Accessibility Skip to Top Navigation Skip to Main Content Home  |  Change Text Size  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  
magnifying glass
Advanced Search   Search Tips

RESX Web Based Travel System

 

Privacy Impact Assessment (PIA) – RESX Web Based Travel System

RESX System Overview

The RESX system software is operated by TRX Technology Services, 7557 Rambler Road, Suite 1300, Dallas, Texas 75231.  Travel reservation data is stored in a commercial reservation system SABRE.  The IRS contracted travel agent, SatoTravel, uses the reserved transportation data to fulfill ticketing services.  SatoTravel confirms the traveler’s reservations by e-mailing an itinerary, with the selected travel arrangements, to the traveler.  When ticketing is performed, SatoTravel e-mails an invoice with actual costs to the traveler for use in filing their travel voucher.  Both e-mails are sent through the traveler’s “IRS.gov” address.  The on-line service provides a Privacy Policy and Disclaimer statement which explains the information requested, why it is requested, what happens to it, and the employee's options if they choose not to provide it. 

The information in both e-mails is protected, as SatoTravel sends all e-mail to IRS.gov using a secure Virtual Private Network (VPN).  This was accomplished through Request for Information Services RIS #AWS-2-0007-A00 and Service Request SR #IN-02-088.  The VPN is located at SatoTravel, 511 Shaw Road, Sterling, Virginia 20166; but action is currently being taken to relocate the VPN to Navigant headquarters in Denver CO (TIRS-03562). 

System of Records Number(s)

OPM/Govt-1 General Personnel Records
Treasury/DO .002 Treasury Integrated Management Information System
Treasury/DO .009 Treasury Financial Management Systems
Treasury /IRS 34.037 IRS Audit Trail and Security Records System
Treasury/IRS 36.003 General Personnel and Payroll Records

Data in the System

1. Describe the information (data elements and fields) available in the system in the following categories:

A. Taxpayer
B. Employee
C. Audit Trail Information (including employee log-in info)
D. Other (Describe)

A.  There is no taxpayer data in the system.

B.  Employee data is voluntarily entered and consists of travel profile information. Traveler identifying elements are:  name, office address/phone/fax, e-mail address, business unit, budget office, home phone. 

C.  Airline flights, hotel, and car rental availability information is compiled and provided by SABRE.  The traveler makes their selection from the options presented in RESX.  Reservation elements are:  travel date and time, departure and arrival city, form of payment, seating/meal/rental car/hotel preferences, frequent flyer numbers, special accommodations.  To login, the traveler will enter the agency name, their login (same as TRAS), and password.

2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.

A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)

RESX will contain the same data elements as the old system FEDTRIP.  The existing FEDTRIP data elements will migrate to RESX intact.  With FEDTRIP, there was an initial upload of employee identifying elements from the IRS Travel Reimbursement and Accounting System (TRAS).  The employee’s name and login were captured in a flat file and then uploaded.  This ensured name consistency in both systems.  That was a one-time only action.  Users are added/deleted on RESX at the same time they are added/deleted on TRAS; accomplished through an FTP download from the IRS Charlotte Development Center (CDC) to TRX. 

There are no other sources of information other than from TRAS and the employee. This system will only be available to IRS business travelers.  No information will be collected from taxpayers or others. 

3.  Is each data item required for the business purpose of the system?  Explain.

All data is required in order to identify the traveler, fulfill the travel request, notify the traveler, and account for the expenses associated with travel.

4. How will each data item be verified for accuracy, timeliness, and completeness?

Since this information comes voluntarily from the traveler, it is presumed to be accurate, timely, and complete as entered.

5. Is there another source for the data?  Explain how that source is or is not used.

RESX uses no other source to secure the employee data.  There is no match with our personnel system.  Since this information comes voluntarily from the traveler, it is presumed to be reliable and no other source to verify the data is necessary.

6. Generally, how will data be retrieved by the user? 

IRS business travelers will access the RESX system through XXXXX XXXXX XXXXX XXXXX XXXXX XXXXX.  Their identifying profile elements will automatically transfer from FEDTRIP to their RESX profile.  The traveler can change their profile elements at any time.  The traveler will select their travel arrangements (transportation, lodging, and car rental) from direct on-line availability options.  The traveler retrieves their confirmed RESX reservation and ticketing data from SatoTravel through their e-mail account, which is secured by VPN.

7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier? 

As an option, the traveler can retrieve their RESX reservation and ticketing data on-line through SABRE Virtually There at https://www.virtuallythere.com .  They input their last name and their unique, one-time only, reservation code for a particular trip.  This system is outside the context of our PIA request.  The SABRE privacy policy is contained on that site. 

Access to the Data

8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?

The traveler and the system administrators will have access to RESX system data. 
SatoTravel and the airline/lodging/car rental providers will receive RESX system output to complete their reservation and ticketing actions.

9. How is access to the data by a user determined and by whom? 

AWSS Travel Security Administrators will have access to employee records for the purpose of adding or deleting users, resetting passwords, authorizing travel planners to make travel arrangements on another person’s behalf, or changing group profiles.

Service-wide administrator will have access to all users and group profiles.  They will initially build IRS travel policy guidelines in the company settings.

The user’s access is restricted to their individual travel profile and arrangements, and general non-personal reservation information.  The traveler can designate a “travel planner” to make their travel arrangements.

10. Do other IRS systems provide, receive, or share data in the system?  If YES, list the system(s) and describe which data is shared.  If NO, continue to Question 12.

No.  Currently, there are no IRS systems that provide, receive, or share data in the RESX system. 

Initially, as stated in question 2, the IRS system TRAS provided a file to upload travelers’ names and login to FEDTRIP during implementation in 2002.  This was merely to ensure name consistency. 

Recently, a TRAS file with travelers’ current office codes was uploaded to FEDTRIP to ensure the current code transferred to RESX.

11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?

FEDTRIP received a Privacy Certification 4/4/02

12.  Will other agencies provide, receive, or share data in any form with this system?  No. 

Administrative Controls of Data

13.  What are the procedures for eliminating the data at the end of the retention period?

Web content is updated by IRS or TRX system administrators, as needed, to reflect changes to IRS policy or industry standards.  E-mail content will be deleted by the traveler when no longer needed.  User/traveler profile data will be updated by the traveler, as needed and may be deleted by the traveler when no longer needed.

14.  Will this system use technology in a new way?  If "YES" describe.  If "NO" go to Question 15.  No.

15.  Will this system be used to identify or locate individuals or groups?  If so, describe the business purpose for this capability.  No.  

16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.  No.

17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently?  Explain.  No.

18.  Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?

No determinations of any kind are made by this system.

19.  If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?

No.  RESX does not use persistent cookies.  Earlier versions used session and/or transaction cookies to confirm identity and finalize travel arrangements for the employee.  In the release of version 1.2.26, the code was changed to remove those cookies from RESX.
 


Page Last Reviewed or Updated: December 10, 2004