DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
Office of Financial Services
PRIVACY IMPACT ASSESSMENT
July 2010
The Federal Aviation Act of 1958 gives the Federal Aviation Administration (FAA) the responsibility to carry out safety programs to ensure the safest, most efficient aerospace system in the world. The FAA is responsible for:
RADS accesses and generates reports from an existing data warehouse that is populated by three FAA financial systems. The data includes PII associated with financial transactions between the following categories of individuals and FAA:
The PII data elements in RADS consist of:
RADS is not a source system as it does not collect PII from any parties; it simply provides centralized reporting functionality for an existing datastore. This single reporting control point helps ensure that access to sensitive data in the datastore is limited to immediate business needs.
5 U.S.C. 301; 49 U.S.C. 40101; 49 U.S.C. 40122(g)
RADS provides a centralized reporting functionality for an existing FAA financial datastore. RADS generates reports about financial transactions for use by FAA finance personnel and any contractors who assist them, on a “need to know” basis.
RADS reports are not shared with parties outside DOT, and parties outside DOT do not have access to RADS, except as described in the “Prefatory Statement of General Routine Uses” that DOT published in the Federal Register at 65 F.R. 19476 (April 11, 2000), which apply to all DOT systems.
Because RADS is not a source system and merely provides a reporting functionality from a datastore, RADS neither provides notice nor captures consent for the inclusion of an individual’s PII in its reporting. Any required notice and opportunity to consent are provided by the systems that collect the information.
As RADS only provides reporting and does not edit the actual data received, it has no ability to immediately ensure data accuracy. Any data accuracy issues would need to be corrected upstream within the source systems for which RADS provides reporting. The changes made in the datastore would then be reflected in the RADS reports.
Under the provisions of the Privacy Act, individuals may request searches of the RADS files to determine if any records have been added that may pertain to them.
Notification procedure: Individuals wishing to know if their records appear in RADS may inquire in person or in writing to the system manager for RADS:
Director of Financial Operations
800 Independence Ave. SW
Washington, D.C. 20591
(202) 267-8993
The request must include the requester’s name, mailing address, telephone number and/or email address, a description and, if possible, the location of the records requested, and verification of identity (such as a statement under penalty of perjury that the requester is the individual who he or she claims to be).
Contesting record procedures: Individuals wanting to contest information about themselves that is contained in the DLPS system should make their requests in writing, detailing the reasons why the records should be corrected. Requests should be submitted to the system manager identified above, under Notification Procedure.
For questions relating to privacy go to the FAA Privacy Policy: http://www.faa.gov/privacy/
RADS takes appropriate security measures to safeguard PII and other sensitive data. RADS and the data warehouse accessed through this portal application are housed on several of the agency’s dedicated servers. RADS, as well as the data warehouse, are owned and operated by the ABA Financial Management Division (AFM-400) and housed in room 612A at FAA Headquarters, Federal Office Building-10A (FOB-10A), 800 Independence Avenue, SW, Washington, DC 20591.
RADS users access RADS through a Web browser. Access is available only via the FAA intranet and uses Secure Socket Layer (SSL) encryption technology.
Personnel with physical access have all undergone and passed FAA background checks.
In addition, access to CAS Reporting LDR, PAD, SAVES and ARS PII is limited according to job function, through system roles. Access control privileges are set according to the following roles:
ROLE | ACCESS | SAFEGUARDS |
Power User | | |
Report User | | |
System Administrator | | |
Database Administrator | | |
In addition, in accordance with the requirements of the Federal Information Security Management Act of 2002 (FISMA), a Security Certification and Accreditation (C&A) was completed for RADS. The C&A process is an audit of policies, procedures, controls, and contingency planning, required to be completed for all federal government IT systems every three years. All relevant policies, procedures and guidelines, including NIST Special Publication 800-53, have been followed to ensure the security of the system and the information it contains.
Data in the RADS system is maintained as outlined in the FAA Records Management Order 1350.15C. Records are cut off at the end of the fiscal year that the record supports. They are destroyed seven years after cutoff, in accordance with applicable federal standards and with limitations on civil actions by or against the U.S. Government (28 U.S.C. 2401 and 2415), if no longer required for business purposes.
RADS is a system of records subject to the Privacy Act because PII is regularly retrieved from RADS by an individual’s social security number. The System of Records Notices that cover RADS are DOT/ALL 7 Delphi Accounting System and DOT/FAA 853 Cost Accounting System Employee Labor Data.
FAA Privacy Act SORNs can be found at:
http://www.dot.gov/privacy/privacyactnotices/