DEPARTMENT OF TRANSPORTATION
Surface Transportation Board
PRIVACY IMPACT ASSESSMENT
Case Management System (CASE)
September 21, 2005
Table of Contents
Overview of the Surface Transportation Board (STB) privacy management process for CASE
Personally-identifiable (PII) information and CASE
Why CASE collects information
How CASE uses information
How CASE shares information
How CASE provides notice and consent
How CASE ensures data accuracy
How CASE provides redress
How CASE secures information
How long CASE retains information
System of records
The Surface Transportation Board (STB) is an economic regulatory agency that Congress charged with the fundamental missions of resolving railroad rate and service disputes and reviewing proposed railroad mergers. The STB serves as both an adjudicatory and a regulatory body. The agency has jurisdiction over railroad rate and service issues and rail restructuring transactions (mergers, line sales, line construction, and line abandonments); certain trucking company, moving van, and non-contiguous ocean shipping company rate matters; certain intercity passenger bus company structure, financial, and operational matters; and rates and services of certain pipelines not regulated by the Federal Energy Regulatory Commission.
One set of activities that supports this mission is to hear and decide application and petition cases referred to as “dockets”. The Case Management System (CASE) helps STB manage the flow of dockets brought before STB. To do this, CASE records and tracks:
- A filed application or petition, including information on who filed the application or petition, when it was filed, and to whom the case is assigned.
- Statutory and internal deadlines for processing.
- Pertinent filings in each docket.
- All other decisions and notices of the STB in each docket.
In addition, CASE allows STB to meet requirements to display through a public Web site information on applicants, petitioners, and other parties to a docket, as well as the filings, decisions, and notices in the docket and correspondence related to environmental issues.
Privacy management is an integral part of the CASE system. DOT/STB has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies. In addition, the CASE planning team includes participation by STB’s Privacy Officer. This individual is assisting the CASE team to consider all the fair information practices and applicable laws when making decisions that may affect privacy.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that the Department of Transportation (DOT) and STB will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing STB to achieve its mission of regulating and enhancing a most important U.S. transportation system. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. Interviewing key individuals involved in the CASE system to ensure that privacy risks are identified and documented.
- Organize the resources necessary for the project’s goals. Internal DOT/STB resources, along with outside experts, review the technology, data uses, and associated risks. They also develop the necessary procedures and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing DOT/STB to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the STB project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect the current work environment. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves developing and implementing effective redress procedures and audit systems to ensure that complaints are effectively addressed and corrections made when necessary.
CASE collects and maintains personal information of all persons who file applications, petitions and other filings in a docket, which may include name, email address, postal address, affiliation/group or person or persons represented, phone number, and in some cases Bar number of attorneys. In order to make an initial filing in a docket, an individual must provide, along with the filing, the above information and either fax (faxes must be followed up by delivery of the originals), mail, or hand deliver the hard copy to STB, along with payment for the filing, if applicable. At that point, CASE data entry staff enters the data into CASE.
For all filings other than the initial filing, commenters and parties to a docket may register online through STB’s public Web site and submit their comments and filings electronically. Alternatively, if the commenters and parties prefer, filings and comments subsequent to the initial filing may be presented to the STB by mail or in person. All submitters must provide the same personal information, which is stored and accessed through CASE. In addition, the submitter, if filing electronically, must create a user name and password to access information and submit filings. CASE maintains these passwords and IDs, and it associates this information with the individual in question.
For an individual’s PII to be included in CASE, that individual must be involved in a docket before STB. When an individual chooses to become part of this process, his or her personal information is considered public information and is shared within and outside of STB without additional authorization.
STB has responsibility for handling the docket process in a way dictated by federal regulations. CASE collects personal information from parties involved in a docket in order to:
- Contact individuals with questions pertaining to a docket.
- Allow all docket participants to be able to contact one another and access the information in the docket.
How CASE uses information
STB staff assigned to a docket may use CASE to track and record docket activities, contact parties and their representatives, review information, and make public all necessary information.
Most of the PII in CASE is considered public information, and it is posted publicly on the STB Web site without restriction. In addition, STB provides public information related to cases to the public for a fee, on request and without restriction to use. The information may contain PII.
The section of the STB Web site associated with CASE provides a link to a privacy policy that describes STB’s privacy practices. In addition, before an individual submits PII through a hard copy or online form, STB provides an explanation and warning that all personal data entered is considered public and may be shared without restriction with both public and private third parties, for both primary and secondary purposes.
Personal information contained in CASE is provided by the individual in question. After PII is posted on the public Web site, any individual can view the personal data. If there are inaccuracies in the data, the individual can call or email the STB’s Privacy Officer to request a change. Information on how to request changes to personal information is located on the STB Web page under FAQs/Administrative Inquiries/How do I report an error in the information displayed. An email may be sent directly to the STB Privacy Officer by choosing e-Filing/Information Quality Comments.
Under the Privacy Act, individuals may request searches of CASE data to determine if any records have been added that may pertain to them. This is accomplished by sending a written notarized request directly to the responsible CASE staff member(s) that contains name, designee number, and information regarding the request.
As provided for by the applicable System of Records notice under the Privacy Act, individuals with questions about CASE and Web privacy practices can contact STB’s Privacy Officer. Contact information for STB’s Privacy Officer is posted on the STB privacy policy.
How CASE secures information
CASE takes appropriate security measures to safeguard PII and other sensitive data. CASE applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of STB employees and contractors.
In addition, access to logon and password information in CASE is limited to STB staff. These staff members access the CASE databases with the following safeguards:
- Passwords expire after a set period.
- Accounts are locked after a set period of inactivity.
- Minimum length of passwords is eight characters.
- Passwords must be a combination of letters and numbers.
- Accounts are locked after a set number of incorrect access attempts.
In order to provide historical information trends and in compliance with its Privacy Act System of Records notice, CASE keeps data permanently.
CASE is part of an existing system of records, ICC-V: Case Status System (Formal Case Control) subject to the Privacy Act, because it can be searched by name.
STB has certified and accredited the security of CASE in accordance with DOT standard requirements.