DEPARTMENT OF TRANSPORTATION
Office of the Secretary of Transportation (OST)
PRIVACY IMPACT ASSESSMENT
November 14, 2008
TABLE OF CONTENTS
Overview of Privacy Management Process
Personally Identifiable Information (PII) & PRISM
Why PRISM Collects Information
How PRISM uses information
How PRISM Shares Information
How PRISM Provides Notice and Consent
How PRISM Ensures Data Accuracy
How PRISM Provides Redress
How PRISM Secures Information
How Long PRISM Retains Information
System of Records
The Office of the Secretary (OST) oversees the formulation of national transportation policy and promotes intermodal transportation. Other responsibilities include negotiation and implementation of international transportation agreements, assuring the fitness of US airlines, enforcing airline consumer protection regulations, issuance of regulations to prevent alcohol and illegal drug misuse in transportation systems and preparing transportation legislation.
Privacy management is an integral part of the Department of Transportation (DOT) PRISM System (PRISM). The Office of the Secretary (OST) has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and established methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and OST will have the information, tools and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing OST to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following steps:
PRISM is used to create, manage and report on procurement actions. PRISM stores pre-decisional, pre-award requisition/solicitation information and Social Security Account Numbers of consultants who are providing a service for DOT. The system stores contract numbers, identification of products/services purchased, socio-economic categories of vendors, and provides management tracking capabilities.
The PRISM modules will contain and publicly post the following information:
PRISM does not publicly post any PII.
PRISM collects the PII in order to effectively manage procurement actions to increase productivity across the procurement process from requisitioning to closeout, minimize data entry, and maximize efficiency through electronic routing, workflow, and workload management.
OST personnel enter contractor, acquisition, and award information. Subsequent actions, such as contract status changes and closeout, are also entered.
In accordance with Sections A4 and A5 of the PRISM System Security Plan, PRISM is hosted off-site by Compusearch at Equinox in Sterling, Virginia. PRISM currently interfaces with:
(1) Federal Procurement Data System – Next Generation (FPDS-NG);
(2) Central Contractor Registration (CCR);
(3) On-line Representations and Certification Actions;
(4) Excluded Parties List; and
(5) Past Performance Information Retrieval System.
PRISM displays the DOT approved system warning banner to alert users of notice and consent to monitoring prior to login.
PRISM employs the data accuracy checks inherent in Oracle database software to ensure data validity and accuracy. The system has been reviewed through security testing and evaluation to ensure, to the greatest extent possible, that its data is accurate, relevant, timely and complete.
Validation checks built into the application software both prompt the user when an incorrect entry has been made and must be corrected, and confirm when data has been input successfully.
PRISM takes appropriate security measures to safeguard PII and other sensitive data. PRISM applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of OST employees and contractors.
| ROLE | ACCESS | SAFEGUARDS |
|---|---|---|
| STAFF | | |
| ADMIN | | |
PRISM retains PII for a minimum of one year.
PRISM contains information that should be included in a System of Records subject to the Privacy Act because it can be searched by an individual’s name, social security number, corporate entity, service provided and address.
OST has certified and accredited the security of PRISM in accordance with DOT information technology security standard requirements.