DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration

PRIVACY IMPACT ASSESSMENT

Federal Aviation Administration
Medical Certification System
(FAA MedXPress)

January 22, 2007

Table of Contents

Overview of Federal Aviation Administration privacy management process for FAA MedXPress
Personally-identifiable information and FAA MedXPress
Why FAA MedXPress Collects information
How FAA MedXPress Uses Information
How FAA MedXPress Shares Information
How FAA MedXPress Provides Notice and Consent
How FAA MedXPress Ensures Data Accuracy
How FAA MedXPress Provides Redress
How FAA MedXPress Secures Information
How FAA MedXPress Retains Information
System of Records

Overview of Federal Aviation Administration Privacy Management Process for FAA MedXPress

The Federal Aviation Administration (FAA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs. FAA is responsible for:

Regulating civil aviation to promote safety;
encouraging and developing civil aeronautics, including new aviation technology;
developing and operating a system of air traffic control and navigation for both civil and military aircraft;
researching and developing the National Airspace System and civil aeronautics;
developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
regulating U.S. commercial space transportation.

One of the programs that helps FAA fulfill this mission is the FAA Medical Certification System, known as FAA MedXPress, which has the following functions:

Provides an online version of the FAA’s Medical History Form 8500-8 (Application for Airman Medical Certificate or Airman Medical and Student Pilot Certificate) for applicants to submit their information electronically;
validates for completeness all medical history information being sent to the FAA;
allows creation of secure access accounts for users of the system;
provides an email notification system for distributing secure password information and confirmation numbers.

FAA MedXPress is managed by the Office of Aerospace Medicine (OAM) inside the FAA’s Civil Aerospace Medical Institute (CAMI). OAM/CAMI is responsible for a broad range of medical programs and services for both the domestic and international aviation communities. Services provided by the OAM/CAMI include:

Medical clearance of air traffic control specialist and other FAA employees required to meet medical standards to perform safety-sensitive duties;
pilot medical certification.

As such, OAM/CAMI has the responsibility for collecting and maintaining any information related to the medical conditions of pilots and certain covered positions within the FAA.

All airmen, air traffic controllers (ATCs) and certain other designated FAA employees are required to have FAA Medical Certificates. The process of applying for an FAA Medical Certificate or Student Pilot Medical Certificate requires completion of the OMB-approved, FAA Medical History Form 8500-8, and performance of a medical examination of the applicant by an FAA-designated Aviation Medical Examiner (AME). The AME is a private physician who is approved by the FAA to perform this function.

Until now, the applicant has been required to complete Form 8500-8 in the AME’s office prior to the examination. FAA MedXPress now allows applicants to complete and submit their FAA Form 8500-8 on-line. FAA MedXPress securely transmits the completed form to FAA and makes it available to a designated AME to review at the time of the applicant’s medical examination. FAA MedXPress is built upon the FAA’s existing Aerospace Medical Certification Subsystem (AMCS) program, which allows AMEs to transmit Form 8500-8 medical history data to the FAA.

The protection of applicant privacy is a priority for FAA. FAA utilizes a privacy management process built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to ensure that DOT and FAA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FAA to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following:

Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
Assess the current privacy environment. This involves interviews with key individuals involved in the FAA MedXPress system to ensure that privacy risks are identified and documented.
Organize the resources necessary for the project’s goals. DOT/FAA staff, along with outside experts, review the technology, data uses, and associated risks. They also develop the necessary redress systems and training programs.
Develop the policies, practices, and procedures. The privacy management team develops policy or policies, practices, and procedures to ensure compliance with fair information practices. The policies are designed to protect privacy effectively while allowing DOT/FAA to achieve its mission.
Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the FAA project.
Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.

Personally-Identifiable Information and FAA MedXPress

To handle airmen, air traffic controller, and other FAA employee medical certifications, FAA MedXPress requires the submission of personally identifiable information (PII) and non-PII data pertaining to applicants. For an individual to be included in the FAA MedXPress system, the applicant is required to electronically complete and submit the following PII:

Name;
Social Security Number;
Date of Birth;
Home Mailing Address;
Home Phone Number;
E-mail Address;
Medical History (this includes all medical history information, such as medications being taken and previous medical visits, that is supplied by the applicant and used by the AME to determine eligibility for a medical clearance).

Why FAA MedXPress Collects information

The FAA MedXPress system collects PII in order to provide the AME and FAA with the necessary information to determine whether an applicant should be approved for medical certification as a pilot, air traffic controller, or other covered FAA employee. To facilitate this process, FAA MedXPress collects information electronically for automated transfer to AMEs. In general, FAA MedXPress aids the airman and medical examiners in providing current, consistent and valid information for FAA to make more informed certification decisions.

How FAA MedXPress Uses Information

FAA MedExpress is used primarily as a tool to manage the flow of medical certification information. The information collected by FAA MedXPress is not used by any system, process, or individual until the applicant grants access permission to a selected AME by providing that AME with the confirmation number received from FAA after the application is submitted. After the AME has completed the medical examination, the information is sent to the FAA Legal Instrument Examiners at OAM/CAMI. The FAA Legal Instrument Examiners are the individuals within FAA responsible for approving medical certificates.

How FAA MedXPress Shares Information

FAA MedXPress shares information with the AMEs and those within the FAA (OAM/CAMI) responsible for tracking medical clearance information. When the applicant provides the electronic information to an AME via a confirmation number, the data are transferred by FAA MedXPress to the AMCS. As stated previously, the AME uses the AMCS to electronically complete the Form 8500-8 to be transmitted to the FAA. FAA MedXPress shares applicant data in accordance with the Privacy Act System of Records Notice DOT/FAA 847 - Aviation Records on Individuals.

How FAA MedXPress Provides Notice and Consent

For an individual’s PII to be included in FAA MedXPress, that individual must have applied for a medical certificate. Notice is provided to applicants through the applicable Privacy Act System of Records Notice, DOT/FAA 847 – Aviation Records on Individuals. In addition, the FAA MedXPress Web site provides notice to all applicants via a privacy policy that contains all the protections and advisories required by the E-Government Act, as well as terms of use documentation. Upon registering with and logging into FAA MedXPress, applicants are able to provide consent to the terms of use by checking an appropriate box and submitting a form.

How FAA MedXPress Ensures Data Accuracy

FAA MedXPress receives all data directly from the applicant. FAA MedXPress uses internal validation functionality to ensure that all required data fields have been completed on the form. It is the responsibility of the AME to ensure that all data submitted by the applicant are complete and correct. Applicants are able to modify their data; however, any modifications to the applicant’s submitted data must be manually updated on the printed form and initialed by the applicant.

How FAA MedXPress Provides Redress

As provided for by the Privacy Act System of Records notice DOT/FAA 847 - Aviation Records on Individuals, individuals with questions about privacy and FAA MedXPress, including the redress process, may contact FAA directly. The FAA MedXPress system resides at:

6500 S. McArthur Blvd.
CAMI Bldg. Room B-17A
Oklahoma City, OK 73169

The posted privacy policy on the FAA MedXPress Web site also provides contact information for FAA’s Privacy Officer.

How FAA MedXPress Secures Information

FAA MedXPress takes appropriate security measures to safeguard PII and other sensitive data. FAA MedXPress applies DOT security standards, including, but not limited to, routine scans and monitoring, back-up activities, and background security checks of those FAA employees and contractor employees who have access to the data.
The following electronic access safeguards are also in effect:

Minimum length of passwords is eight characters.
Passwords must be a combination of letters, numbers, and special characters.
Accounts are locked after a set number of incorrect attempts.
IP addresses are locked after a set number of attempts per hour.
User sessions expire after a set period of time.

FAA MedXPress uses Secure Socket Layer encryption and session tracking to ensure that applicant data submitted on-line and transmitted to the FAA remains secure. FAA MedXPress does not employ the use of persistent cookies.

FAA MedXPress users must apply for an account using a valid email address. Temporary passwords are sent to the address provided and expire upon first use. The FAA MedXPress application consists of an account creation and user authentication module, an electronic Form 8500-8 entry module, and an email notification module. All modules operate in succession by accessing the same security information. As stated above, FAA MedXPress uses session and IP address tracking to ensure that only the validated user will have access to data.

FAA MedXPress also ensures that the only AME given access to the information entered by the applicant is the AME who receives a confirmation number from the applicant.
In addition, access to FAA MedXPress PII is limited according to job function. FAA controls access privileges according to the following roles:

User;
Help Desk.

The following matrix describes the levels of access and safeguards around each of these roles as they pertain to PII.

ROLE	ACCESS	SAFEGUARDS
User	Account Request Form 8500-8 Data Entry View and Modify Account Information Request Password Reset	The following safeguards apply: System generated passwords expire upon initial use. Sessions are expired after a set period of time. Minimum length of passwords is eight characters. Passwords must be a combination of letters, numbers and special characters. Accounts are locked after a set number of incorrect attempts. Forgotten passwords are reset by random generator. Passwords my not be reused for 13 iterations.
Help Desk	Search Applicant by Username Reset Password View Login record View Last Medical Identifier (MID) number and Confirmation Number	The following safeguards also apply: System generated passwords expire upon initial use. Sessions automatically expire after a set period of time. Minimum length of passwords is eight characters. Passwords must be a combination of letters, numbers, and special characters. Accounts are locked after a set number of incorrect attempts. Forgotten passwords are reset by random generator. Passwords may only be reused after 13 iterations.

ROLE

ACCESS

SAFEGUARDS

User

Account Request
Form 8500-8 Data Entry
View and Modify Account Information
Request Password Reset

The following safeguards apply:

System generated passwords expire upon initial use.
Sessions are expired after a set period of time.
Minimum length of passwords is eight characters.
Passwords must be a combination of letters, numbers and special characters.
Accounts are locked after a set number of incorrect attempts.
Forgotten passwords are reset by random generator.
Passwords my not be reused for 13 iterations.

Help Desk

Search Applicant by Username
Reset Password
View Login record
View Last Medical Identifier (MID) number and Confirmation Number

The following safeguards also apply:

System generated passwords expire upon initial use.
Sessions automatically expire after a set period of time.
Minimum length of passwords is eight characters.
Passwords must be a combination of letters, numbers, and special characters.
Accounts are locked after a set number of incorrect attempts.
Forgotten passwords are reset by random generator.
Passwords may only be reused after 13 iterations.

How FAA MedXPress Retains Information

FAA MedXPress retains information for completed exams as required by law. Applications for medical certification that are collected by FAA MedXPress are deleted after 60 days under the following circumstances:

The applicant initiates an application for medical certification but does not submit a completed form.
The applicant submits a completed application form but does not undergo a physical exam by a designated AME.
The submitted exam is not imported into AMCS by a designated AME.

System of Records

FAA MedXPress is a system of records subject to the Privacy Act, because it is routinely searched by a unique identifier. This system is covered by System of Records Notice: DOT/FAA 847 - Aviation Records on Individuals.