August 20, 2004
Table of Contents
Overview of Office of Inspector General (OIG) privacy management process for TIGR
Personally Identifiable Information (PII) and TIGR
Why TIGR collects information
How TIGR uses information
How TIGR shares information
How TIGR provides notice and consent
How TIGR ensures data accuracy
How TIGR provides redress
How TIGR secures information
System of records
The Office of Inspector General (OIG) within the Department of Transportation (DOT) has been given the responsibility to promote efficiency and effectiveness and to prevent and detect waste and abuse in departmental programs and operations. OIG does this through audits and investigations. OIG also consults with the Congress about programs in progress and proposed new laws and regulations.
The Inspector General Act of 1978 established the Office of Inspector General as an independent entity within the Department. This Act prohibits agency officials from interfering with audits or investigations. However, much of OIG's most significant work is accomplished with the cooperation of the officials whose programs are being reviewed.
One of the systems that helps OIG fulfill this mission is the Transportation Inspector General Reporting System (TIGR). This system allows OIG to maintain and manage pertinent records on many OIG activities, including:
Though TIGR has been in existence for more than 10 years, recent improvements have made the system Web-enabled. However, TIGR remains accessible only to OIG employees and contractors through an Intranet Website.
Privacy management is an integral part of the TIGR system. DOT/OIG has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and OIG will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing OIG to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:
OIG is responsible for conducting fair and accurate investigations. This process requires the gathering of information, some of which may be personal information. OIG uses this PII to ensure that individuals are correctly identified, contact individuals in the course of an investigation, track investigation processes, and make decisions.
OIG also uses TIGR to manage data on basic OIG operations, as well as internal audits and investigations. Therefore, TIGR may use PII on Federal government employees and contractors, including OIG employees and contractors, to track time, manage travel and expenses, and conduct internal audits and investigations.
In addition, TIGR supports restricted access functionality to all parts of the system. Therefore, TIGR contains usernames and passwords for OIG employees and associates those data with individuals accessing TIGR.
TIGR is primarily used as an internal tool to collect and manage data involved in OIG activities. OIG uses PII in TIGR only for these primary purposes, except as may be authorized by law.
In some cases, OIG may need to share some information in TIGR within OIG, or perhaps with other government agencies, such as law enforcement. Policies detailed in OIG’s Operating Procedures Manual define routine data sharing protocols, security, and authorized uses. OIG does not share PII from TIGR outside of the Federal government, except as may be authorized by law.
For a member of the public’s PII to be in TIGR, he or she must be somehow associated with an investigation. In some cases, an individual will know of the investigation and his or her involvement, and in other cases, not.
Notice is provided through the applicable Privacy Act System of Records notice, DOT/OST 101 - Inspector General Reporting System, TIGR.
OIG employees and contractors with approved access to TIGR provide PII associated with their login and password to the system. In these cases, OIG staff members must read a notice and disclosure statement on logging in that describes obligations and privacy protections.
As provided for by the System of Records notice under the Privacy Act, individuals with questions about privacy and TIGR may contact the TIGR System Manager. In addition, privacy concerns can be directed to OIG’s Privacy Officer. The OIG privacy policy provides contact information for the Privacy Officer at: http://www.oig.dot.gov:8080/privacy.jsp
TIGR takes appropriate security measures to safeguard PII and other sensitive data. TIGR applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of OIG employees and contractors.
In addition, OIG access to TIGR PII is limited according to job function. There is a formal approval process that must occur, in which one or more managers approve an individual’s TIGR access, before that access is granted. OIG controls access privileges according to the “minimum necessary” rule.
The following access safeguards are also implemented:
OIG has certified and accredited the security of TIGR in accordance with DOT information technology security standard requirements.