In addition, the submitter, if filing electronically, must create a user name and password to access information and submit filings. CASE maintains these passwords and IDs, and it associates this information with the individual in question. For an individual's PII to be included in CASE, that individual must be involved in a docket before STB. When an individual chooses to become part of this process, his or her personal information is considered public information and is shared within and outside of STB without additional authorization.
STB has responsibility for handling the docket process in a way dictated by federal regulations. CASE collects personal information from parties involved in a docket in order to:
- Contact individuals with questions pertaining to a docket.
- Allow all docket participants to be able to contact one another and access the information in the docket.
STB staff assigned to a docket may use CASE to track and record docket activities, contact parties and their representatives, review information, and make public all necessary information.
Most of the PII in CASE is considered public information, and it is posted publicly on the STB Web site without restriction. In addition, STB provides public information related to cases to the public for a fee, on request and without restriction to use. The information may contain PII.
Personal information contained in CASE is provided by the individual in question. After PII is posted on the public Web site, any individual can view the personal data. If there are inaccuracies in the data, the individual can call or email the STB's Privacy Officer to request a change. Information on how to request changes to personal information is located on the STB Web page under FAQs/Administrative Inquiries/How do I report an error in the information displayed. An email may be sent directly to the STB Privacy Officer by choosing e-Filing/Information Quality Comments.
Under the Privacy Act, individuals may request searches of CASE data to determine if any records have been added that may pertain to them. This is accomplished by sending a written notarized request directly to the responsible CASE staff member(s) that contains name, designee number, and information regarding the request.
CASE takes appropriate security measures to safeguard PII and other sensitive data. CASE applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of STB employees and contractors.
In addition, access to logon and password information in CASE is limited to STB staff. These staff members access the CASE databases with the following safeguards:
- Passwords expire after a set period.
- Accounts are locked after a set period of inactivity.
- Minimum length of passwords is eight characters.
- Passwords must be a combination of letters and numbers.
- Accounts are locked after a set number of incorrect access attempts.
In order to provide historical information trends and in compliance with its Privacy Act System of Records notice, CASE keeps data permanently.
CASE is part of an existing system of records, ICC-V: Case Status System (Formal Case Control) subject to the Privacy Act, because it can be searched by name.
STB has certified and accredited the security of CASE in accordance with DOT standard requirements.