DEPARTMENT OF TRANSPORTATION
Office of the Secretary of Transportation (OST)

PRIVACY IMPACT ASSESSMENT

Parking and Transit Benefit System (PTBS)

November 21, 2008

TABLE OF CONTENTS

Overview of Privacy Management Process
Personally Identifiable Information (PII) & PTBS
Why PTBS Collects Information
How PTBS uses information
How PTBS Shares Information
How PTBS Provides Notice and Consent
How PTBS Ensures Data Accuracy
How PTBS Provides Redress
How PTBS Secures Information
How Long PTBS Retains Information
System of Records

Overview of Privacy Management Process

The Office of the Secretary (OST) oversees the formulation of national transportation policy and promotes intermodal transportation. Other responsibilities include negotiation and implementation of international transportation agreements, assuring the fitness of US airlines, enforcing airline consumer protection regulations, issuance of regulations to prevent alcohol and illegal drug misuse in transportation systems and preparing transportation legislation.

The Parking and Transit Benefit System (PTBS) is the Department of Transportation (DOT) Information Technology system used to manage the Transportation Subsidy Program (TSP) and facilitate the distribution of public-transport fare media to DOT and other Federal Agency employees, to schedule distribution of the fare media, to maintain an inventory of fare media on hand, and to manage the fare media billing. Also, the Office of Transportation Services (TRANServe), within the Office of the Assistant Secretary for Administration, Department of Transportation, has been given the responsibility of managing the vehicle parking resources at the DOT South East Federal Center (SEFC) Headquarters Facility. As space for parking personally owned vehicles (POV) in the area surrounding the facility is severely limited it is important to ensure that access for government-required vehicles and key DOT employees POVs is available full time within the DOT spaces. Thus, parking at the Headquarters Facility is allocated via a the DOT Headquarters Parking Application (DOT HPA) reservation system.

Privacy management is an integral part of the PTBS system. OST has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and established methodologies.

The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and OST will have the information, tools and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing OST to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following steps:

Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.

Assess the current privacy environment. This involves interviews with key individuals involved in the PTBS system to ensure that privacy risks are identified, addressed and documented.
Organize the resources necessary for the project�s goals. Internal OST resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing OST to achieve its mission.
Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the OST project.
Maintain policies, practices, and procedures. Due to changes in technology, personnel and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made, if necessary.

Personally Identifiable Information (PII) & PTBS

As a leader in transportation-related oversight, DOT�s OST provides useful information to other agencies responsible for transportation oversight activities. To meet this goal, OST seeks to use the PTBS website to share information on oversight provider contacts, debarment/suspension/conviction, and successful audit/investigation techniques.

The PTBS modules will contain and publicly post the following information:
& & & PTBS does not publicly post any PII information.

Why PTBS Collects Information

PTBS manages the Transportation Subsidy Program (TSP) and facilitates the distribution of public-transport fare media to DOT and other Federal Agency employees, schedules distribution of the fare media, maintains an inventory of fare media on hand, and to manages the fare media billing. Also, it manages formal requests for parking allocations at the DOT South East Federal Center (SEFC) Headquarters Facility.

How PTBS uses information

The requestor�s form data is written to the protected DOT HPA database. Only the Analysts in TRANServe can access this database, where the requests can be more effectively processed and, if approved, automate many of the continuing management functions.

How PTBS Shares Information

Management and control of the Parking and Transit Benefit System is conducted via the Electronic Capital Planning and Investment Control (eCPIC) System. eCPIC is a web-based, government-owned technology system (GOTS) application designed to help agencies with the management and control of their initiatives, portfolios, and investment priorities, as well as in the preparation and submission of budget data to the Office of Management and Budget (OMB). DOT currently hosts the eCPIC Domain. The system is used by fourteen Federal agencies to help them determine the most efficient allocation of information technology spending to meet agency missions. Federal agencies that use the system consider it best practice for government portfolio management. Decisions on operations, maintenance, functionality, and enhancements are implemented through the eCPIC Service Level Agreement (SLA). Through the eCPIC Change Management Committee (CMC), agency SLA members participate in monthly meetings to share lessons learned, review the status of the project, and prioritize change requests associated with the operation, maintenance, and enhancement of the application.

How PTBS Provides Notice and Consent

PTBS displays the DOT approved system warning banner to alert users of notice and consent to monitoring prior to login.

How PTBS Ensures Data Accuracy

PTBS employs the data accuracy checks inherit in Oracle database software to ensure data validity and accuracy. The system has been reviewed to ensure, to the greatest extent possible, it is accurate, relevant, timely and complete via security testing and evaluation.

How PTBS Provides Redress

Validation checks are built into the application software that both prompt the user that an incorrect entry has been entered and must be corrected, and that a user has successfully input data.

How PTBS Secures Information

PTBS takes appropriate security measures to safeguard PII and other sensitive data. PTBS applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of OST employees and contractors.

ROLE	ACCESS	SAFEGUARDS
STAFF	Transit Customer record retrieval Transit Pickup record retrieval and update
ACCOUNT MANAGER	All Staff privileges Add/Update Transit Customer records Import Laptop data Enter Bulk Pickups using Quick Pickup interfaces Access Transit Reports Manage Daily Balance sheets
PARKING	Add/Update Parking Customer records Add/Update Parking Pickup records Access Parking Reports	Specialized privilege, granted on an as needed basis
INVENTORY	Add/Update Farecard inventory balances	Specialized privilege, granted on an as needed basis
WEBTRANSITAPP	Access/Process Online Applications	Specialized privilege, granted on an as needed basis
BULKREPORTS	Generate Bulk Monthly Billing reports	Specialized privilege, granted on an as needed basis
BULKREPORTLOCK	Ability to Lock monthly reports to disallow overwrite	Specialized privilege, granted on an as needed basis
ADMIN	Access to all system functions	Can only be granted by ADMIN level users

How Long PTBS Retains Information

PTBS retains PII information for a minimum of one year.

System of Records

PTBS contains information that is part of existing System of Records subject to the Privacy Act, because it is searched by an individual�s name or other unique identifier. In some cases, such as DOT/OST 101, the Department of Transportation controls the data and maintains System of Records responsibilities. In other cases, other government entities providing PTBS source data control the data and retain Privacy Act responsibilities.

OST has certified and accredited the security of PTBS in accordance with DOT information technology security standard requirements.