DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety Administration
PRIVACY IMPACT ASSESSMENT
Fatality Analysis Reporting System (FARS)
November 22, 2003
Table of Contents
Overview of National Highway Traffic Safety Administration (NHTSA) privacy management process for FARS
Personally-identifiable information and FARS
Why FARS collects information
How FARS uses information
How FARS shares information
How FARS provides notice and consent
How FARS ensures data accuracy
How FARS provides redress
How FARS secures information
System of records
Overview of National Highway Traffic Safety Administration (NHTSA) privacy management process for FARS
National Highway Traffic Safety Administration (NHTSA), within the Department of Transportation (DOT), has been given the responsibility to carry out motor vehicle and highway safety programs. NHTSA is responsible for reducing deaths, injuries, and economic losses resulting from motor vehicle crashes. In order to fulfill this mission, NHTSA works to understand crashes and their causes.
In order to manage and analyze the complex data associated with crash factors, NHTSA has developed a Fatality Analysis Reporting System (FARS). This data system was conceived, designed, and developed by NHTSA's National Center for Statistics and Analysis (NCSA) to assist the traffic safety community in identifying traffic safety problems and evaluating both motor vehicle safety standards and highway safety initiatives. FARS maintains, analyzes, and provides access to data from motor vehicle traffic crashes that result, within 30 days of the crash, in the death of an occupant of a vehicle or a non-motorist
Privacy management is an integral part of the FARS project. DOT/ NHTSA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and NHTSA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing NHTSA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appoint a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the FARS system to ensure that all uses of personally identifiable data, along with the risks involved with such use, are identified and documented.
- Organize the resources necessary for the project's goals. Internal DOT/NHTSA resources, along with outside experts, are involved in reviewing the technology, data uses and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph immediately above work together to develop an effective policy or policies, practices, and procedures to ensure that fair information practices are complied with. The policies effectively protect privacy while allowing DOT/NHTSA to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training of all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the NHTSA project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.
Personally-identifiable information and FARS
The FARS system contains both Personally Identifiable Information (PII) and nonpersonally identifiable information pertaining to fatal crashes. To be included in FARS, a crash must involve a motor vehicle traveling on a trafficway customarily open to the public, and result in the death of a person (either an occupant of a vehicle or a non-motorist) within 30 days of the crash. The FARS file contains descriptions of each fatal crash reported. Each case has approximately 130 coded data elements that characterize the crash, the vehicles, and the people involved.
Three of these data points may be considered PII, either alone or in combination with other data that enable the combined data to be linked to an individual: Vehicle Identification Number (VIN), death certificate number, and race/Hispanic origin. Other specific data elements may be modified slightly at times, in response to users' needs and highway safety emphasis areas. All data elements are reported on four electronic/paper forms and input into the FARS system by designated state FARS employees/contractors:
- The Accident Form asks for information such as the time and location of the crash, the first harmful event, whether it is a hit-and-run crash, whether a school bus was involved, and the number of vehicles and people involved.
- The Vehicle and Driver Forms call for data on each crash-involved vehicle and driver. Data include the vehicle type, initial and principal impact points, most harmful event, and drivers' license status.
- The Person Form contains data on each person involved in the crash, including age, sex, role in the crash (driver, passenger, non-motorist), injury severity, and restraint use.
In addition, there are FARS Alcohol files that contain driver and non-occupant BAC (blood alcohol content) estimates, as well as overall crash alcohol estimates, which are used to supplement the data files when no alcohol information would otherwise be available.
FARS maintains two sets of records. The first set of records may contain PII and is accessible only to designated federal and state employees and contractors through password-protected Intranet access. The second set of records does not contain PII and is available to any individual on request, either through the FARS Internet Web site[2] directly or through special request.
NHTSA must also manage federal and state employee/contractor access to FARS. As a result, FARS also contains PII on federal and state government employees and contractors who require access to FARS. Using the FARS Intranet Web interface, these users may:
- Set up a profile that includes name, phone number, email address, and other PII. In addition, users set up a password for continued access to their PII.
- Access any of their own provided PII and change profile information, including changing contact information.
Why FARS collects information
FARS collects PII in order to analyze fatal crash data for statistical purposes. In some instances, FARS has been used for clinical purposes, to identify factors and causes in individual crashes. Though it does not use FARS PII in its analyses, NHTSA does require FARS PII to link to other data that may be important in the analyses.
Individuals or organizations can request only FARS data that do not include PII. In these cases, requestors can voluntarily submit the PII that NHTSA requires to fulfill this request. For example, in order to request that NHTSA mail a report, the requestor may be asked to provide a name and mailing address.
In order to manage internal access to FARS, NHTSA uses PII of federal and state users with access to the FARS system to track and manage permissions.
How FARS uses information
NHTSA uses PII within FARS to link to other sources and find data important to statistical and clinical research on fatal crashes. NHTSA does not use PII to contact or track individuals.
Also, individuals who request FARS reports are asked to provide postal address, telephone number, or fax number in order to allow NHTSA to fulfill the request[3]. After fulfillment, NHTSA retains the PII of requestors for future tracking and contact purposes.
In addition, for those state and federal employees/contractors who require direct access to FARS, NHTSA uses PII on those individuals to manage and control access and permissions to FARS.
How FARS shares information
FARS data are used extensively within NHTSA, and requests are received from sources such as state and local governments, research organizations, private citizens, the automobile and insurance industries, Congress, and the media. In order to protect privacy, only aggregate or non-personally identifiable FARS data are shared in this way.
NHTSA, through the NCSA, responds to over 20,000 telephone, email, and walk-in requests for information each year. Individuals and organizations can request reports that do not contain PII. In these cases, NHTSA uses the voluntarily-provided PII of requestors to fulfill these requests. For example, an individual who requests that NHTSA mail a report to him or her would provide a name and mailing address. NHTSA does not share or use PII of requestors for any other purpose outside of fulfillment.
In addition, individuals and organizations can access or request some of this non-PII data through the FARS Internet Web site, and/or download the FARS data files from the NHTSA FTP server. Individuals who access these services do not provide PII.
Only designated federal and state FARS staff members have access to PII in the FARS system, which is provided through a password-protected Intranet Web site. In order to manage these accesses and permissions, NHTSA collects and maintains some PII on those individuals requiring access. NHTSA does not share any PII for persons requiring access to the system, nor does NHTSA share FARS PII in any other way.
How FARS provides notice and consent
In order to have PII in FARS, an individual would have to have been involved in a fatal crash. In order to ensure the most accurate statistical data are produced, there is no option for non-participation. However, PII are not shared with the public or used for any secondary purpose.
By sending in a request for a report and accompanying that request with the PII necessary for NHTSA to fulfill the request, the requestor provides implicit consent for NHTSA to use the PII for that primary purpose. NHTSA does not use that PII for any other purpose.
How FARS ensures data accuracy
Quality Control is a vital system feature. One important part of the quality control program is a series of consistency checks, which ensure that no inconsistent data are entered. For example, if an analyst codes 11:00 am as the time of the crash and "dusk" as the light condition, these codes would be flagged as inconsistent. Other checks are for completeness and accuracy. Statistical control charts are also employed to monitor the coding of key data elements.
Federal and state FARS users access their own PII through the FARS Web site, which authenticates applicants through applicant-provided online ID and password. Users may also change their PII at any time.
How FARS provides redress
At any time, a federal or state FARS user may view and change profile information through the FARS intranet Web interface. Individuals on whom FARS may contain PII due to involvement in a fatal crash must contact the individual state jurisdiction to address data accuracy or privacy concerns.
How FARS secures information
The FARS public Web site (which contains no PII) is housed in the NASSIF (DOT Headquarters) building and is run by contractors. Physical access to the FARS system is limited to appropriate personnel through building key cards and room-access key pads. Personnel with physical access have all undergone and passed DOT background checks. The FARS data collection operation is housed at the FARS support contractor's facilities in Dulles, Virginia and is run by contractors. Personnel with physical access will be required by contract to have all undergone and pass DOT background checks by Q2 F2004.
In addition to physical access, electronic access to PII in FARS is limited according to job function. NHTSA controls access privileges according to the following roles:
- State FARS Analyst
- FARS Regional Staff
- FARS Headquarters Staff
The following matrix describes the privileges and safeguards around each of these roles as they pertain to PII.
| Role | Access | Safeguards |
|---|---|---|
| State FARS Analyst |
| User-set system access ID and password. Password must be a combination of letters and numbers. |
| FARS Regional Staff |
| User-set system access ID and password. Password must be a combination of letters and numbers. |
| FARS Headquarters Staff |
| User-set system access ID and password. Password must be a combination of letters and numbers. |
System of records
FARS is not a system of records subject to the Privacy Act. NHTSA has certified and accredited FARS in accordance with DOT requirements.