U.S. Department of Transportation
Federal Motor Carrier Safety Administration
Unified Registration System Rulemaking
U.S. DEPARTMENT OF TRANSPORTATION
Federal Motor Carrier Safety Administration
PRIVACY IMPACT ASSESSMENT
Unified Registration System Rulemaking
Rulemaking Point of Contact
Rhonda Scott
Production Application, IT Operations, Information Technology
Federal Motor Carrier Safety Administration
202-266-4134
Reviewing Official
Pam Gosier-Cox, FMCSA Privacy Officer
Office of Information Technology
Federal Motor Carrier Safety Administration
(202) 366-3655
September 9, 2009
TABLE OF CONTENTS
OVERVIEW OF FMCSA [NAME OF RULEMAKING] FINAL RULE 3
DESCRIPTION OF CURRENT [NAME OF RULEMAKING] RULEMAKING PROCESS 3
OVERVIEW OF [NAME OF RULEMAKING] RULEMAKING 4
IMPACT OF [NAME OF RULEMAKING] RULEMAKING ON PERSONAL INFORMATION OF GENERAL PUBLIC 4
SUMMARY OF PRIVACY IMPACT ASSESSMENT PROCESS 4
PII AND [NAME OF RULEMAKING] RULEMAKING 5
Best Practices for Protecting PII Associated with [NAME OF RULEMAKING] RULEMAKING 5
Introduction
The Federal Motor Carrier Safety Administration’s (FMCSA’s) primary mission is to reduce crashes, injuries, and fatalities involving large trucks and buses. This mission is accomplished by developing and enforcing data-driven regulations that balance motor carrier safety with industry efficiency; utilizing federal and state safety information systems to focus on high-risk carriers and drivers to enforce safety regulations; targeting educational messages to carriers, commercial motor vehicle drivers, and the public; and partnering with stakeholders (e.g., federal, state, and local enforcement agencies; the motor carrier industry; safety groups; and organized labor) to reduce bus- and truck-related crashes.
Statutory Authority
This rulemaking is in response to sec. 103 of the ICC Termination Act of 1995 (ICCTA) [Pub. L. 104-88, 109 Stat. 888, December 29, 1995] and title IV of the Safe, Accountable, Flexible, and Efficient Transportation Equity Act: A Legacy for Users (SAFETEA-LU) [Pub. L. 109-59, 119 Stat. 1714, August 10, 2005]. This rulemaking action is consistent with the requirements of 31 U.S.C. 9701 and 49 U.S.C. 31136(a).
The ICCTA enacted a new 49 U.S.C. 13908 directing the Secretary of Transportation (the Secretary), in cooperation with the States, and after notice and opportunity for public comment, to issue regulations to replace the existing information systems listed below with a single, online, Federal system:
The current Department of Transportation (USDOT) identification number system;
The single State registration system under [49 U.S.C.] section 14504;
The registration system contained in 49 U.S.C. chapter 139; and
The financial responsibility information system under section 13906.
Congress also directed the Secretary to consider whether to integrate the requirements of 49 U.S.C. 13304 regarding service of process in court proceedings into the new system. Congress specified that the new URS should serve as a clearinghouse and depository of information on and identification of all foreign and domestic motor carriers, property brokers, freight forwarders, and others required to register with the USDOT as well as information on safety fitness and compliance with required levels of financial responsibility. The language of 49 U.S.C. 13908(c) also authorized the Secretary to “establish, under section 9701 of title 31 [of the U.S. Code], a fee system for registration and filing evidence of financial responsibility under the new system under subsection (a). Fees collected under the fee system shall cover the costs of operating and upgrading the registration system, including all personnel costs associated with the system.”
The current rulemaking process requires companies to register with the The Department of Transportation under three separate registration systems: The current Department of Transportation (USDOT) identification number system; the registration system contained in 49 U.S.C. chapter 139; and the financial responsibility information system under section 13906. The URS will require these three systems to be integrated into one system.
Conforming amendments would be made to parts 360, 365, 366, 368, and 385 to replace references to obsolete forms in the OP- and MCS-series with references to proposed Form MCSA-1, the Application for USDOT Number/Operating Authority.
FMCSA recognizes that the URS final rule will impact individual’s privacy in the collection of census information by motor carrier companies. The final rule will cause each motor carrier, cargo tank facility, HM shipper and intermodal equipment provider issued a USDOT number to provide FMCSA with name, address, email address, SSN and/or EIN information. As a result, this final rule will likely impact individual who’s personal information is the same as their company information.
<Describe impact that rulemaking will have on personal information of general public>
This Privacy Impact Assessment (PIA) was conducted because URS will utilize Personally Identifiable Information (PII). This PIA reflects the framework of the Privacy Act of 1974 and the Fair Information Practice Principles (FIPPs). In addition, the Federal Motor Carrier Safety Administration (FMCSA) Office of Information Technology is releasing “Best Practices for the Protection of Personally Identifiable Information (Best Practices for Protection of PII)” to provide guidance on privacy and security protections consistent with the FIPPs standards and practices and equivalent to those required under the Privacy Act of 1974 (5 USC 552a), the Federal Information Security Management Act (FISMA) of 2002 (44 USC 3542), and the information security standards issued by the National Institute of Standards and Technology (NIST).
The U.S. Department of Transportation (DOT) privacy management process is built upon a methodology that enables DOT/FMCSA to have the information, tools, and technology necessary to effectively protect PII while allowing FMCSA to achieve its mission. The methodology includes the following:
Establishing appropriate authorities, responsibilities, and controls for information management with input from systems architecture, technology, security, legal, and other disciplines
Identifying, documenting, and addressing privacy risks
Developing and implementing appropriate policies and procedures and updating them when necessary
Monitoring compliance with applicable laws, regulations, policies, and procedures
Providing training to all DOT employees and contractors with access to PII
Effectively maintaining the privacy protection principles of:
Openness
Individual Participation
Purpose Specification
Collection Limitation
Use Limitation
Data Quality and Integrity
Security Safeguards
Accountability and Auditing
Privacy was a significant consideration in the development of the final rule.
Personal Identifiable Information is being collected in order to track safety-related data in the hopes of recognizing trends that can be useful when making policy and other changes. URS will provide some or all of this information to companies, agencies, individuals, and other organizations in order to help facilitate communication needed to enhance motor carrier safety.
In addition, in order to process requests for reports, FMCSA collects PII such as name, mailing address, and telephone number from requesting individuals. For individuals who will have direct access to URS, FMCSA also collects necessary PII to authenticate users and restrict permissions, and URS will associate these individuals with users IDs and passwords.
The FMCSA Office of Information Technology has issued best practices to assist the agency in protecting the privacy of PII associated with the implementation of the URS final rule. These best practices incorporate standards and practices equivalent to those required under the Privacy Act of 1974 (5 USC 552a) and other federal and state laws that are consistent with the FIPPs. FMCSA’s best practices for protecting PII associated with the implementation of the URS final rule include the following privacy protection principles:
Openness—FMCSA does not secretly collect PII. FMCSA also clearly discloses its policies and practices concerning the PII held by FMCSA. FMCSA has provided the general public with a description of the information practices associated with the implementation of the URS final rule through a Notice of Proposed Rulemaking (NPRM). The final rule addresses the comments received during the 60-day public comment period.
FMCSA received a total of 60 comment submissions to the docket from 58 entities, including State and local government agencies, motor carriers, industry trade associations, enforcement associations, safety advocates, and private citizens. Most comments supported creation of a unified registration system. Because the Agency is soliciting additional comments on modifications made to the NPRM, FMCSA has not addressed all comments received. Comments will be discussed if they have resulted in changes to the Agency’s original proposal. A more detailed response to comments received to both the NPRM and this SNPRM will be included in the preamble to the final URS rule.
Individual Participation—FMCSA ensures that individuals have the right to (a) obtain confirmation of whether or not FMCSA has PII relating to him or her; (b) access the PII related to him or her within a reasonable time, cost, and manner and in a form that is readily intelligible to the individual; (c) an explanation if a request made under (a) and (b) is denied and challenge such denial; and (d) challenge PII relating to him or her and, if the challenge is successful, have the data erased, rectified, completed, or amended. FMCSA has adopted effective and timely procedures to permit individuals to examine the PII that is on file concerning them and to obtain a copy of such information upon request. FMCSA has a redress process in place, known as the DataQs system, which provides an electronic means to file concerns about federal and state data released to the general public by FMCSA. DataQs allows individuals to challenge personal information related to crashes, inspections, compliance reviews, safety audits, enforcement actions, household goods mover complaints, registrations, operating authorities, and insurance issues. DataQs automatically forwards challenges to the appropriate office for resolution and allows individuals to monitor the status of their challenge. DataQs cannot be used to challenge safety ratings or civil actions that are managed via 49 CFR 385.15 (Administrative Review) or 49 CFR 385.17 (Change to Safety Rating Based upon Corrective Actions). Challenges to information provided by state agencies must be resolved by the appropriate state agency. Once a state agency has made a determination on the validity of a challenge, FMCSA considers the decision as the final resolution of the challenge. FMCSA cannot change state records without state consent.
Purpose Specification—FMCSA specifies the purpose(s) for collecting PII in the Notice of Proposed Rulemaking. The subsequent use of PII is limited to the fulfillment of those purposes, or such other uses that are compatible with those purposes, as stated in the URS final rule unless individuals are given written notice of the proposed change in use, and individuals provide express written consent for its use for such new purpose. Unless otherwise authorized by applicable law, FMCSA limits its use of PII related to the implementation of the URS final rule to the performance of official responsibilities pertaining to law enforcement, the verification of personal identity, or highway and commercial motor vehicle safety. FMCSA informs individuals that PII in the URS final rule may be transmitted to law enforcement agencies only if such disclosure is related to the performance of official responsibilities pertaining to law enforcement, highway and motor vehicle safety, or any other official purpose expressly authorized by law.
The authority for this rulemaking is described in OVERVIEW OF FMCSA UNIFIED REGISTRATION SYSTEM FINAL RULE. The collection of PII is a necessary part of the final rule because it allows federal and state law enforcement agencies to positively identify specific records in FMCSA information systems.
Collection Limitation—FMCSA only collects PII necessary for official purposes as stated in the URS final rule. In addition, FMCSA only obtains such PII by lawful and fair means and, to the greatest extent possible, with the knowledge or consent of the individual. FMCSA also considered the potential use of URS data for litigation unrelated to commercial motor vehicle (CMV) operators and drivers and recognizes that the final rule does not affect the rights of private litigants to seek discovery. Similarly, existing provisions governing FMCSA disclosure of CMV operator and driver information under the Freedom of Information Act (FOIA) are not affected by this rulemaking.
<Insert how FMCSA plans to limit PII collection>
Use Limitation—FMCSA only uses PII for the purposes and uses originally specified in the URS final rule, except (a) with the express consent of the individual, or (b) as authorized by law. This includes limiting disclosure of PII for the purposes and uses specified in the URS final rule.
The only information FMCSA requires URS to collect is that which is necessary to efficiently track motor carriers, freight forwarders, brokers, HM shippers, intermodal equipment providers and cargo tank facilities. For that reason, the Agency’s proposal imposes no operational responsibilities on drivers. Therefore, this proposed regulation would not impair a driver’s ability to operate vehicles safely (sec. 31136(a)(2)), would not impact the physical condition of drivers (sec. 31136(a)(3)), and would not have a deleterious effect on the physical condition of drivers (sec. 31136(a)(4)).
<Insert how FMCSA plans to limit PII usage>
Data Quality and Integrity—FMCSA ensures that the collection, use, and maintenance of PII for implementing the URS final rule is relevant to the purposes for which it is to be used and, to the extent necessary for those purposes, it is accurate, complete, and up-to-date.
The URS will provide internal data edit checks on all data submitted to URS. Individuals who provide PII electronically will be responsible for its accuracy.
<Insert how FMCSA plans to ensure PII quality and integrity>
Security Safeguards—PII must be protected by reasonable security safeguards against loss or unauthorized access, destruction, usage, modification, or disclosure. These safeguards incorporate standards and practices required for federal information systems under FISMA and are detailed in Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems dated March 2006 and NIST Special Publication (SP) 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations dated August 2009. FMCSA has a comprehensive information security program that contains management, operational, and technical safeguards that are appropriate for the protection of PII. These safeguards are designed to achieve the following objectives:
Ensure the security and confidentiality of PII
Protect against any reasonably anticipated threats or hazards to the security or integrity of PII
Protect against unauthorized access to or use of PII
Accountability and Auditing—FMCSA is accountable for compliance with federal government privacy and security policies and regulations. In addition, FMCSA is responsible for identifying, training, and holding agency personnel accountable for adhering to FMCSA privacy and security policies and regulations. FMCSA follows the best practices described in Best Practices for Protecting PII Associated with Unified Registration System and “Best Practices for the Protection of Personally Identifiable Information (Best Practices for Protection of PII)” issued by FMCSA.
The Agency recognizes that the need for a verifiable audit trail – a detailed set of records to display date, user name, and transaction data of a particular record – must be counterbalanced by privacy considerations.
<Insert how FMCSA plans to ensure PII accountability and auditing>
Individuals will be able to obtain all or part of the Unified Registration System data. Federal and State offices will have direct access to URS. Different individuals will receive different rights in URS according to their job role and State. Carrier companies and other individuals can learn about URS information and request data through a publicly-available Web site: http://www.fmcsa.dot.gov .
Motor carriers can also access a website http://www.safersys.org to update their motor carrier identification information. To do this, motor carriers must know their USDOT number and their Personal Identification Number (PIN).
The general public can access this same website to obtain a company safety profile (CSP) on a motor carrier. The CSPs are available to the public under the Freedom of Information Act (FOIA). However, certain information in the CSP, namely Driver Data, contains personal information that is not required to be disclosed by FOIA and will not be included in a CSP that is disseminated to the public. Of course, a company may have access to its own Driver Data. For this reason, Driver Data will be released only to those who are registered as authorized recipients of that information. To register as an authorized recipient of Driver Data, the motor carrier must fax a request to (703) 280-4003, the FMCSA Data Dissemination contractor. The requestor must submit the following information: a letter on the official company letterhead; it should include the USDOT number of the company; the letter must be signed by a representative of the company; if the requestor wishes to receive their CSP via e-mail, they must include any e-mail address(es) that they have approved to receive Driver Data information. When ordering online (http://www.safersys.org) the requestor needs to check the box labeled "I am the carrier whose USDOT number was entered above". The requestor then is prompted for the last 4 digits from their company Tax ID (EIN) number to complete the transaction (If no Tax ID is on file, the requestor needs to file an updated MCS-150 with this information).
FMCSA and other Federal and State Enforcement agencies will have direct access to PII data in URS. In order to manage access and appropriate permissions, FMCSA collects name, contact information, organization information and other related information, and maintains user IDs and passwords for all users.
<Insert how PII will be shared, and who will have access to and maintain the PII>
This rulemaking will result in a new or revised Privacy Act System of Records for FMCSA.
File Type | application/msword |
Author | margaret.alston |
Last Modified By | herman.dogan |
File Modified | 2011-10-12 |
File Created | 2011-10-12 |