FHWA

DEPARTMENT OF TRANSPORTATION

Federal Highway Administration

PRIVACY IMPACT ASSESSMENT

Freedom of Information Act Request Log Tracking System

September 14, 2006

Table of Contents

Overview of Federal Highway Administration (FHWA) privacy management process for Freedom of Information Act Tracking System
Personally-identifiable information and Freedom of Information Act Tracking System
Why Freedom of Information Act Tracking System collects information
How Freedom of Information Act Tracking System uses information
How The Freedom of Information Act Tracking System will share information
How Freedom of Information Act Tracking System provides notice and consent
How Freedom of Information Act Tracking System ensures data accuracy
How Freedom of Information Act Tracking System Files provides redress
How Freedom of Information Act Tracking System secures information
System of records

Overview of Federal Highway Administration (FHWA) privacy management process for Freedom of Information Act Tracking System

Federal Highway Administration (FHWA), within the Department of Transportation (“DOT”), has been given the responsibility for enhancing the movement of people and goods from one place to another, while also ensuring the safety of the traveling public, promoting the efficiency of the transportation system, and protecting the environment.

The Freedom of Information Act (FOIA) tracking system contains records and related correspondence on individuals who have filed requests for information under the provisions of the FOIA, including requests for review of initial denials of such requests; copies of requested records; and records under administrative appeal.  The system permits FHWA management and personnel to track and monitor FOIA requests, input processing data, and produce reports.

Privacy management is an integral part of the FOIA Tracking System.  Privacy management utilizes proven technology, sound policies and procedures, and proven methodologies. The FOIA Tracking System has gone through a thorough privacy management review process completed by the FHWA privacy office and ISSO. 

The privacy management process is built upon a methodology that is designed to help ensure that DOT and FHWA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FHWA to achieve its mission of protecting and enhancing a most important U.S. transportation system.  The methodology is based upon the following:

  1. Establish priority, authority, and responsibility. Using a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
  2. Assess the current privacy environment.  This involved interviews with key individuals involved in the FOIA tracking system to ensure that all uses of personally identifiable data, along with the risks involved with such use, are identified and documented. 
  3. Organize the resources necessary for the project’s goals.  Internal DOT/FHWA resources will be involved in reviewing the technology, data uses, and associated risks.  They will also be involved in developing the necessary redress systems and training programs.
  4. Develop the policies, practices, and procedures.  The resources identified in Step 3 will work to develop an effective policy or policies, practices and procedures to ensure that fair information practices are complied with.  The policies will effectively protect privacy while allowing DOT/FHWA to achieve its mission.
  5. Implement the policies, practices, and procedures.  Once the policies, practices, and procedures are developed, they must be implemented.  This involves training of all individuals who will have access to and/or process personally identifiable information. 
  6. Maintain policies, practices, and procedures.  Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices.  Regular monitoring of compliance with privacy policies, practices, and procedures will be required. 
  7. Manage exceptions and/or problems with the policies, practices, and procedures.  This step involves the development and implementation of an effective redress and audit system to ensure that any complaints can be effectively addressed and corrections made if necessary.

Personally-identifiable information and Freedom of Information Act Tracking System

The FOIA tracking system contains both Personally-Identifiable Information (PII) and non-PII pertaining to FOIA requests. The PII contained within the system is name, mailing address, telephone number, and email address.

Why Freedom of Information Act Tracking System collects information

The FOIA tracking system allows FHWA to maintain timely responses to FOIA correspondences. FHWA tracks the responses and workload associated with each request, as well as maintain records of correspondence. FHWA uses PII in the FOIA tracking system to contact individuals requesting responses, track status on responses, and other work associated with requests, and maintain records. 

How Freedom of Information Act Tracking System uses information

FOIA tracking system uses PII solely for the purpose of tracking, reporting, and responding to FOIA requests.  FHWA does not normally disseminate the data to other agencies nor does it normally release the data to outside parties. However, in cases in which other Federal agencies records or interests are involved, consultation with or referral to those agencies requires transfer of the request-specific PII.  Further, FOIA requests for other than first-party information are themselves available under FOIA; first-party requests are available only under the Privacy Act.

How The Freedom of Information Act Tracking System will share information

Only approved FHWA staff have regular access to The FOIA tracking system. Affected Program or Chief Counsel staff may be consulted and PII shared to allow proper handling of FOIA requests or appeals.

The FOIA tracking system does not share personally identifiable information in any way with external agencies, except as described above.

How Freedom of Information Act Tracking System provides notice and consent

As a Privacy Act System of Records, the FOIA tracking system provided notice of practices through its Privacy Act System of Records Notice (DOT/ALL 17). The FOIA system does not use PII for any secondary purposes that might require consent unless authorized by law. 

How Freedom of Information Act Tracking System ensures data accuracy

The FOIA tracking system users receive PII directly from individuals contacting FHWA through correspondence or requests.  Also, FHWA receives PII from individuals sending correspondence on behalf of another individual. FHWA authorized data entry personnel enter PII into the system and are responsible for the data accuracy. If FHWA staff members become aware of inaccuracy in PII, FHWA may contact the individual in question and correct the inaccuracy.

Under the provisions of the Privacy Act, individuals may request searches of the FOIA tracking system to determine if any records have been added that may pertain to them. This is accomplished by sending a written notarized request directly to the System Manager that contains name, and authentication information. 

How Freedom of Information Act Tracking System Files provides redress

At any time, a user may contact a FHWA privacy representative through the public Web site and ask questions on privacy questions. This contact information is provided in the Privacy Policy, posted visibly on the Web site.

How Freedom of Information Act Tracking System secures information

Physical access to the server that houses the FOIA tracking system is limited to appropriate personnel through building key cards and room-access keypads. Personnel with physical access have all undergone and passed DOT security checks.

In addition to physical access, the access rights administered by the User Profile and Access Control System (UPACS) is a key component in the FHWA security program.  UPACS is the security control system that manages User authentication and associated access rights for individuals who need entry into one of FHWA applications, including the FOIA Tracking System.  Access to PII in the FOIA Tracking system is limited according to job function. FWHA controls access privileges according to the following roles:

The following matrix describes the privileges and safeguards around each of these roles as they pertain to personally identifiable information.

ROLE

ACCESS

SAFEGUARDS

User
  • Create own profile
  • Access and change own profile information
  • User-set user name and password.
  • Privileges set by system administrator.

System Owner
  • Create own profile
  • Access and change own profile information
  • Request changes to system as needed.
  • Search and view user names
  • User-set user name and password.
  • Privileges set by system administrator.
  • Minimum 8 character length (via UPACS)
  • Contain at least two numeric (0-9) and two non-numeric (A-Z and spaces) characters
  • Be different than passwords used before
  • Privileges set by system administrator

System Administrator
  • View and search all information in database
  • Change passwords and user names
  • Change and delete profile information
  • Change and delete other data in system

User-set user name and password, according to DOT standards:

  • Minimum 8-character length
  • Use upper and lower case
  • Forced password change every 3 months

Must access system from limited number of computers, each of which also has user name/password access control.

System of records

Freedom of Information Act Tracking System is a system of records under the Privacy Act of 1974 and the Department of Transportation has published a System of Records Notice (DOT/ALL17) in the Federal Register.