FHWA

DEPARTMENT OF TRANSPORTATION

Federal Highway Administration

PRIVACY IMPACT ASSESSMENT

User Profile and Access Control System (UPACS)

August 12, 2004


Table of Contents

Overview of Federal Highway Administration (FHWA) privacy management process for UPACS
Personally-identifiable information and UPACS
Why UPACS collects information
How UPACS uses information
How UPACS shares information
How UPACS provides notice and consent
How UPACS ensures data accuracy
How UPACS provides redress
How UPACS secures information
System of records

Overview of Federal Highway Administration (FHWA) privacy management process for UPACS

Federal Highway Administration (FHWA), within the Department of Transportation (DOT), has been given the responsibility of enhancing the highway movement of people and goods, while also ensuring the safety of the traveling public, promoting the efficiency of the transportation system, and protecting the environment.[1]  To meet these goals, FHWA maintains effective communication with other federal agencies, state and local organizations, and members of Congress. With security always foremost in mind, as FHWA has automated much of this information sharing it has also implemented strict safeguards to protect against unauthorized or unintentional information exchange. The User Profile and Access Control System (UPACS) is one tool that helps FHWA accomplish this.

UPACS is a Web-enabled system designed to set and manage appropriate access to various FHWA systems, as well as detect unauthorized access. To do this, UPACS maintains a record of permissions, contact information, and other related data on each user that FHWA has determined requires access to one or more FHWA systems. When a user attempts to access an FHWA system, UPACS interfaces with the system in question, exchanging the data that system needs to permit or refuse access. UPACS logs also record access attempts, giving FHWA the information it needs to monitor system usage adequately and identify possible unauthorized access incidents or security breaches. Additionally, in an effort to reduce data duplication with other systems, FHWA uses UPACS data to print telephone lists and to provide other data in accordance with predefined and acceptable uses outside of access control. With UPACS, FHWA can strike an effective balance between efficient information sharing and adequate security.

Privacy management is an integral part of the UPACS project. DOT/FHWA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and established methodologies.

The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally.  The methodology is designed to help ensure that DOT and FHWA will have the information, tools, and technology necessary to effectively manage privacy and employ the highest level of fair information practices while allowing FHWA to achieve its mission of protecting and enhancing a most important U.S. transportation system.  The methodology is based upon the following:

Personally-identifiable information (PII) and UPACS

The UPACS system uses both non-PII and PII for each individual who requires access to a FHWA system. As a result, UPACS contains PII on federal government employees and contractors, state and local employees and contractors, and a limited number of Congressional staff who also require access to one or more systems. Using the UPACS Web interface, users may:

Why UPACS collects information

UPACS collects PII in order to identify users with access to FHWA systems. UPACS must collect PII in order to appropriately grant or refuse access to various systems, contact users with access questions, as well as identify breaches and correct security deficiencies. 

How UPACS uses information

FHWA uses PII within UPACS to identify user access to systems, set access permissions, monitor access, and contact users with questions and concerns. FHWA may also use some PII, such as telephone numbers of federal government employees and contractors, to publish telephone lists. If a user no longer requires access to any FHWA system, he or she is deleted from the UPACS database. At that point, only log files of access remain that may include information on that user.

How UPACS shares information

UPACS shares PII with approximately 20 systems in order to manage access. All systems linking with UPACS receive data on the user’s name, ID, password, PIN, organization, and access rights. Some systems also receive additional UPACS data on individuals. Data sharing occurs only in pre-determined ways, based on system purpose, structure, and necessity. FHWA also publishes telephone lists for FHWA employees and contractors; these include name, telephone number, and information on hearing impairment needs for some employees and contractors. FHWA uses UPACS data to publish these telephone lists. FHWA does not share UPACS PII in any other way, except as required by law.

How UPACS provides notice and consent

The UPACS system provides visible links to a Privacy Policy that describes privacy practices and information uses. In the future, UPACS may provide links to Web sites outside of DOT/FHWA. In these cases, UPACS will provide a pop-up window that informs a user that he or she is leaving the site and that different privacy practices may apply.

On registration with the system, and again annually, users must read and agree to Terms and Conditions of Use, in which UPACS monitoring and possible consequences are described.

How UPACS ensures data accuracy

Users access their own PII through the UPACS Web site, which authenticates them with the user-provided online ID and password. Users may also change their PII at any time, with the exception of social security number. Users may not access or change any log files or other monitoring-related information.

In addition, UPACS Administrators have overview responsibility to ensure routinely that user information is timely and accurate. There are processes and procedures in place to monitor and remind UPACS administrators of their responsibilities.  

How UPACS provides redress

At any time, a user may contact an FHWA privacy representative through the public Web site to ask privacy-related questions. This contact information is provided in the Privacy Policy, posted visibly on the Web site.

How UPACS secures information

The UPACS system is housed in the NASSIF (DOT Headquarters) building and is run by contractors. Physical access to the UPACS system is limited to appropriate personnel through building key cards and room-access key pads. Personnel with physical access have all undergone and passed security checks.

In addition to physical access, electronic access to PII in UPACS is limited according to job function. FHWA controls access privileges according to the following roles:

The following matrix describes the privileges and safeguards around each of these roles as they pertain to PII.

ROLE: User
ACCESS:
  • Creates own profile
  • Accesses and changes own profile information
  • Changes own password
SAFEGUARDS: User-set email and password, subject to the password safeguards listed below.

ROLE: System Owner
ACCESS:
  • Views PII as needed
  • Requests rights for individuals
SAFEGUARDS: System Owners are set up in this role by Super Administrators; the password safeguards listed below apply.

ROLE: System Sponsor
ACCESS: Views PII and approves a user’s access designations.
SAFEGUARDS: System Sponsors are set up in this role by Super Administrators; the password safeguards listed below apply.

ROLE: Administrator
ACCESS: Views and approves a user’s access designation. Can create profiles and IDs.
SAFEGUARDS: Administrators are set up in this role by Super Administrators; the password safeguards listed below apply.

ROLE: Super Administrator
ACCESS: Views all information, creates reports, and changes all information as needed. Contacts individuals as needed regarding issues and questions.
SAFEGUARDS: The password safeguards listed below apply.

Password safeguards (applied to every role):

  • Passwords expire after a set period.
  • Accounts are locked after a set period of inactivity.
  • Minimum length of passwords is eight characters.
  • Passwords must be a combination of letters and numbers.
  • Accounts are locked after a set number of incorrect attempts.
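The five password safeguards above, implemented end to end as an added example. This is not UPACS code and not FHWA's configuration: the page states the eight-character minimum and the letters-plus-numbers rule but gives no values for the "set period" or "set number" thresholds, so the expiry, inactivity and lockout values below are assumptions, as are the function and account names. The example also shows the order in which the checks have to run (lock state first, then inactivity, then the password, then expiry) so that a locked or dormant account can never be revived by a correct password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values. The page states the eight-character minimum and the
# letters-plus-numbers rule; every "set period" / "set number" below is an
# assumption for illustration, not FHWA's configured value.
MIN_LENGTH = 8
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed password expiry period
INACTIVITY_LIMIT = timedelta(days=45)   # assumed inactivity lockout period
MAX_FAILED_ATTEMPTS = 5                 # assumed incorrect-attempt threshold


def password_meets_policy(pw: str) -> bool:
    """At least eight characters and a combination of letters and digits."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the stored verifier is not the password."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    password_set: datetime    # when the current password was set
    last_activity: datetime   # last successful login
    failed_attempts: int = 0
    locked: bool = False


def create_account(user_id: str, password: str, now: datetime) -> Account:
    if not password_meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt), now, now)


def change_password(acct: Account, new_password: str, now: datetime) -> bool:
    """Re-salt and re-hash; resets the expiry clock. False if policy fails."""
    if not password_meets_policy(new_password):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.password_set = now
    return True


def authenticate(acct: Account, supplied: str, now: datetime) -> str:
    """Apply the safeguards in order.
    Returns 'locked', 'bad-password', 'expired' (authenticated but must
    change password) or 'ok'."""
    if acct.locked:
        return "locked"
    if now - acct.last_activity > INACTIVITY_LIMIT:
        acct.locked = True            # dormant account: lock before checking password
        return "locked"
    if not hmac.compare_digest(hash_password(supplied, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "bad-password"
    acct.failed_attempts = 0          # a good login resets the counter
    acct.last_activity = now
    if now - acct.password_set > PASSWORD_MAX_AGE:
        return "expired"
    return "ok"


def demo() -> dict:
    """Constructed scenario exercising each outcome (hypothetical users)."""
    t0 = datetime(2004, 8, 12)
    day1 = t0 + timedelta(days=1)
    results = {}
    acct = create_account("jdoe", "Highway2004", t0)
    results["good"] = authenticate(acct, "Highway2004", day1)
    for _ in range(MAX_FAILED_ATTEMPTS - 1):
        authenticate(acct, "wrong-guess1", day1)
    results["fifth_wrong"] = authenticate(acct, "wrong-guess1", day1)
    results["after_lock"] = authenticate(acct, "Highway2004", day1)
    stale = create_account("asmith", "Bridge1956", t0)
    results["stale"] = authenticate(stale, "Bridge1956", t0 + INACTIVITY_LIMIT + timedelta(days=1))
    old = create_account("bjones", "Route66pass", t0)
    old.last_activity = t0 + PASSWORD_MAX_AGE   # recently active, but password is 91 days old
    results["expired"] = authenticate(old, "Route66pass", t0 + PASSWORD_MAX_AGE + timedelta(days=1))
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter beyond the bullet list. The inactivity check runs before the password check, so a dormant account is locked whether or not the caller knows the password; and the failed-attempt counter is reset only by a successful login, so slow guessing across sessions still accumulates toward the lockout threshold.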

Personnel with UPACS access beyond the User role receive tool training that includes some privacy direction. All users receive customized Terms and Conditions of Use and/or Rules of Behavior that describe privacy responsibilities.

System of records

UPACS is a system covered under the Privacy Act of 1974, as it is searched by name and unique identifier. FHWA is currently going through the process to document and protect the system according to Privacy Act requirements. FHWA has certified and accredited UPACS according to DOT requirements.  


[1] Fiscal 2003 Performance Plan; http://www.fhwa.dot.gov/reports/2003plan/index.htm