July 21, 2004
Table of Contents
Overview of Federal Aviation Administration (FAA) privacy management process for ASKME
Personally Identifiable Information (PII) and ASKME
Why ASKME collects information
How ASKME uses information
How ASKME shares information
How ASKME provides notice and consent
How ASKME ensures data accuracy
How ASKME provides redress
How ASKME secures information
System of records
The Federal Aviation Administration (FAA) within the Department of Transportation (DOT) has been given the responsibility of civil aviation safety. FAA is responsible for:
One of the proposed programs that would help FAA fulfill this mission is ASKME. Though still in the early planning stages, ASKME would perform five basic functions, using designated aviation industry employees to perform certain FAA functions:
The proposed ASKME system would use a Web interface for all of the above components, and to support the Paperwork Reduction and E-Government Act priorities, it may include a public Web site for some appropriate activities. ASKME is in the early planning stages.
Privacy management is an integral part of the ASKME system. DOT/FAA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and FAA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FAA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:
FAA relies on designees to exercise superior training, judgment, and professionalism in their activities on FAA’s behalf. To help ensure that only appropriate individuals receive designation, and to monitor and control designees’ ongoing efforts, FAA must collect and use designee PII. FAA uses this PII to review applications, track the designee process, contact potential, current, and past designees, enforce requirements, handle complaints, and provide designee support.
In addition, it is expected that ASKME will support restricted access functionality to all parts of the system. Therefore, ASKME may also contain usernames and passwords and associate those data with individuals accessing ASKME.
ASKME is primarily planned as an internal tool to analyze safety data and manage time-intensive processes such as designee and equipment certificate activities. FAA intends to use PII in ASKME only for these primary purposes. Designee PII represents all or most of the PII planned for ASKME, and FAA will use this PII in the same privacy-sensitive manner it does now – to communicate with potential/current/past designees, monitor and control designee processes, and maintain quality of designee activities.
In some cases, FAA may need to share some information in ASKME within other departments of the FAA, or perhaps other government agencies. Routine sharing of this nature will be provided for and monitored through Memorandums of Understanding that define protocols, recipients, security, authorized uses, and other protections. FAA does not share PII from ASKME outside of the federal government. FAA will also provide the minimum information necessary in these data transfers and regulate user access according to job function and business need.
For an individual’s PII to be in ASKME, he or she must have either applied for designee status or be listed as a reference or contact in reference to the designation of another individual. The designee program is a voluntary one, and aviation industry employees who do not wish their PII to be in ASKME are not obligated to participate in the designee program. FAA employees and contractors with approved access to ASKME may provide PII associated with their login and password to the system. In these cases, FAA staff members must read a notice and disclosure statement on logging in that describes obligations and privacy protections. In addition, in the case that ASKME may also include a limited public Website interface to facilitate some online transactions, the Website will post an accurate privacy policy that contains all the sections required by the E-Government Act of 2002.
Under the provisions of the Privacy Act, individuals may request searches of some ASKME data to determine if any records have been added that may pertain to them. This is accomplished by sending a written notarized request directly to the ASKME that contains name, designee number, and information regarding the request. FAA does not allow public access to the information stored in the ASKME.
As provided for by the Representatives of the Administrator System of Records notice under the Privacy Act, individuals with questions about privacy and ASKME may contact FAA directly. If ASKME also includes a public Website section, the posted privacy policy will additionally provide contact information for FAA’s Privacy Officer.
ASKME will take appropriate security measures to safeguard PII and other sensitive data. ASKME will apply DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of FAA employees and contractors.
In addition, access to ASKME PII will be limited according to job function. FAA will control access privileges according to the “minimum necessary” rule, with the most sensitive data, such as social security number, accessible only to one or more system administrator as necessary.
The following access safeguards will also be implemented:
FAA will certify and accredit the security of ASKME in accordance with DOT standard requirements.