DEPARTMENT OF TRANSPORTATION
Office of the Secretary of Transportation (OST)
PRIVACY IMPACT ASSESSMENT
Transportation Integrated Print Transaction System (TIPTS)
December 3, 2008
TABLE OF CONTENTS
Overview of Privacy Management Process
Personally Identifiable Information (PII) & TIPTS
Why TIPTS Collects Information
How TIPTS Uses Information
How TIPTS Shares Information
How TIPTS Provides Notice and Consent
How TIPTS Ensures Data Accuracy
How TIPTS Provides Redress
How TIPTS Secures Information
How Long TIPTS Retains Information
System of Records
Overview of Privacy Management Process
The Office of the Secretary (OST) oversees the formulation of national transportation policy and promotes intermodal transportation. Other responsibilities include negotiation and implementation of international transportation agreements, assuring the fitness of US airlines, enforcing airline consumer protection regulations, issuance of regulations to prevent alcohol and illegal drug misuse in transportation systems and preparing transportation legislation.
TIPTS is a web-based procurement system that allows customers to order products from the DOT's Office of Information Services (M-30) Printing and Graphics division. TIPTS facilitates Printing and Graphics ability to manage orders, assign orders to specialists, and run reports on data in the system. Additionally, vendors contracted by DOT to complete work on the orders will be able to review bid opportunities and place bids on the orders from within TIPTS.
Privacy management is an integral part of the TIPTS system. OST has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and established methodologies. The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and OST will have the information, tools and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing OST to achieve its mission of protecting and enhancing the U.S. transportation system. The methodology is based upon the following steps:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involved interviews with key individuals involved in the TIPTS system to ensure that all uses of Personally Identifiable Information (PII), along with the risks involved with such use, are identified and documented.
- Organize the resources necessary for the project's goals. Internal OST resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop effective policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing OST to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information (PII). It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the OST project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made, if necessary.
Personally Identifiable Information (PII) & TIPTS
TIPTS contains the following PII: customer name, delivery addresses, telephone extension, and zip code to delivery addresses. Vendor information, although it contains names of individuals and business contact phone numbers and addresses, does not contain sensitive personal information such as social security number, home telephone numbers, or home addresses.
Why TIPTS Collects Information
TIPTS facilitates Printing and Graphics ability to manage orders, assign orders to specialists, and run reports on data in the system.
How TIPTS Uses Information
TIPTS processes information that is used internally by authorized DOT Information Services staff, vendors, and customers regarding orders for printing and graphics services.
How TIPTS Shares Information
TIPTS allows vendors contracted by DOT to complete work on print orders, review bid opportunities, and place bids on the orders from within TIPTS.
How TIPTS Provides Notice and Consent
TIPTS includes a main login screen login-warning banner that can be edited by the Systems Administrator. The users must accept the conditions in the login-warning message by clicking on an acceptance button to gain access to the login screen. If the user does not acknowledge acceptance of the login warning the system must exit the program.
How TIPTS Ensures Data Accuracy
The integrity of TIPTS data is not a primary consideration since it consists mainly of order data for non-sensitive or non mission-critical printing and graphics tasks. There is some data which pertains to vendor price bidding.
How TIPTS Provides Redress
The user can review their own profile data and change the settings after logging in. They may also contact the system owner for removal or changing of data.
How TIPTS Secures Information
TIPTS takes appropriate security measures to safeguard PII and other sensitive data. TIPTS applies DOT security standards, including but not limited to routine scans and monitoring, back-up activities, and background security checks of OST employees and contractors.
| Role | Access | Safeguards |
|---|---|---|
| User | Place orders Review previous print orders | Specialized privilege, granted on an as needed basis |
| Print Specialist | Review and perform actions on submitted orders | Specialized privilege, granted on an as needed basis |
| Site Administrator | View all orders Review/change system settings Create user accounts | Can only be granted by ADMIN level users |
How Long TIPTS Retains Information
TIPTS retains PII information indefinitely after the initial collection.
System of Records
TIPTS does not contain information that is part of existing System of Records subject to the Privacy Act, because its records are searched only by Name.
OST has certified and accredited the security of TIPTS in accordance with DOT information technology security standard requirements.