PRIVACY IMPACT ASSESSMENT

ASKME

July 21, 2004

Table of Contents

Overview of Federal Aviation Administration (FAA) privacy management process for ASKME
Personally Identifiable Information (PII) and ASKME
Why ASKME collects information
How ASKME uses information
How ASKME shares information
How ASKME provides notice and consent
How ASKME ensures data accuracy
How ASKME provides redress
How ASKME secures information
System of records

Overview of Federal Aviation Administration (FAA) privacy management process for ASKME

The Federal Aviation Administration (FAA) within the Department of Transportation (DOT) has been given the responsibility of civil aviation safety. FAA is responsible for:

Regulating civil aviation to promote safety;
encouraging and developing civil aeronautics, including new aviation technology;
developing and operating a system of air traffic control and navigation for both civil and military aircraft;
researching and developing the National Airspace System and civil aeronautics;
developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
regulating U.S. commercial space transportation

One of the proposed programs that would help FAA fulfill this mission is ASKME. Though still in the early planning stages, ASKME would perform five basic functions, using designated aviation industry employees to perform certain FAA functions:

Collect and analyze equipment safety data from several existing FAA sources of data.
Manage aircraft, engine, and propeller certificate processes.
Manage designee processes.
Manage compliance and enforcement activities.
Document and internally distribute lessons learned from FAA safety programs.

The proposed ASKME system would use a Web interface for all of the above components, and to support the Paperwork Reduction and E-Government Act priorities, it may include a public Web site for some appropriate activities. ASKME is in the early planning stages.

Privacy management is an integral part of the ASKME system. DOT/FAA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.

The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and FAA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FAA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:

Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
Assess the current privacy environment. This involves interviews with key individuals involved in the ASKME system to ensure that privacy risks are identified and documented.
Organize the resources necessary for the project’s goals. Internal DOT/FAA resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop an effective policy or policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing DOT/FAA to achieve its mission.
Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the FAA project.
Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.

Personally Identifiable Information (PII) and ASKME

To increase the efficiency of the FAA’s activities, FAA allows a group of individuals with specific expertise in a variety of skills to become “designees.” These designees, after an application and acceptance process, are authorized to review and approve or deny plans, schematics, designs, equipment, and other aviation assets. The ASKME system would contain PII pertaining to designees as needed to designate, monitor and control, and manage these individuals. In addition, ASKME may contain non-PII on manufacturers and other businesses/organizations involved in aviation. In some cases, a business or organization may submit an individual’s name and business contact information for inclusion in ASKME. It should be noted that this does not represent new information collection. Rather, ASKME combines information that FAA already collects, authorized through Paperwork Reduction Act OMB control number 2120-0033 and regulated by the Privacy Act of 1974, as stated in the Representatives of the Administrator System of Records Notice #830. For an individual’s PII to be included in ASKME , that individual must have applied for designee status with FAA, or have had her/his name submitted as a reference or contact in a complaint/comment pertaining to another individual’s designee application or status. Designee PII that ASKME may contain includes the following: Name · Address

Why ASKME collects information

FAA relies on designees to exercise superior training, judgment, and professionalism in their activities on FAA’s behalf. To help ensure that only appropriate individuals receive designation, and to monitor and control designees’ ongoing efforts, FAA must collect and use designee PII. FAA uses this PII to review applications, track the designee process, contact potential, current, and past designees, enforce requirements, handle complaints, and provide designee support.

In addition, it is expected that ASKME will support restricted access functionality to all parts of the system. Therefore, ASKME may also contain usernames and passwords and associate those data with individuals accessing ASKME.

How ASKME uses information

ASKME is primarily planned as an internal tool to analyze safety data and manage time-intensive processes such as designee and equipment certificate activities. FAA intends to use PII in ASKME only for these primary purposes. Designee PII represents all or most of the PII planned for ASKME, and FAA will use this PII in the same privacy-sensitive manner it does now – to communicate with potential/current/past designees, monitor and control designee processes, and maintain quality of designee activities.

How ASKME shares information

In some cases, FAA may need to share some information in ASKME within other departments of the FAA, or perhaps other government agencies. Routine sharing of this nature will be provided for and monitored through Memorandums of Understanding that define protocols, recipients, security, authorized uses, and other protections. FAA does not share PII from ASKME outside of the federal government. FAA will also provide the minimum information necessary in these data transfers and regulate user access according to job function and business need.

How ASKME provides notice and consent

For an individual’s PII to be in ASKME, he or she must have either applied for designee status or be listed as a reference or contact in reference to the designation of another individual. The designee program is a voluntary one, and aviation industry employees who do not wish their PII to be in ASKME are not obligated to participate in the designee program. FAA employees and contractors with approved access to ASKME may provide PII associated with their login and password to the system. In these cases, FAA staff members must read a notice and disclosure statement on logging in that describes obligations and privacy protections. In addition, in the case that ASKME may also include a limited public Website interface to facilitate some online transactions, the Website will post an accurate privacy policy that contains all the sections required by the E-Government Act of 2002.

How ASKME ensures data accuracy

ASKME will receive all designee data either directly through forms submitted by the designee, or through additional contact or interaction with the designee. The length of time a record remains on the ASKME system is governed by federal guidelines, and where applicable, FAA will maintain a retention policy that addresses system data retention and destruction. FAA will assign for each component of ASKME a data steward, who will be responsible for reviewing data integrity and accuracy; applying retention and data quality procedures.

Under the provisions of the Privacy Act, individuals may request searches of some ASKME data to determine if any records have been added that may pertain to them. This is accomplished by sending a written notarized request directly to the ASKME that contains name, designee number, and information regarding the request. FAA does not allow public access to the information stored in the ASKME.

How ASKME provides redress

As provided for by the Representatives of the Administrator System of Records notice under the Privacy Act, individuals with questions about privacy and ASKME may contact FAA directly. If ASKME also includes a public Website section, the posted privacy policy will additionally provide contact information for FAA’s Privacy Officer.

How ASKME secures information

ASKME will take appropriate security measures to safeguard PII and other sensitive data. ASKME will apply DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of FAA employees and contractors.

In addition, access to ASKME PII will be limited according to job function. FAA will control access privileges according to the “minimum necessary” rule, with the most sensitive data, such as social security number, accessible only to one or more system administrator as necessary.

The following access safeguards will also be implemented:

Passwords expire after a set period.
Accounts are locked after a set period of inactivity.
Minimum length of passwords is eight characters.
Passwords must be a combination of letters and numbers
Accounts are locked after a set number of incorrect attempts.

System of records

ASKME will contain information that is part of an existing system of records subject to the Privacy Act, because it is searched by designee name and possibly other unique identifier. You can find ASKME’s system of records notice, under DOT/FAA 830, Representatives of the Administrator at http://cio.ost.dot.gov/policy/records.html.

FAA will certify and accredit the security of ASKME in accordance with DOT standard requirements.