DEPARTMENT OF TRANSPORTATION
Federal Motor Carrier Safety Administration (FMCSA)

PRIVACY IMPACT ASSESSMENT

For

Commercial Driver's License Information System (CDLIS)-Gateway

January 11, 2011

Overview of FMCSA Privacy Management Process for CDLIS-Gateway

The mission of the Federal Motor Carrier Safety Administration (FMCSA), an Operating Administration within the U.S. Department of Transportation (DOT), is to reduce crashes, injuries, and fatalities involving large trucks and buses (motor carriers). To carry out its safety mandate, FMCSA partners with stakeholders—including Federal, State, and local enforcement agencies; the motor carrier industry; safety groups; commercial motor vehicle (CMV) drivers; and organized labor—on efforts to reduce crashes involving CMVs. Since the first step towards reducing crashes is to understand them, FMCSA collects and maintains Federal databases for motor carrier and CMV driver safety data as well as a national inventory of motor carriers and shippers subject to Federal Motor Carrier Safety Regulations (FMCSR) and Hazardous Materials Regulations (HMR).    

Section 12007 of the Commercial Motor Vehicle Safety Act (CMVSA) of 1986 (Public Law 99-570, 100 Stat. 3207, October 27, 1986) and Title 49 of the U.S. Code, Section 31309, entitled “Commercial driver’s license information system” require DOT to establish “an information system which will serve as a clearinghouse and depository of information pertaining to the licensing and identification of operators of commercial motor vehicles and the disqualification of such.” To comply with this mandate, FMCSA reviewed the options allowed under CMVSA. The conclusion was to assist the American Association of Motor Vehicle Administrators (AAMVA) and the State driver licensing agencies (SDLAs) to design and implement the State operated Commercial Driver’s License Information System (CDLIS).    

CDLIS is not a Federal Privacy Act system of records, but a distributed relational database maintained and operated by the States. The data from the State databases is the authoritative source of commercial driver’s license (CDL) records for each State. The States must make CDL records available to FMCSA and other authorized users as specified in 49 CFR 384.225(c). DOT, with FMCSA as the delegate, is required to develop a policy for the States on making CDLIS information available to authorized users that is consistent with existing Federal information and privacy laws [49 U.S.C. 31106(e)].    

Each State and the District of Columbia operate its own portion of the CDLIS distributed relational database to monitor CDL drivers licensed within its respective jurisdiction. These State-operated CDLIS databases are linked and share information via AAMVA’s CDLIS-Index, which is operated by AAMVA on behalf of the States. AAMVA’s CDLIS-Index enables authorized users to retrieve CDL records from the current licensing State by directing users to the appropriate State-operated CDLIS database. FMCSA monitors AAMVA and the States to ensure that AAMVA’s CDLIS-Index is operated in accordance with applicable Federal laws and regulations.    

Authorized CDLIS users include employees and contractors of Federal, State, and local enforcement agencies. Users either receive authorization from FMCSA to access CDLIS, or may receive it, if they are law enforcement agencies, from their State’s criminal justice information system (CJIS), for enforcing FMCSA CDL regulations as part of their official duties [e.g., State officials enforcing regulations in support of the FMCSA Motor Carrier Safety Assistance Program (MCSAP)].    

In order to provide authorized FMCSA users with access to CDLIS, FMCSA developed CDLIS-Gateway. CDLIS-Gateway is maintained exclusively by FMCSA, using a contractor. CDLIS-Gateway includes the following two components:

1. FMCSA CDLIS-Access (Access)—Access serves as the routing software for authorized FMCSA users to retrieve CDLIS driver records from the current licensing State by providing relevant Personally Identifiable Information (PII) concerning CDL drivers. The PII is compared with information in AAMVA’s CDLIS-Index in order to determine the current licensing State. Access then retrieves CDLIS driver records from the current licensing State and routes the information to the inquiring authorized user.
2. Automated Compliance Review System (ACRS)—ACRS is a web-based system that tracks State implementation of CDL regulations as part of State compliance reviews performed by FMCSA. As part of the State CDL compliance reviews, FMCSA may store examples of sample CDLIS driver records from that State that illustrate a problem that State needs to correct. The only PII stored in such CDLIS driver records in ACRS is that State’s driver license number. The driver license numbers are used by the licensing States to locate specific record within their State’s CDLIS database.

1. FMCSA CDLIS-Index (Index)—Index is a derivative copy of AAMVA’s CDLIS-Index that also allows authorized users to retrieve CDL records from the current licensing State by directing users to the appropriate State-operated CDLIS database. Index will initially be used exclusively by FMCSA for analysis and research purposes, such as selecting representative systematic samples of CDL drivers for authorized studies. In this capacity, FMCSA will not use PII to access index records in Index. If FMCSA decides to use Index to operationally replace use of AAMVA CDLIS-Index, users via Access, will use PII to determine if there is an entry in Index for that driver, but no response will be provided by Index to the user. The Index record located will only direct users to the authoritative source of the PII (i.e., the CDLIS database operated by the licensing State).
2. FMCSA Static CDLIS Sample (Sample)—Two versions of sample will be maintained. One will contain PII information, but will not be accessed by PII data. Two will be accessed by an anonymized version of the PII information. Anonymise or anonymization means to systematically replace the PII data, such as name, thus making the record it is associated with nameless, or anonymous. Anonymized in the context of databases used for analysis purposes means the PII data was transformed by a systematic process that converted the PII data into a different form that is still a unique ID, but which cannot be reconstructed to determine the original PII data that was transformed.    

   CDLIS index is designed to use any one of three different PII identifiers to retrieve a driver record. Two of those identifiers are combinations of two different data elements. For example, the two data elements of driver license number and State together form one of the indexes that can be used for retrieving a CDLIS driver record from the licensing State’s database. The two data elements in combination would have the transformation process applied to form an anonymized unique identifier, from which neither the driver license number nor State could be reconstructed.    

   In the case of SSN, as part of CDLIS modernization, both AAMVA and Homeland Security have come up with a solution they intend to deploy that will replace SSN within CDLIS with an anonymized representation. We will apply the same process immediately. Eventually after implementation of CDLIS modernization, CDLIS will no longer contain SSN, but the anonymized representation.    

   Both versions of sample are derived static databases containing copies of limited CDL records from State-operated CDLIS databases that were obtained during regular enforcement activities or for analysis and research purposes. Sample one will to be used for things such as supporting sending out sample surveys approved by OMB. Sample two will be used for things such as performing trend analyses, data quality studies, and other research on these historical driver records. Special studies may involve comparing driver safety performance information in Sample two with driver safety performance information from roadside inspections and crash reports stored in the Motor Carrier Management Information System (MCMIS), or comparing with State CDL records obtained via Nlets, the International Justice and Public Safety Network (Nlets). Sample two, even though accessed by indicators derived from PII data, will not contain PII since information extracted from MCMIS or from State-operated CDLIS databases will be anonymized prior to being stored in Sample two. To preserve continuity with the design of CDLIS, the anonymization is expected to generate the following unidentifiable data elements:

   • Anonymized driver name and date of birth combination
   • Anonymized driver Social Security Number (SSN) using the process agreed to between AAMVA, FMCSA and Homeland Security.
   • Anonymized CDLIS State-of-Record and driver license number combination
   Maintaining the privacy of CDL driver PII is a paramount consideration in the development and operation of CDLIS-Gateway. The privacy management process used by the CDLIS-Gateway contractor was assessed by DOT/FMCSA privacy experts using proven technologies, sound policies and procedures, and established methodologies to ensure that privacy management is an integral part of the development and operation of CDLIS-Gateway. The DOT/FMCSA privacy management process is built upon a methodology that enables DOT/FMCSA to effectively protect PII while allowing FMCSA to achieve its mission. The methodology includes the following:
   • Establishing appropriate authorities, responsibilities, and controls for information management with input from systems architecture, technology, security, legal, and other disciplines.
   • Identifying, documenting, and addressing privacy risks.
   • Developing and implementing appropriate policies and procedures and updating them when necessary.
   • Monitoring compliance with applicable laws, regulations, policies, and procedures.
   • Providing training to all DOT employees and contractors that have access to PII.
   • Effectively maintaining the privacy protection principles of:
   1. Openness
   2. Individual Participation
   3. Purpose Specification
   4. Collection Limitation
   5. Use Limitation
   6. Data Quality and Integrity
   7. Security Safeguards
   8. Accountability and Auditing
   CDLIS-Gateway does not contain a Privacy Act system of records. Neither ACRS nor Sample use PII to retrieve information about individuals. Access and Index do use PII to retrieve information about individuals, but the data is retrieved from the States. Access is only routing software for retrieving CDLIS driver records and does not itself store any PII. The authoritative sources of the PII used by Access and Index are the CDLIS distributed relational databases maintained and operated by the States.    

   Only personnel with a specific “need to know” are authorized to access information concerning CDL drivers via CDLIS-Gateway. Authorized personnel must also meet the requirements of the Driver’s Privacy Protection Act (DPPA) of 1994 (Public Law 103-322) to access CDLIS driver records. FMCSA does not provide any information concerning CDL drivers stored in or retrieved by CDLIS-Gateway to any other individual or entity than authorized directly by FMCSA as needing to know, or by States via their CJIS. Other individuals and entities authorized by Congress to access CDLIS driver records, as specified in 49 CFR 384.225(e), must request CDLIS motor vehicle records, which contain driver PII, as defined in 49 CFR 391.23(m)(2)(i). Such requests for CDL driver records from individuals and entities, such as CDL drivers, motor carriers, law firms, insurance providers, etc., must be directed to the appropriate CDLIS State-of-Record directly or via a third party authorized by the State to obtain these records in compliance with the DPPA.    

   Personally Identifiable Information (PII) and CDLIS-Gateway

   ACRS includes the following PII concerning CDL drivers:

   • State driver license number.
   Index includes the following PII concerning CMV drivers:
   • Name.
   • Date of birth.
   • SSN.
   • Gender.
   • Height.
   • Weight.
   • Eye color.
   • Driver license number.
   • CDLIS Sate-of-Record.

   Why CDLIS-Gateway Collects Information

   The information collected by CDLIS-Gateway is used by FMCSA for the following purposes:

   • ACRS—Example CDL records are used to enable licensing States to locate specific records within their State’s CDLIS databases. The single PII of driver license number is not used by ACRS to retrieve CDLIS driver records.
   • Index—PII is used to retrieve CDLIS driver records, but only from the current licensing State. Index is a derivative copy of AAMVA’s CDLIS-Index that may eventually be used to allow FMCSA to increase the number of enforcement officials accessing State-operated CDLIS databases, while reducing the burden on AAMVA CDLIS-Index. Implementation of new applications, such as the International Trade Data System (ITDS), are substantially increasing the volume of FMCSA inquiries to AAMVA’s CDLIS-Index. ITDS uses the Access software to retrieve CDL driver records in the United States, Mexico, and Canada.
    

   How CDLIS-Gateway Uses Information

   Authorized users of Access use PII to retrieve CDLIS driver records stored in State-operated CDLIS databases via Access. The records retrieved from State-operated CDLIS databases are used to determine whether CDL drivers are authorized to operate the type of CMV they are operating as part of enforcing FMCSA’s CDL regulations. They are also used to retrieve records, such as for OMB approved research surveys, of drivers and for analysis purposes. No PII is released from such studies to the public. Access currently uses AAMVA’s CDLIS-Index to determine where to route inquiries to the correct SDLAs. Responses are routed back to the inquirer via Access.    

   FMCSA may eventually use Index instead of AAMVA’s CDLIS-Index as part of retrieving CDLIS driver records stored in State-operated CDLIS databases. If this occurs, Index will continue to be a derived, copy of AAMVA’s CDLIS-Index. It will receive incremental updates of CDLIS driver index information, including PII, from AAMVA’s CDLIS-Index. The functional operation of Index in this capacity will continue to be the same as it is with Access using the AAMVA CDLIS-Index. No records will be retrieved from Index using PII.    

   ACRS stores driver license numbers within example CDLIS driver records to enable licensing States to locate specific records within their CDLIS database. These driver license numbers are not used by ACRS to retrieve CDLIS driver records.    

   Sample does not use PII to retrieve CDLIS driver records. PII extracted from MCMIS or from State-operated CDLIS databases stored in Sample two is anonymized prior to being stored in Sample two.

   How CDLIS-Gateway Shares Information

   FMCSA does not share information stored in CDLIS-Gateway with other information systems. However, CDLIS-Gateway shares information from the CDLIS State-operated databases with individuals in the following situations:

   • Information from the licensing State may be shared with Federal, State, and local government agencies for the purpose of enforcing regulatory requirements related to CMV driver safety.
   • Information from the licensing State may be shared with law enforcement officials performing law enforcement activities for CDL enforcement activities.
   • Information from the licensing State may be shared with other Federal agencies carrying out Congressionally authorized enforcement activities.
   • Information from the archived information maintained by the CDLIS-Gateway may be shared with Federal, State, and local law enforcement agencies to safeguard against and respond to PII breaches.

   How CDLIS-Gateway Provides Notice and Consent

   PII stored in or retrieved by CDLIS-Gateway is provided by State-operated CDLIS databases. Since these State-operated CDLIS databases are the authoritative sources for CDLIS driver information, CDLIS-Gateway does not provide CDL drivers with additional notice or options for consent. CDL drivers are required by law to provide PII to Federal and State enforcement officials (49 U.S.C. 31309, 31102, and 31106). Restrictions on the permissible use of CDLIS driver information, including PII, by States is regulated by 49 CFR 384.225(e) and the DPPA of 1994, as amended (18 U.S.C. 2721 et seq.).

   How CDLIS-Gateway Ensures Data Accuracy

   FMCSA does not control the accuracy of the CDLIS driver records received by CDLIS-Gateway from State-operated CDLIS databases. FMCSA can only ensure the confidentiality and integrity of PII contained in ACRS and Index. FMCSA is not permitted to modify CDLIS driver records retrieved from the SDLAs’ CDLIS databases.    

   In accordance with 49 CFR 384.225(e)(3), CMV drivers who wish to view their CDL records must contact the applicable SDLA to request a copy. In accordance with 49 CFR 384.225(c), SDLAs must provide procedures for CDL drivers, licensed within their respective jurisdictions, to request copies of their CDLIS driver records. Corrections to their information located in the State-operated CDLIS databases are subject to State procedures. To our knowledge, all States require CMV drivers to maintain their current addresses with the SDLA for purposes of the State contacting them whenever necessary.

   How CDLIS-Gateway Provides Redress

   The CDLIS State-of-Record is the authoritative source for CDLIS driver records stored in and retrieved by CDLIS-Gateway. CDL drivers who wish to contest the accuracy of their information located in State-operated CDLIS databases must direct their redress requests to the applicable SDLA.

   How CDLIS-Gateway Secures Information

   All information stored in or retrieved by CDLIS-Gateway is protected from unauthorized access through appropriate administrative, physical, and technical safeguards. Electronic files are stored in databases secured by passwords, firewalls, and operating systems to which only authorized personnel with a “need to know” have access. The CDLIS-Gateway login screen warns users of penalties for unauthorized access, and all access to information retrieved by CDLIS-Gateway is logged and monitored. The data center in which CDLIS-Gateway operates is a restricted access facility.    

   FMCSA’s contractor is subject to routine audits by DOT/FMCSA privacy officials and the FMCSA Information Technology (IT) Security Team to ensure compliance with the Privacy Act of 1974 and all other applicable Federal laws, regulations, and requirements. FMCSA also performs additional audits of its contractor to ensure that performance, privacy, and security objectives for ACRS and Index are met. The FMCSA Office of Information Technology has provided guidance to assist the contractor in protecting the confidentiality, integrity, and availability of information, including PII, stored in or retrieved by CDLIS-Gateway.    

   User access controls have been developed to ensure that the number of individuals with access to restricted information stored in or retrieved by CDLIS-Gateway is kept to a minimum and is limited to only those individuals with a “need to know.” Audit provisions are also included to ensure that CDLIS-Gateway is used appropriately by authorized users and monitored for unauthorized usage. All FMCSA information systems are governed by the FMCSA Rules of Behavior (ROB) for IT Systems. The FMCSA ROB for IT Systems must be read, understood, and signed by each user prior to being authorized to access FMCSA information systems, including CDLIS-Gateway. FMCSA contractors involved in data analysis and research are also required to sign the FMCSA Non-Disclosure Agreement prior to being authorized to access CDLIS driver records.    

   Law enforcement officials that require access to CDLIS driver records from a State other than their own via Nlets must first be authorized by their State in accordance with Federal Bureau of Investigation (FBI) user standards for access to that State’s CJIS. FBI user standards include strict user access controls and detailed tracking of every inquiry and are similar to the FMCSA user standards. Such law enforcement officials access CDLIS-Gateway via their State Nlets connection to FMCSA.    

   Access to information stored in or retrieved by CDLIS-Gateway is determined by permission levels, and CDLIS-Gateway employs role-based access controls. Users are required to authenticate with a valid user identifier and password in order to gain access to CDLIS-Gateway. This strategy improves data confidentiality and integrity. These access controls were developed in accordance with Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems dated March 2006 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 2, Recommended Security Controls for Federal Information Systems dated December 2007. Regular monitoring activities are also performed annually to provide ongoing oversight of security controls and to detect misuse of information stored in or retrieved by CDLIS-Gateway.

   How CDLIS-Gateway Retains Information

   Information stored in CDLIS-Gateway is retained in accordance with the following provisions of the U.S. National Archives and Records Administration (NARA):

   • Access—Archive records are retained for audit purposes for 5 years in accordance with the Request for Records Disposition Authority for Enforcement and Program Delivery [Standard Form (SF) 115: NI-557-05-6, Item 7B].
   • ACRS—Records are retained for 5 years in accordance with SF 115: NI-557-05-6, Item 7B.
   • Index—NARA General Records Schedule (GRS) 20, Item 2B is the applicable disposition authority for superseded information that FMCSA obtains from AAMVA’s CDLIS-Index. If FMCSA implements Index for daily operational use, it will be regularly and incrementally updated to maintain an accurate replica of AAMVA CDLIS-Index. PII in Index will be retained for as long as it is retained.
   • Sample—NARA GRS 20, Item 2C is the applicable disposition authority. Records containing PII in Sample one or those anonymized in Sample two will be retained until they are no longer needed for analysis and research purposes or whenever the records are superseded by new records or become obsolete, whichever is sooner.

   System of Records

   Based on the above explanations of the PII information contained in and the uses by the applications or databases in CDLIS-Gateway, it is not a Privacy Act system of records. The CDLIS distributed relational databases maintained and operated by the States are the authoritative sources of information retrieved by CDLIS-Gateway, and no PII is used to retrieve records from any database maintained by FMCSA.