DEPARTMENT OF TRANSPORTATION

Federal Railroad Administration

PRIVACY IMPACT ASSESSMENT

Controlled Correspondence Manager (CCM)

July 29, 2004


Table of Contents

Overview of Federal Railroad Administration (FRA) privacy management process for CCM
Personally identifiable information (PII) and CCM
Why CCM collects information
How CCM uses information
How CCM shares information
How CCM provides notice and consent
How CCM provides redress
How CCM secures information
System of records

Overview of Federal Railroad Administration (FRA) privacy management process for CCM

The Federal Railroad Administration (FRA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs. FRA is responsible for promulgating and enforcing rail safety regulations; administering railroad assistance programs; conducting research and development in support of improved railroad safety and national rail transportation policy; providing for the rehabilitation of Northeast Corridor rail passenger service; and consolidating government support of rail transportation activities.  The Controlled Correspondence Manager (CCM) system helps FRA fulfill this mission by providing automated assistance in tracking workflow. The CCM system provides FRA with the ability to track and control correspondence, Freedom of Information Act (FOIA) requests, complaints, waivers, one-time movements, and train horn quiet zones in a timely fashion.

Privacy management is an integral part of the CCM system. DOT/FRA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies. 

The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally.  The methodology is designed to help ensure that DOT and FRA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FRA to achieve its mission of protecting and enhancing a most important U.S. transportation system.  The methodology is based upon the following:

Personally identifiable information (PII) and CCM

The CCM system contains both PII and non-PII pertaining to correspondence, complaints, waivers, one-time movements, FOIA requests and train horn quiet zones. For an individual’s PII to be included in CCM, that individual must write directly to FRA, or another party must write on behalf of the individual. For example, CCM contains PII on an individual who sends a FOIA request to FRA. Alternatively, CCM also contains PII on a Congressional constituent when a Congressperson writes a letter on behalf of that constituent.

CCM may contain the following PII on members of the public: name, postal address, email address, phone number, title, position, organization, fax number, tax ID number, and Website URL.

Designated FRA employees and contractors have access to the CCM system, as managed by username and password. Therefore, CCM also contains names and passwords of designated FRA employees and associates those data with these individuals.

Why CCM collects information

FRA is committed to maintaining timely responses to correspondence and other types of requests. CCM allows FRA to track responses and workload associated with requests, as well as maintain records of correspondence. FRA uses PII in CCM to contact individuals requesting responses, track status on responses and work associated with requests, and maintain records on some types of requests, such as FOIA requests.

How CCM uses information

CCM uses PII solely for the purpose of tracking and responding to correspondence, waivers, one-time movements, etc. FRA does not disseminate the data to other agencies nor does it release the data to outside stakeholders, except as allowed by law.  

How CCM shares information

Only designated FRA employees and contractors have access to CCM data and then only as pertinent to their jobs and roles. At this time, FRA employees are granted access by one or more managers and are provided a password and logon, and a system administrator must load an application on that individual’s computer and assign him or her the appropriate privileges. In the future, CCM will become a Web-enabled system, accessed by designated FRA employees and contractors through an Intranet Website.

FRA does not share information with external agencies or other interested parties. All data that is contained within the CCM application is used for internal purposes only.

How CCM provides notice and consent

As a Privacy Act System of Records, CCM will provide notice of practices through its Privacy Act System of Records Notice. FRA does not use PII in CCM for any secondary purposes that might require consent.

How CCM ensures data accuracy

CCM receives PII directly from individuals contacting FRA through correspondence or requests, such as requests for waivers. Also, CCM receives PII from individuals sending correspondence on behalf of another individual. FRA data entry personnel may enter some PII into the CCM system and are responsible for the data accuracy. If FRA staff members become aware of inaccuracy in PII, FRA may contact the individual in question and correct the inaccuracy.

Under the provisions of the Privacy Act, individuals may request searches of the CCM file to determine if any records have been added that may pertain to them. This is accomplished by sending a written, notarized request that contains name and authentication information directly to the CCM System Manager. FRA does not allow public access to the information stored in CCM except as allowed by law.

How CCM provides redress

Under the provisions of the Privacy Act, individuals may contact the CCM system manager, as listed in the Privacy Act System of Records notice, with privacy questions and grievances.  

How CCM secures information

The CCM system resides in a secure facility accessible only by designated employees who have undergone a background check.

In addition, access to CCM PII is limited according to job function. FRA controls access privileges according to the following roles:

The following matrix describes the levels of access and safeguards around each of these roles as they pertain to PII. 

Role: Read Only

Access:

  • Read only of data pertinent to job role, restricted on a minimum necessary basis

Safeguards:

Read Only user must have network password, manager permission and system administrator set-up.

The following safeguards also apply:

  • Passwords expire after a set period.
  • Minimum length of passwords is eight characters.

Role: Routing

Access:

  • Read only of data pertinent to job role, restricted on a minimum necessary basis
  • Attach original letter or other supporting documents to the record
  • Can add routings to a record that indicate the status of the assigned task.

Safeguards:

Routing user must have network password, manager permission and system administrator set-up.

The following safeguards also apply:

  • Passwords expire after a set period.
  • Minimum length of passwords is eight characters.

Role: Data Entry

Access:

  • Read, create, modify, delete record; restricted on a minimum necessary basis

Safeguards:

Data Entry must have network password, manager permission and system administrator set-up.

The following safeguards also apply:

  • Passwords expire after a set period.
  • Minimum length of passwords is eight characters.

Role: Administrator

Access:

  • Read, create, modify, and delete all records.

Safeguards:

Data Entry must have network password, manager permission and system administrator set-up.

The following safeguards also apply:

  • Passwords expire after a set period.
  • Minimum length of passwords is eight characters.

System of records

CCM is a system of records subject to the Privacy Act because it is searched by name or other unique identifier. FRA is currently in the process of complying with the requirements of the Privacy Act, including posting a Privacy Act System of Records Notice. FRA has certified and accredited the security of CCM in accordance with DOT information technology security standard requirements.