Privacy Impact Assessment

for

Query Central (QC),
Automated Commercial Environment (ACE) and
International Trade Data System (ITDS)

September 24, 2007

Point of Contact:
Janet Curtis
Office of Research and Information Technology, IT Development Division
Federal Motor Carrier Safety Administration
(202) 493-0458

Reviewing Official
Habib Azarsina
Acting Departmental Privacy Officer, U.S. Department of Transportation
(202) 366-1965

Introduction

The Federal Motor Carrier Safety Administration (FMCSA) of the U.S. Department of Transportation (DOT) is participating in the U.S. Customs and Border Protection’s (CBP’s) Automated Commercial Environment (ACE) program. ACE is a multi-year effort to update CBP’s information systems. This effort began in 2001 and ACE will replace CBP’s twenty plus year old trade information database, Automated Commercial System (ACS). The purposes of ACE are: (1) to streamline business processes; (2) to facilitate growth in trade; (3) to ensure cargo security; (4) to provide means to combat terrorism through monitoring what materials and which persons enter and leave the country; and (5) to foster participation in global commerce, while ensuring compliance with U.S. laws and regulations.

To build upon existing infrastructure, ACE will use the International Trade Data System (ITDS) to share electronic international trade and transportation data with Participating Government Agencies (PGAs), such as FMCSA. ITDS provides the Federal government with a secure, integrated, government-wide interface for disseminating and using such international trade and transportation data. Through the ACE-ITDS interface, FMCSA will receive necessary commercial motor carrier information which consists of company information, driver information and vehicle information for all commercial motor carriers crossing the border. By using Query Central (QC), FMCSA will in turn verify carrier information against certain information systems. Together, this process is called the QC- ACE/ITDS process.

The QC-ACE/ITDS process begins when a commercial motor carrier electronically submits his/her manifest (“the e-manifest”) to CBP. The manifest will include information on the driver, the company, including its DOT number and vehicle information, such as Vehicle Identification Number (VIN). The driver information will include: (1) the driver’s name; (2) the driver’s date of birth; and (3) the driver’s Commercial Driver’s License number (CDL). This driver information, collectively, qualifies as Personal Identifying Information (PII).

All FMCSA required commercial motor carrier information will be entered into the CBP’s ACE program from the e-manifest. ACE sends the information into the ITDS, which is again a large database that contains several kinds of information on motor carriers. FMCSA has an interest in knowing and applying the commercial motor carrier information found in ITDS. Conversely, CBP has an interest in knowing whether its commercial motor carrier ITDS information matches FMCSA information on that same carrier. Using ACE, CBP will accordingly pass the ITDS commercial motor carrier information, which includes the driver PII, to FMCSA.

When FMCSA receives the ITDS information from ACE on the commercial motor carrier -including the driver PII- FMCSA, using QC, will simultaneously send this information to multiple FMCSA databases for verification. When QC gets the response from the multiple FMCSA databases, QC will send the response – via ACE/ITDS again – back to CBP. CBP then use FMCSA’s response concerning the specific commercial motor carrier to make its own mission-oriented decisions about the carrier. Conversely, FMCSA uses the ACE/ITDS information contained in the CBP query regarding the commercial motor carrier to make FMCSA decisions on the commercial motor carrier.
As a PGA, FMCSA will enter into a Memorandum of Understanding (MOU) with CBP regarding the access and appropriate use of information in the QC-ACE/ITDS process. Prior to signing the MOU, CBP and FMCSA agreed to complete a Privacy Impact Assessment (PIA) of their respective systems involved in the QC-ACE/ITDS system. CBP completed its PIA of ACE, which can be found at www.dhs.gov/xinfoshare/publications/editorial_0511.shtm. This document represents FMCSA’s PIA of QC, the system that receives the information from ACE/ITDS.

The QC PIA primarily focuses on FMCSA’s privacy management issues of QC. The QC PIA provides an overview of FMCSA privacy management process of QC; and addresses the following issues of QC, using a question and answer format: (1) data scope and purpose; (2) data modification/redress; (3) access; (4) maintenance and administrative control; (5) decision analysis; and (6) privacy risk analysis. Although CBP completed its PIA regarding ACE, the QC PIA focuses on the information gathered through ACE and shared with QC through the ITDS interface.

Overview of FMCSA privacy management process for QC

FMCSA has been given the responsibility to reduce crashes, injuries, and fatalities involving large trucks and buses. In carrying out its safety mandate, FMCSA:

• develops and enforces data-driven regulations that balance motor carrier (truck and bus companies) safety with industry efficiency;
• harnesses safety information systems to focus on higher risk carriers in enforcing the safety regulations; and
• targets educational messages to carriers, commercial drivers, and the public.

QC serves as one tool that assists FMCSA in achieving these agency objectives. Specifically, QC is an FMCSA intelligent query system designed to dramatically increase access to motor carrier safety information for State and Federal law enforcement personnel. QC is a web-based application that retrieves safety compliance and enforcement data on commercial motor vehicle drivers, vehicles, and carriers from multiple sources using a single input. The response data is analyzed and summarized before being presented in the end user's browser (see attached diagram). Sources of data for FMCSA’s QC system in the QC-ACE/ITDS process include:

• The Motor Carrier Management Information System (MCMIS), an FMCSA system that uses Oracle database with a web front-end access (http://mcmis.fmcsa.dot.gov/). It is a source for FMCSA inspection, crash, compliance, review, safety audit, and registration data. MCMIS is an existing DOT Privacy Act System of Records. For more information, refer to the MCMIS PIA (available on the DOT website at http://www.dot.gov/pia/fmcsa_mcmis.htm) and the MCMIS System of Records Notice (SORN) (published December 29, 2000 in the Federal Register (citation 65 FR 83124)). In the QC-ACE/ITDS process, MCMIS is used to verify carrier information. However, privacy-related information on drivers is not verified against MCMIS.
• The Commercial Drivers’ License Information System (CDLIS), which was created to fulfill a requirement under the Commercial Motor Vehicle Safety Act (CMVSA) of 1986 and has been in full operation since April 1992. It serves as a clearinghouse that each of the 51 jurisdictions (the 50 states and the District of Columbia) can check before issuing a commercial driver's license (CDL). CDLIS helps to ensure that only one license or CDL is issued to each driver nationwide. It also ensures that all convictions are reported to the licensing state and made part of the driver's record. The driver information on CDLIS is wholly maintained by the States and thus is not a DOT Privacy Act System of Records (CDLIS Notice of Policy, 70 FR 2454-03 (Jan. 13, 2005). Pursuant to the CDLIS Modernization Plan, grant agreements, and an operational agreement, CDLIS will comply with Federal technology security requirements as set forth in the Federal Information Security Management Act (FISMA). In the QC-ACE/ITDS process, CDLIS is used to verify driver information, including PII.
• The Safety and Fitness Electronic Records (SAFER), is an FMCSA system, which is currently an integral communication link for most FMCSA data transfers. SAFER consists of a web site (http://safer.fmcsa.dot.gov) that displays carrier information available to the public, a store and forward mailbox system, secondary databases, and communication links. It handles user queries, database refreshes and inbound data transfers. SAFER is not a system of records and does contain PII information. In the QC-ACE/ITDS process, SAFER is used to verify vehicle information.
• The Licensing and Insurance (L&I) system is an FMCSA system which is a client-server and web-based application (http://li-public.fmcsa.dot.gov/) with both public and private access. L&I is part of the operating authority process. It is used to enter and display licensing and insurance information regarding authorized for-hire motor carriers, freight forwarders, and property brokers. It is the authoritative source for FMCSA licensing and insurance data. L&I is not a system of record and does not contain any PII information. In the QC-ACE/ITDS process, L&I is used to verify whether a carrier has operating authority and sufficient insurance.
• The FMCSA Performance and Registration Information Systems Management (PRISM) program ties vehicle registration to the safety of the commercial vehicle company responsible for the vehicle(s). PRISM includes two major processes – the Commercial Vehicle Registration Process and the Motor Carrier Safety Improvement Process. The MCMIS database is the authoritative source for the PRISM carrier census data. Data is sent from the MCMIS database to the FMCSA SAFER/PRISM database on a daily basis. The safety information from the SAFER/PRISM database is used by the states for vehicle registration to tie a vehicle to the responsible carrier. The PRISM program is not a system of record and does not contain any PII information. In the QC-ACE/ITDS process, PRISM is used to verify vehicle registration.
• SCT (Secretaria de Comunicaciones y Transportes) and LIFIS (Licencia Federal Information System) contain Mexican carrier and driver information and are not DOT Systems of Records because they are maintained by Mexico. These systems do contain PII information. In the QC-ACE/ITDS process, SCT and LIFIS are used to verify driver and carrier information regarding Mexican companies and vehicles.

In order to participate in ITDS, QC receives messages from ACE and uses the data elements contained in the message to validate the information against several FMCSA information systems. In turn, QC responds to the inquiry from ACE with a predefined set of response or error messages.

Section One: Data Scope and Purpose

1.1 What information is to be collected by QC?

Generally, QC does not act as a repository of information; rather, QC acts as an interface between an end user and several other FMCSA managed information systems. For example when an end user uses QC to inquire about the status of a motor carrier’s operating authority, QC queries FMCSA’s Licensing and Insurance (L&I) information system to retrieve the results. Similarly, the data used to analyze and respond to inquiries about CDLs originate in State-owned and administered databases.

The ACE system database includes manifest information with specific details regarding the trip, conveyance, equipment, driver, and shipments related to a commercial land border crossing. A truck manifest is made up of four parts: the driver, conveyance, equipment, and shipments. This information is collected from the e-Manifest submitted by the carriers or their agent to CBP. Subsequently, the data elements pertinent to FMCSA are verified using QC which will interface with other FMCSA information systems. The following individual information is transmitted from ACE to QC:

Conveyance

1) License plate on the vehicle and trailer
2) State of issuance
3) County of issuance
4) VIN (Vehicle Identification Number)

Driver

1) Name of the driver of the conveyance (truck) *
2) Date of birth of the driver*
3) Commercial Driver’s License (CDL)/driver's license number*
4) CDL/driver’s license state/province of issuance for the driver
5) CDL country of issuance for the driver and
6) Hazmat endorsement for the driver.

* These elements are considered PII information

Motor Carrier

1) DOT number

CBP and PGA Employees

None

1.2 Why is the information being collected? Is it relevant and necessary for the purpose of QC-ACE/ITDS?

The e-Manifest information that is collected from ACE will allow FMCSA to better accomplish its mission to reduce crashes, injuries, and fatalities involving large trucks and buses. The e-manifest will assist FMCSA by providing timely information to allow for the screening of incoming motor carriers, commercial motor vehicles (conveyances) and drivers for motor carrier safety and vehicle safety issues. In addition, the information collected will increase efficiency and security of commercial vehicle inspections at the international borders.

1.3 What is the intended use of the information?

FMCSA will use the information on e-Manifests to assist in screening motor carriers, commercial motor vehicles and their drivers for motor carrier and vehicle safety issues and inspections. Using QC, FMCSA will screen certain e-Manifest data elements and return response and error messages to ACE and State and Federal commercial vehicle enforcement personnel.

1.4 What are the sources of the information for QC in the QC-ACE/ITDS process? Where and how are you acquiring the information?

The account holder to the ACE system submits personal information about the carrier’s driver, the carrier and the carrier’s vehicles when creating an account in ACE, or when submitting a manifest on a transactional basis (each time the truck crosses the border). In turn, ACE will transmit a message to QC requesting validation of certain data elements (i.e., driver information, vehicle information and DOT number).

1.5 Will QC derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No. QC will merely generate a message stating that the information provided to ACE via the e-Manifest is valid or invalid. This is similar to a red light, green light type of notice.

1.6 Will the newly derived data be placed on the individual’s record?

No. The response message or error message generated by QC will not be placed on the individual’s record.

1.7 Can QC make new determinations about an individual that were previously not possible without the new data?

Yes. QC is able to determine whether the information provided by ACE/ITDS is consistent with information located on FMCSA systems, CDLIS, SCT, and LIFIS. The QC-ACE/ITDS process allows a State or Federal commercial vehicle inspector to make the appropriate determinations about whether a motor carrier, vehicle or driver is in violation of the FMCSA safety regulations.

1.8 How will the newly derived data be verified for relevance and accuracy?

The data is derived from the e-manifest that is stored in ACE. Additional information on how the data is verified for relevance and accuracy can be found at www.dhs.gov/xinfoshare/publications/editorial_0511.shtm.

1.9 Are the data elements described in detail and documented? If yes, what is the name of the document?

The data elements are described in detail in the Interface Control Documents, the Multi-Modal Manifest Data Elements Matrix, and the Logical Data Model. Separately, the data elements were also published in the Federal Register at 70 FR 13514 on March 21, 2005.

Section Two: Data Modifications/Redress

2.1 What opportunities do individuals have to decline providing information in the QC-ACE/ITDS process?

In the QC-ACE/ITDS process, information is not provided directly to QC. Rather, the information is provided to CBP and stored in ACE. Affected individuals have an opportunity to decline to provide the information to FMCSA only to the extent that the individuals have the right to decline to provide information to CBP. By participating in ACE, a motor carrier agrees to provide information concerning individual drivers, the company, and its commercial motor vehicles to CBP. CBP has strongly recommended to the motor carrier that it discloses to employees and contractors any information provided to ACE that relates to those individuals.

Additional information regarding an individual’s opportunity to decline providing information to ACE can be found at www.dhs.gov/xinfoshare/publications/editorial_0511.shtm.

2.2 What opportunities do individuals have to consent to particular uses of the information in the QC-ACE/ITDS process?

There are no opportunities for affected individuals to consent to particular uses of information, unless they choose not to cross the borders into the United States. Additional information regarding an individual’s opportunity to consent to particular uses of information may be found at www.dhs.gov/xinfoshare/publications/editorial_0511.shtm.

2.3 How do individuals grant consent concerning how their information will be used or shared in the QC-ACE/ITDS process?

Since the program and the requirement to file a Customs Declaration and e-Manifest are mandatory, affected individuals do not have the opportunity to grant consent concerning how their information will be used or shared. Once an affected individual’s information is provided by the individual or the carrier who employs the individual, it is used to fulfill CBP’s and FMCSA’s statutory and regulatory mandates. FMCSA will use the information to fulfill its statutory and regulatory mandates as provided for within the terms of a Memorandum of Understanding (MOU) executed by both CBP and FMCSA. FMCSA and CBP are equally obligated to protect individual privacy rights.

What are the procedures for correcting erroneous information on QC?

A motor carrier can request correction of erroneous information by using FMCSA’s DataQs information system (https://dataqs.fmcsa.dot.gov/login.asp). The DataQs system is an electronic means for filing concerns about Federal and State data released to the public by FMCSA. Through this system, data concerns are automatically forwarded to the appropriate office for resolution. The system also allows filers to monitor the status of each filing.

Section Three: Data Access

3.1 Who will have access to QC (Users, Managers, System Administrators, Developers, Others) and is it documented?

State and Federal commercial vehicle safety personnel in the course of their assigned duties will use QC. System Administrators and Developers will have access to QC as required by their positions. QC will not gain any new users as a result of FMCSA’s participation in ACE.

3.2 How will access to QC by a user be determined?

Data access is determined by permission levels. Users have certain rights based on account type. Users entering QC are required to authenticate with a unique identification and password. System security policy guidelines provide for the creation of secure passwords.

Section Four: Maintenance & Administrative Control

4.1 Is the QC system security consistent with agency requirements under FISMA?

QC was accredited on 06/15/2007. Certification and Accreditation (C&A) is performed every 3 years to ensure QC meets agency and Federal requirements or when a major change occurs to the system. Additional activities are performed more frequently to ensure QC meets regulatory security requirements.

Additional information regarding how ACE meets FISMA requirements may be obtained at www.dhs.gov/xinfoshare/publications/editorial_0511.shtm.

4.2 Affirm that the agency is following information technology security requirements and procedures required by federal law and policies to ensure that information is appropriately secured.

The FMCSA IT Security team actively ensures the security of QC by performing baseline scanning, conducting background investigations on contractor personnel, conducting self-assessment annually, vulnerability scanning, application scanning, and reviewing of audit logs. This approach also ensures that intrusions are detected immediately so the appropriate response can be taken to ensure QC remains online.

Additional information regarding how ACE meets FISMA requirements may be obtained at www.dhs.gov/xinfoshare/publications/editorial_0511.shtm.

4.3 Acknowledge that the agency has conducted a risk assessment, identified appropriate security controls to protect against that risk, and implemented those controls.

A favorable risk assessment was performed in 2004 for the QC system. Unacceptable risks found during this risk assessment were noted in a plan of action and milestones document that was subsequently remediated by the system owner. A re-accreditation of QC that verified that findings from the previous C&A were remediated correctly was completed on June 30, 2007.

4.4 Describe the monitoring/testing/evaluating on a regular basis to ensure that controls continue to work properly to safeguard system data.

The FMCSA IT Security team performs continuous monitoring activities for the QC system at different frequencies. Operating system and application patches are verified on a weekly basis. Application scanning is used to identify insecure coding practices, mis-configurations, and areas of non-compliance with privacy laws. Furthermore, an Intrusion Prevention System and encryption solution are used to detect potential intruders.

4.5 Provide a point of contact for any additional questions from users.

Janet Curtis
Office of Research and Information Technology, IT Development Division
1200 New Jersey Avenue, SE
Washington, DC 20590
(202) 493-0458

4.6 If the QC is operated in more that one site, how will consistent use of the system and data be maintained in all sites?

QC is a web-based application that accesses FMCSA systems housed at the Volpe Transportation Center in Cambridge, MA. The data will be consistent from site to site because QC will always be accessing the same systems.

4.7 What are the retention periods of data in the QC system?

There is no data stored in QC. Therefore, there is no retention period.

4.8 What are the procedures for expunging the data at the end of the retention period and are these procedures documented?

There is no data stored in QC. Therefore, there are no procedures for expunging the data.

4.9 Will the QC system provide the capability to monitor individuals or groups of individuals? If yes, explain?

Yes, FMCSA currently tracks user identification for QC usage. For explanation of the monitoring capability, see the response to 4.10.

4.10 What controls are in place to prevent unauthorized monitoring of individuals or groups of individuals?

The monitoring is performed by an Intrusion Prevention System and encryption solution (see 4.4 above) or is performed by the FMCSA IT Security teams. No other individuals have access to perform such monitoring.

Under which SORN does the system operate? Provide Number and Name.

QC is a web-based system and it is not a System of Records. Therefore a SORN has not been completed for QC.

Section Five: Decision Analysis

5.1 Did you evaluate competing technologies on their privacy handling capabilities? If yes, explain.

With respect to QC, FMCSA limits and restricts access to information based upon user roles. Therefore, no competing technologies were evaluated for privacy handling capabilities.

5.2 Were there any choice changes made to system architectures, hardware, software, or implementation plans as a result of doing a PIA? If yes, explain.

No. FMCSA made a special effort to inform the public with respect to the submission and handling of their personal data. Therefore, no choice changes to system architecture, hardware, or software were required.

Section Six: Privacy Risk Analysis

In analyzing what might constitute risks to an individual's privacy, FMCSA determined that no additional risks to an individual’s privacy have been created as a result of utilizing QC to participate in CBP’s ACE program.

Last updated: 12/5/2007