DEPARTMENT OF TRANSPORTATION
Office of the Secretary of Transportation (OST)
PRIVACY IMPACT ASSESSMENT
Third-Party Web Sites and Applications (STD-TP-WEB)
November 11, 2010
TABLE OF CONTENTS
Overview of DOT privacy management process for STD-TP-WEB
Personally-identifiable information and STD-TP-WEB
Why STD-TP-WEB collects information
How STD-TP-WEB uses information
How STD-TP-WEB shares information
How STD-TP-WEB provides notice and consent
How STD-TP-WEB ensures data accuracy
How STD-TP-WEB provides redress
How STD-TP-WEB secures information
How long STD-TP-WEB retains information
Whether STD-TP-WEB is a Privacy Act system of records
Within the Department of Transportation (DOT), DOT's Office of Chief Information Officer (OCIO), within the Office of the Secretary of Transportation (OST), is responsible for leading DOT's compliance with the Open Government Directive issued by the Office of Management and Budget on December 8, 2009 (OMB Memorandum M-10-06). OCIO and other OST offices (principally, the Office of Public Affairs (OPA) and the Office of General Counsel (OGC)) provide technical, programmatic and legal support for DOT-wide compliance with the Open Government Directive. OMB's Open Government Directive requires agencies to take specific actions to implement the principles of transparency, participation, and collaboration as set forth in the President's Memorandum on Transparency and Open Government, issued January 21, 2009.
As part of its support function for Open Government, OCIO issued policies (DOT Order 1351.24 "Departmental Web Policy" and DOT Order 1351.33 "Departmental Web-Based Interactive Technologies Policy") regarding use of third-party web sites and applications. These policies permit DOT public engagement and public affairs offices and Information Technology (IT) support personnel to use third-party web sites and applications (i.e., "non-.gov" sites, such as Facebook, YouTube and Twitter) to provide information and services to the public and to provide social media tools (such as blogs) for members of the public to use to engage with DOT regarding DOT programs. On a "non-.gov" site, the third party that operates the site collects certain mandatory information about users of the site as necessary to operate the social media tools (for example, to register or enroll users to submit comments to the site or to receive information alerts from the site). The third party may also solicit and collect optional information about users of the site for the third party's own commercial purposes. The mandatory and optional information collected by the third party could include personally identifiable information (PII) about individual users. The third party could make some of this PII publicly available to other users of the site (for example, a user's personal email address may appear on the site if the user is using it as his or her public ID; "friending" may reveal some of the user's personal profile information to the user who is "friended"). In addition, individual members of the public may include other PII in their public interactions with the site (such as, by including PII in comments they submit to the site).
While the Open Government Directive encourages agencies to interact with the public, the Privacy Act of 1974 (5 U.S.C. 552a(e)(1)) prohibits agencies from collecting more than the minimum PII necessary to accomplish a purpose of the agency required by statute or Executive Order. OMB Memorandum M-10-23 "Guidance for Agency Use of Third-Party Websites and Applications" requires that a Privacy Impact Assessment (PIA) be conducted whenever an agency's use of a third-party website or application "makes PII available" to the agency. The OMB Memorandum permits an agency to cover multiple, functionally comparable third-party websites and applications in a single PIA.
This standard PIA covers conservative DOT uses of third-party web sites and applications to interact with the public, which will not involve collection of PII by DOT; it addresses how DOT will avoid capturing and using any PII that is made available to DOT when DOT uses third-party web sites and applications with no intention to collect and use PII. If a DOT office's use of a third-party web site or application will involve collection of PII by DOT, or will otherwise implicate privacy risks that are different from those described in this standard PIA, that office must prepare a PIA exclusively for its particular use of a third-party site to interact with the public. Any DOT use of a third-party web site or application must comply fully with DOT Order 1351.24 "Departmental Web Policy" and DOT Order 1351.33 "Departmental Web-Based Interactive Technologies Policy."
DOT's standard use of a third-party web site or application to interact with the public does not involve collection of PII by DOT. The types of PII that are likely to be made available by the third party to DOT when users interact with the site (such as, when a user submits comments to the site or "friends" DOT), are:
- Certain profile information collected by the third party about users who register to use any of the social media tools.
- In general, third-party sites require users to provide a valid e-mail address in order to access the services they provide and interact with other users of the site, including DOT. Users are identified on the third-party site by their email address or by an alias, if the third party operating the site offers users the option to be identified by an alias.
- Third-party sites may also collect optional information from users. This optional information can include, but is not limited to: name, hometown, current residence, age, date of birth, sex, religion, and an identifying photograph or picture. A user's optional information may be displayed to DOT when the user "friends," "follows," "subscribes to" or otherwise interacts with an official DOT profile on the third-party site.
- Any PII that users include in comments they submit to the site (e.g., personal contact information and descriptive personal details, which can be associated with a particular individual). DOT's Citizen Conduct Policy and DOT's Privacy Notice (available on or via a link from the third-party site) discourage disclosure of PII when providing feedback to DOT through the third-party site.
To the extent that the third-party web site or application makes PII available to DOT, DOT avoids capturing and using the PII, as follows:
- When DOT interacts with the site, DOT avoids taking note of any PII made available to DOT on the web site or application.
- DOT redacts any PII from the periodic screenshots of the site that DOT creates, before using the screenshots for any official agency purpose, so that the informational content in the official recordkeeping copy of the screenshot cannot be associated with any particular individuals.
- If the site includes a blog, DOT moderates the blog (screens comments before they are posted to the site) and redacts any PII from comments before they are posted.
Examples of PII that DOT redacts and does not use or take note of include but are not limited to: email addresses that do not end in .mil or .gov; names of individuals who are representing themselves in a personal capacity as opposed to representing entities or otherwise acting in a business capacity; and descriptive personal details about an individual that have no utility to DOT and that could enable the individual to be identified from context.
DOT does not collect PII as a result of its standard use of a third-party web site or application to interact with the public. DOT avoids capturing and using any PII that is made available to DOT in interacting with the site, as described in the previous section.
On-line interaction: Only designated DOT personnel working in the public engagement or public affairs office that sponsors use of the third-party web site or application, and IT support personnel, are authorized to interact with the third-party site on behalf of DOT. Their interaction with the third-party site is limited to:
- posting information for public review and providing the opportunity for public feedback;
- periodically reviewing public feedback online, without taking note of any PII made available to DOT on the web site or application;
- periodically responding to public feedback online, as DOT deems appropriate; and
- periodically creating screenshots of the web site.
Web site content records: Designated DOT personnel in the sponsoring office, and IT support personnel, redact PII from the web site screenshots before the screenshots are used for official agency purposes. DOT uses the screenshots for the following purposes:
- to document any unique DOT content that results from DOT's use of the third-party web site or application; and
- to document and consider any useful feedback received from the public for agency purposes, as DOT deems appropriate (such as, by considering the public's feedback in formulating policy recommendations).
Web site management and operations records: DOT's web site management and operations records do not contain PII. DOT maintains a roster of the usernames and passwords for the DOT account owners who are authorized to interact with the third-party site, but since those account owners interact with the site in an official capacity on behalf of DOT, their usernames and passwords are not PII. The third party operating the site maintains the account registration records (mandatory and optional profile information, including PII) about members of the public who register to use the social media tools offered on the site. The third party maintains the account registration records for its own use in operating the social media tools, not for use by DOT. DOT does not have access to those records.
Web measurement and customization (cookies) records: Any cookies that are set to analyze users' interactions with the site are set by the third party that operates the site, for its own use, not for use by DOT. DOT does not have access to the records.
DOT does not collect and therefore does not share with any non-DOT parties any PII that is made available to DOT through DOT's standard use of a third-party web site or application. The PII is made available by users of the site; users provide it to the third party that operates the site, who may display some of it to DOT when users interact with DOT on the site (e.g., when a user submits comments to the site or "friends" DOT).
DOT does not provide notice and consent to individuals regarding DOT's use of any PII about them that is made available to DOT through DOT's standard use of a third-party web site or application, because DOT does not collect or use the PII. However, DOT takes the following actions to inform users of the collection and use of their PII by the third party operating the site, as required by OMB Memorandum M-10-23 "Guidance for Agency Use of Third-Party Websites and Applications:"
- DOT posts a DOT Privacy Notice on the site (or provides a link to it from the site) warning members of the public that:
- DOT will not maintain, use or share PII that becomes available through DOT's use of the third party web site or application, as more fully explained in DOT's standard PIA for Third-Party Websites and Applications (i.e., this PIA for STD-TP-WEB).
- By using the web site or application to communicate with DOT, individuals may be providing nongovernment third parties access to PII.
- Individuals should use the alternative mechanism(s) (e.g., DOT email address) provided on the official DOT ".gov" web site to communicate with DOT, if the communications will include PII.
Any PII made available to DOT through its use of a third-party web site or application to interact with the public is submitted directly by a member of the public, who is responsible for its accuracy. DOT does not attempt to ensure the accuracy of any such PII, because DOT does not collect it or use it.
Any member of the public seeking removal or correction of PII posted to a third-party web site or application used by DOT to interact with the public must contact the third party operating the site (e.g., FaceBook, YouTube, Twitter).
Web site content records: DOT secures any PII appearing in the periodic screenshots that DOT creates for records management purposes, even though such PII was public on the site, as follows:
- If DOT captures the screenshots electronically, DOT secures them with encryption pending redaction. DOT deletes any unredacted screenshots that remain after creating redacted versions.
- If DOT captures the screenshots by printing them, DOT secures the printouts by storing them in a locked file cabinet or other secured container or secured area pending redaction. DOT shreds any unredacted printouts that remain after creating redacted versions, using a cross-cut shredder.
- Only designated DOT personnel in the office that sponsors use of the third-party web site or application, and IT support personnel, handle the screenshots pending and during redaction.
- To minimize PII appearing in screenshots, requiring redaction, DOT's Privacy Notice and DOT's Citizen Conduct Policy (available on or via a link from the third-party site) warn visitors to use the alternative mechanism(s) (e.g., DOT email address) provided on the designated official DOT .gov web site to communicate with DOT, if the communication will include PII.
Web site management and operations records: There is no PII in the roster of official DOT account owners and associated usernames and passwords. DOT secures the roster and requires official account owners to change their passwords on the third-party site every 90 days, to ensure that only authorized DOT personnel are able to interact with the site on behalf of DOT (not because the roster is considered PII). If the roster is maintained electronically, DOT maintains the roster in an encrypted, password-protected database accessed by the sponsoring office and IT support personnel. If the roster is kept in hard-copy, it is locked in a secure location accessed by the sponsoring office and IT support personnel.
Web site content records: Screenshots are periodically printed in hard copy or captured electronically, as necessary to document unique DOT content resulting from DOT's use of the third-party web site or application to interact with the public. The screenshots are promptly redacted to remove any PII, even though the PII was public on the site. Unredacted screenshots are promptly deleted or shredded after creating redacted versions. The official recordkeeping copies are destroyed one year after completion of the information project for which the third-party web site was used, unless the National Archives and Records Administration (NARA) determines that they warrant permanent retention in the National Archives. The applicable disposition authority is General Records Schedule 14, Item 4.
Web site management and operations record: Entries to the roster of official DOT account owners and associated usernames and passwords are updated consistent with access approvals granted by DOT's Office of Public Affairs and Office of General Counsel. The roster is destroyed when no longer needed; i.e., when DOT discontinues use of the third-party web site. The applicable disposition authority is General Records Schedule 24, Item 6b.
DOT's "standard" use of a third-party web site or application to interact with the public does not create a new Privacy Act system of records or modify an existing Privacy Act system of records. No PII is contained in the records, so no PII is retrieved by name or other personal identifier.
1 - All official DOT ".gov" sites should be distinguishable from third-party "non-.gov" sites based on the URL alone. DOT's "Fast Lane" blog is an anomaly; it displays the URL http://fastlane.dot.gov, but it is a "non-.gov" site, operated by a third party, as disclosed by the statement "Powered by TypePad."