PRIVACY IMPACT ASSESSMENT

Airmen/Aircraft Registry Modernization System (RMS)

August 12, 2004

Table of Contents

Overview of Federal Aviation Administration (FAA) privacy management process for RMS
Personally Identifiable Information (PII) and RMS
Why RMS collects information
How RMS uses information
How RMS shares information
How RMS provides notice and consent
How RMS ensures data accuracy
How RMS provides redress
How RMS secures information
System of records

Overview of Federal Aviation Administration (FAA) privacy management process for RMS

The Federal Aviation Administration (FAA) within the Department of Transportation (DOT) has been given the responsibility for civil aviation safety. FAA is responsible for:

Regulating civil aviation to promote safety;
Encouraging and developing civil aeronautics, including new aviation technology;
Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
Researching and developing the National Airspace System and civil aeronautics;
Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
Regulating U.S. commercial space transportation

One of the systems that helps FAA fulfill this mission is the Airmen/Aircraft Registry Modernization System (RMS). This system allows FAA to maintain airmen and aircraft records, including but not limited to:

Airmen:
- Records documenting the certificate type, class, rating(s) and limitation(s) issued to an airman.
Aircraft:
- To whom the aircraft is registered
- Aircraft ownership
- Legal instruments pertinent to aircraft

Though RMS has been in existence for some time, recent improvements have moved some functionality to the Web, supporting Section 208 of the E-Government Act of 2002 goals.

Privacy management is an integral part of the RMS system. DOT/FAA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.

The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and FAA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FAA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:

Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
Assess the current privacy environment. This involves interviews with key individuals involved in the RMS system to ensure that privacy risks are identified and documented.
Organize the resources necessary for the project’s goals. Internal DOT/FAA resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop an effective policy or policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing DOT/FAA to achieve its mission.
Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the FAA project.
Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.

Personally Identifiable Information (PII) and RMS

To handle airmen certifications and aircraft registrations, FAA requires PII about airmen and aircraft owners/registrants. With this in mind, RMS may include or collect the following data on airmen and/or aircraft owners and registrants, either for authentication or certification requirements: · Name · Date of birth (airmen only) · Social security number (airmen only) · Driver’s license number, passport number, or government ID number · Physical Description (height, weight, hair and eye color, sex, and citizenship) · Address (airmen only) · Medical records (airmen only) · Certificate number (airmen only) In the past, RMS used an airman’s social security number as the certificate number. FAA is now changing that practice, developing unique certificate numbers not affiliated with social security number. During this change, airmen can request, online or offline, that his or her social security number not appear as a certificate number. For an individual’s PII to be included in RMS, that individual must be associated with an airmen or aircraft certificate or application.

Why RMS collects information

FAA is responsible for granting airmen certification and aircraft registration and managing the processes, both of which require PII. FAA uses the PII in RMS to grant, track, and monitor airmen and aircraft certificates. In addition, FAA may use PII in RMS to contact individuals for more pertinent information, handle applicable requests, and aggregate data for trend analyses.

In addition, RMS supports restricted access functionality to all parts of the system. Therefore, RMS contains usernames and passwords for FAA employees and associates that data with individuals accessing RMS. Members of the public can also perform some functions online pertaining to their airmen account. Therefore, RMS also contains email addresses and passwords for public Website users with approved access.

How RMS uses information

RMS is primarily planned as an internal tool to manage and store records, analyze safety data and manage time-intensive processes such as examination activities. FAA intends to use PII in RMS only for these primary purposes. FAA will use this PII in the same privacy-sensitive manner it does now.

How RMS shares information

In some cases, FAA may need to share some information in RMS with other departments of the FAA, or perhaps other government agencies, such as law enforcement. Routine sharing of this nature is provided for and monitored through Memorandums of Understanding that define protocols, recipients, security, authorized uses, and other protections. FAA shares RMS data in accordance with the Privacy Act of 1974 and as required by law.

How RMS provides notice and consent

For an individual’s PII to be in RMS, he or she must have either applied for or have an airmen certification, or have been associated with an aircraft registration.

Notice is provided through the applicable Privacy Act System of Records notices, DOT/FAA 847 - Aviation Records on Individuals, and DOT/FAA 801 - Aircraft Registration System. In addition, as RMS includes a limited public Website interface to facilitate some online transactions, the Website posts an accurate privacy policy that contains all the protections and advisories required by the E-Government Act.

FAA employees and contractors with approved access to RMS may provide PII associated with their login and password to the system. In these cases, FAA staff members must read a notice and disclosure statement before logging in that describes obligations and privacy protections.

How RMS ensures data accuracy

RMS receives most PII either directly through forms submitted by the individual in question, or through additional contact or interaction with the individual. The length of time a record remains on the RMS system is governed by federal guidelines, and information on the retention policy is provided in Privacy Act System of Records notices DOT/FAA 847 and DOT/FAA 801. RMS does provide some online functionality that allows an individual to request changes to some of his or her information, such as address, and to request that his or her social security number not be used as the certificate number.

Under the provisions of the Privacy Act, individuals may request searches of some RMS data to determine if any records have been added that may pertain to them. This is accomplished by sending a written request directly to the program office that contains name, authentication information, and information regarding the request. FAA does not allow public access to the information stored in the RMS.

How RMS provides redress

As provided for by the Privacy Act System of Records notices DOT/FAA 801 and DOT/FAA 847, individuals with questions about privacy and RMS may contact FAA directly. The posted privacy policy on the RMS public Website will additionally provide contact information for FAA’s Privacy Officer.

How RMS secures information

RMS takes appropriate security measures to safeguard PII and other sensitive data. RMS applies DOT security standards, including but not limited to, routine scans and monitoring, back-up activities, and background security checks of FAA employees and contractors.

In addition, FAA access to RMS PII is limited according to job function. There is a formal approval process that must occur, in which one or managers approve an individual’s RMS access, before that access is granted. FAA controls access privileges according to the “minimum necessary” rule.

The following access safeguards are also be implemented:

Passwords expire after a set period.
Accounts are locked after a set period of inactivity.
Minimum length of passwords is eight characters.
Passwords must be a combination of letters, numbers, and special characters.
Accounts are locked after a set number of incorrect attempts.

System of records

RMS contains information that is part of two existing systems of records subject to the Privacy Act, because it is searched by an individual’s name and unique identifiers. You can find RMS’ system of records notices, DOT/FAA 847 and DOT/FAA 801, by going to: http://cio.ost.dot.gov/policy/records.html.

FAA is in the process of certifying and accrediting the security of RMS in accordance with DOT standard information technology requirements.