Download:
pdf |
pdfU.S. Department of Transportation
Privacy Impact Assessment
Federal Motor Carrier Administration (FMCSA)
Drug and Alcohol Clearinghouse
Notice of Proposed Rulemaking
Responsible Official
Juan Moya
FMCSA Office of Enforcement and Compliance
202-366-4844
[email protected]
Reviewing Official
Claire W. Barrett
Chief Privacy & Information Asset Officer
Office of the Chief Information Officer
[email protected]
X
2/19/2014
Claire W. Barrett
Claire W. Barrett
DOT Chief Privacy & Information Asset Officer
Signed by: CLAIRE W BARRETT
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
Executive Summary
The proposed rule would allow FMCSA and regulated motor carrier employers to more easily identify unsafe drivers
based on USDOT drug and alcohol testing program violations and to ensure that such drivers receive evaluation and
treatment before resuming safety-sensitive duties.
The proposed rule would revise the 49 CFR part 382, Controlled Substances and Alcohol Use and Testing to establish
the Drug and Alcohol Clearinghouse. It would require employers and service agents to report information about
current and prospective employees’ positive drug and alcohol test results, as well as refusals to submit to testing, to the
Clearinghouse. Employers would also be required to search the Clearinghouse for positive drug and alcohol test results
and refusals to submit to testing on an annual basis for current employees, and as part of the pre-employment process
for prospective employees. In addition, to help FMCSA identify those employers who do not have a drug and alcohol
testing program, the proposal would require laboratories to provide FMCSA with annual summary reports on testing
activities of FMCSA-regulated motor carrier employers they have provided testing services for.
The reporting and verification requirements would make employers better able to determine whether current or
prospective employees are prohibited from operating CMVs under the DOT drug and alcohol screening program. This
would diminish or eliminate the current problems with employees, who are employed by multiple operators, failing to
report drug and alcohol testing violations to all of their employers and thus, enabling them to continue operating
commercial motor vehicles without completing the requisite return-to-duty process.
It would also diminish or eliminate the problem of a driver with previous positive test results, or refusals to test, from
seeking and obtaining work without completing the requisite return-to-duty process. For example, this could occur if a
driver is fired for a positive test but does not inform prospective or future employers about the previous positive test
result. This could also occur if a new driver entering the workforce tests positive for drugs or alcohol during a preemployment test, waits for the drugs to leave his/her system, then takes and passes another pre-employment test and
gets hired without the employer having any knowledge of the previously failed pre-employment test.
Finally, currently motor carrier employers are required to implement DOT drug and alcohol testing programs for CDL
holders. To improve employers’ compliance the proposed rule would require all laboratories performing DOT drug
testing for FMCSA-regulated employers to file annual summary reports identifying the motor carrier employers for
whom they performed testing services. The FMCSA would then use the data provided by the laboratories to identify
employers of CDL drivers that do not have an active drug and alcohol testing program.
What is a Privacy Impact Assessment?
The Privacy Act of 1974 articulates concepts for how the federal government should treat individuals and their
information and imposes duties upon federal agencies regarding the collection, use, dissemination, and maintenance of
personally identifiable information (PII). The E-Government Act of 2002, Section 208, establishes the requirement for
agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections. The
assessment is a practical method for evaluating privacy in information systems and collections, and documented
assurance that privacy issues have been identified and adequately addressed. The PIA is an analysis of how information
is handled to—i) ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;
ii) determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an
-1-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
electronic information system; and iii) examine and evaluate protections and alternative processes for handling
information to mitigate potential privacy risks.1
Conducting a PIA ensures compliance with laws and regulations governing privacy and demonstrates the DOT’s
commitment to protect the privacy of any personal information we collect, store, retrieve, use and share. It is a
comprehensive analysis of how the DOT’s electronic information systems and collections handle personally identifiable
information (PII). The goals accomplished in completing a PIA include:
-
Making informed policy and system design or procurement decisions. These decisions must be based on
an understanding of privacy risk, and of options available for mitigating that risk;
Accountability for privacy issues;
Analyzing both technical and legal compliance with applicable privacy law and regulations, as well as
accepted privacy policy; and
Providing documentation on the flow of personal information and information requirements within DOT
systems.
Upon reviewing the PIA, you should have a broad understanding of the risks and potential effects associated with the
Department activities, processes, and systems described and approaches taken to mitigate any potential privacy risks.
Introduction & System Overview
The Omnibus Transportation Employee Testing Act (OTETA) of 1991 [Pub. L. 102-143, 105 Stat. 952, October 28, 1991],
as codified in 49 U.S.C. 31306, mandates the alcohol and controlled substances testing program for the Department of
Transportation (USDOT). To address this mandate, the USDOT adopted the “Procedures for Transportation Workplace
Drug and Alcohol Testing Programs” [49 CFR Part 40]. This part establishes requirements for all USDOT-regulated
parties, including employers of drivers with CDLs subject to FMCSA testing requirements. To implement the
requirements of OTETA and Part 40, an FMCSA predecessor agency published a final rule in 1994 establishing the drug
and alcohol testing program in 49 CFR Part 382. that addressed the OTETA [49 CFR Part 382].
To further improve the regulatory testing process and ensure that employers are able to identify current and
prospective employees who are not qualified to drive CMVs because of outstanding drug and alcohol test violations, on
July 6, 2012, Congress enacted The Moving Ahead for Progress in the 21st Century Act (MAP-21), mandating that the
Secretary of Transportation (Secretary) establish a national clearinghouse for controlled substance and alcohol test
results of CMV drivers.
This statutory mandate follows the investigations of bus crashes in New Orleans, Louisiana in 1999 that resulted in the
National Transportation Safety Board (NTSB) recommending that FMCSA “develop a system that records all positive
drug and alcohol test results and refusal determinations resulting from the U.S. Department of Transportation (USDOT)
testing requirements, require prospective employers to query the system before making a hiring decision, and require
certifying authorities to query the system before making a certification decision.” In addition, the Government
Accountability Office (GAO) identified 43 cases where drivers tested positive for illegal drugs (e.g., cocaine, marijuana,
and amphetamines) with one employer and subsequently tested negative with another employer who was unaware of
the prior positive tests. In its recommendations to Congress, GAO proposed the establishment of a national database
and this rulemaking as possible solutions to these job-hopping problems (See GAO-08-600 “Improvements to Drug
Office of Management and Budget’s (OMB) definition of the PIA taken from guidance on implementing the privacy
provisions of the E-Government Act of 2002 (see OMB memo of M-03-22 dated September 26, 2003).
1
-2-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
Testing Programs Could Better Identify Illegal Drug Users and Keep them off the Road” and GAO-08-0829R “Examples of
Job Hopping by Commercial Drivers after Failing Drug Tests”2).
Thus, in response to the Congressional mandate and NTSB and GAO recommendations, the proposed rule would
establish a database administered by FMCSA, known as the Commercial Driver’s License Drug and Alcohol
Clearinghouse (Clearinghouse), that would require FMCSA-regulated motor carrier employers, and service agents such
as Medical Review Officers (MROs), Substance Abuse Professionals (SAPs), and consortia/third party administrators
(C/TPAs) supporting U.S. Department of Transportation (USDOT) testing programs to report verified positive,
adulterated, and substituted drug test results, positive alcohol test results, test refusals, negative return-to-duty test
results, and information on the frequency, number and type follow-up tests required. The proposed rule would also
require motor carrier employers to report actual knowledge of employees’ traffic citations for driving a CMV while
under the influence (DUI) of alcohol or drugs. The proposed rule would establish the terms of access to the database,
including the conditions under which information is submitted, accessed, maintained, updated, removed, and released
to prospective employers, current employers, and other authorized entities. (See Appendix A, Summary of
Responsibilities and Data Access to the Clearinghouse found at the end of this document.) The proposed rule will also
require laboratories that provide FMCSA-regulated motor carrier employers with USDOT drug testing services to submit
semi-annual reports to FMCSA summarizing motor carrier employer test results. Overall, motor carrier employers, or
service agents acting on their behalf would be required to query the Clearinghouse to determine whether current or
prospective drivers had tested positive for drugs or alcohol in violation of FMCSA’s drug and alcohol testing program.
The proposed rule would require an employer motor carrier to obtain written consent from a driver before querying
the Clearinghouse to determine if the Clearinghouse contains information concerning that driver. The proposed rule
prohibits disclosure of information in the Clearinghouse to an employer motor carrier without prior driver consent. No
employer motor carrier would be allowed to employ a driver that refuses to grant consent.
FMCSA responsibilities concerning driver notification will include expeditiously providing a letter sent via U.S. mail to
the address on record with the State Driver Licensing Agency that issued the CDL held by the driver whenever
information concerning that driver has been added to, revised, or removed from the Clearinghouse. The proposed rule
would also permit a driver to provide the Clearinghouse with an alternative means or address for notification, including
electronic mail.
In addition, FMCSA primarily monitors motor carrier compliance with USDOT drug and alcohol testing program
requirements using compliance reviews and new entrant safety audits and has significantly increased the number of
motor carriers that are reviewed from previous years via enhanced new entrant rules and improved compliance
programs. In 2010, new entrant audits and compliance reviews were conducted on approximately 50,000 motor
carriers. However, this still represents only a small percentage of the more than 520,000 motor carriers subject to
USDOT drug and alcohol testing requirements. As a result, many motor carriers that have not established a drug and
alcohol testing program could go undetected. Data from FMCSA oversight activities indicate a lack of compliance with
the drug and alcohol testing program requirements among by carriers. The laboratory reporting requirements in this
proposed rule are designed to help FMCSA close this gap in compliance.
2
See GAO-08-600 “Improvements to Drug Testing Programs Could Better Identify Illegal Drug Users and Keep Them Off the
Road,” May 15, 2008, and GAO-08-829R, “Examples of Job Hopping by Commercial Drivers After Failing Drug Tests,” June
30, 2008. Accessed at http://www.gao.gov/assets/280/275382.pdf and http://www.gao.gov/new.items/d08829r.pdf on
23-April-2012.
-3-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
In light of the PII that must be captured, maintained, and accessed in this database, FMCSA is publishing the NPRM and
this Privacy Impact Assessment for public comment. The program and this PIA are expected to change in response to
public comment on the NPRM. A revised PIA and if necessary a Privacy Act system of records notice (SORN) will be
issued in conjunction with the Final Rule for the Drug and Alcohol Clearinghouse.
Personally Identifiable Information and the Drug and Alcohol Clearinghouse NPRM
The proposed rule is applicable to drivers and employers of drivers who operate CMVs in interstate and intrastate
commerce in the United States and are subject to the CDL requirements in 49 CFR part 383 or the equivalent CDL
requirements for Canadian and Mexican drivers.
The proposed rule would require motor carrier employers and service agents to report information about current and
prospective employees’ drug and alcohol test results to the Clearinghouse and would require motor carrier employers
and certain service agents to check current and prospective employees against the database. The proposed rule would
provide FMCSA and regulated motor carrier employers the necessary tools to identify drivers who are prohibited from
operating a CMV based on DOT drug and alcohol program violations and ensure that such drivers receive the required
evaluation and treatment before continuing to perform safety-sensitive functions.
FMCSA is responsible for ensuring that appropriate protections and controls governing the collection, use, sharing,
storage, and retention of driver information under its control. As proposed, the rule would require use of CMV driver
information in order to ensure that positive drug and alcohol testing results, refusals, and employer reports of actual
knowledge that a driver has received a traffic citation for driving a CMV under the influence of drugs or alcohol are
accurately reported and are correctly attributed to the correct driver.
FMCSA’s drug and alcohol testing program requires specimen collectors from laboratories working for motor carrier
employers to use the Federal Drug Testing Custody and Control Form (OMB Control Number 0930-0158
http://www.reginfo.gov/public/do/DownloadDocument?documentID=189034&version=1) when collecting specimens
from drivers. Collectors use the U.S. Department of Transportation (DOT) Alcohol Testing Form (ATF) (OMB Control
Number 2105-0529) to perform alcohol testing on drivers. Under this proposal, specimen collectors would not be
permitted to record drivers’ Social Security numbers, and the only permitted employee ID number would be the
driver’s CDL number and State of issuance. That said, this proposed rule would also require the specimen collector to
record the employer’s USDOT or EIN on the ATF. FMCSA is aware that some self-employed drivers who are not
required to have USDOT numbers use their Social Security numbers as their EINs for tax purposes. Any driver who is
not comfortable using his or her Social Security number as an EIN could pursue one of two options. First, he or she
could obtain a USDOT number. Drivers can get more information about obtaining USDOT numbers at
http://www.fmcsa.dot.gov/registration-licensing/registration-licensing.htm. Second, he or she could change his or her
EIN to a number that is different from his or her Social Security number. Drivers can get more information about
changing their EINs by contacting the IRS.
C/TPAs are consortia and third party administrators who coordinate testing services for regulated motor carrier
employers. FMCSA regulations require any employer who employs only himself/herself as a driver to join a random test
selection pool. Consortia are the entities that manage these pools (49 CFR 382.103(b)). Third party administrators,
which often include consortia, are entities that regulated motor carrier employers contract with to implement drug and
alcohol testing programs. Under the proposed rule, C/TPAs would be subject to the same reporting requirements as
employers when they assume a regulated employer’s drug and alcohol testing functions. Specifically, C/TPAs that are
-4-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
required by regulation to perform employer functions (e.g., for self-employed drivers) would be required to report
positive alcohol tests, drug or alcohol test refusals, negative return-to-duty tests, and successful completion of all
follow-up tests. Employers may contract with C/TPAs to perform reporting functions, but employers, in addition to their
C/TPAs, remain responsible for meeting the reporting requirements.
SAPs evaluate, assess and refer drivers for education and/or treatment after a positive test or refusal as a part of the
return-to-duty process (49 CFR part 40, subpart O). Under the proposed rule, SAPs would be required to report to the
Clearinghouse the date that a driver began and successfully completed the return to duty process specified in 49 CFR
part 40, subpart O, indicating driver eligibility for return-to-duty testing. The SAP would also be required to report
information on the follow-up testing plan.
The requirements of this rule would also affect motor carriers employing owner-operators. The drug and alcohol
testing regulations in part 382 impose requirements upon employers and drivers; owner-operators can function as
both. Currently, when an owner-operator acts as a driver for another employer, FMCSA requires that the employer
treat the owner-operator as if he or she were an employee for the purposes of the employer’s DOT drug and alcohol
testing program. As a result, the proposed rule would require motor carriers employing owner-operators to treat those
drivers as employees for purposes of querying and reporting to the database.
The proposed rule requires medical review officers (MROs) to report to the Clearinghouse within one business day the
following driver information to the Clearinghouse for verified positive, adulterated or substituted test results and
refusals (as provided in 49 CFR § 40.191):
1. Reason for test (e.g., pre-employment, post-accident, random, reasonable suspicion, return-to-duty, or
follow-up)
2. Federal Drug Testing Custody and Control Form specimen ID number
3. Collection site name and address
4. Driver name, date of birth, and CDL number and state of issuance
5. Employer name, address and EIN or USDOT number
6. Date of test
7. Date of the verified result
8. Specimen test result
The proposed rule would require employers or C/TPAs acting on behalf of an employer who employs himself or herself
to report the following information to the Clearinghouse for: (i) an alcohol test result with an alcohol concentration of
0.04 or greater; (ii) a negative return-to-duty alcohol and/or controlled substances test result; (iii) a refusal to take an
alcohol test pursuant to 49 CFR 40.261; and (iv) a refusal to provide a specimen for controlled substances testing
pursuant to 49 CFR 40.191:
1.
2.
3.
4.
5.
6.
7.
Reason for the test
Collection site name and address
Driver’s name, date of birth, and CDL number and state of issuance
Employer name, address, and USDOT number or EIN
Date of the test
Date of result reported
Specimen test result
-5-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
Motor carrier employers will also be required to report each instance in which they have knowledge that an employee
received a traffic citation for driving a CMV under the influence of drugs or alcohol. The report submitted to the
Clearinghouse must include the following information:
1.
2.
3.
4.
5.
6.
7.
CMV driver name, date of birth, and CDL number and state of issuance
Employer name, address, and USDOT Number or EIN
Date of traffic citation
Date employer became aware of traffic citation
Name and state of the law enforcement agency issuing traffic citation
Ticket or docket number associated with traffic citation
Specific charge alleged in traffic citation
For drivers participating in the return-to-duty process set forth in 49 CFR Part 40 Subpart O (Substance Abuse
Professionals and the Return-to-Duty Process), the information listed below is currently required. The proposed rule
would require SAPs to report the following information to the Clearinghouse:
1.
2.
3.
4.
5.
SAP name, address, and telephone numbers
Driver’s name, date of birth, and CDL number and state of issuance
Employer’s name, address, and EIN or USDOT number
Date of the initial SAP assessment
Date when driver has successfully completed education and /or treatment process and was eligible for
return-to-duty testing.
6. Frequency, number and type of required follow-up tests and the duration of the follow-up testing plan;
and
7. Any modifications to the follow-up testing plan
Appendix A summarizes the requirements for each entity responsible for reporting information to the Clearinghouse.
Fair Information Practice Principles (FIPPs) Analysis
The DOT PIA template based on the fair information practice principles (FIPPs). The FIPPs, rooted in the tenets of the
Privacy Act, are mirrored in the laws of many U.S. states, as well as many foreign nations and international
organizations. The FIPPs provide a framework that will support DOT efforts to appropriately identify and mitigate
privacy risk. The FIPPs-based analysis conducted by DOT is predicated on the privacy control families articulated in the
Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP) v33, sponsored by the National Institute of
Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Federal Chief Information
Officers Council and the Privacy Controls articulated in Appendix J of the NIST Special Publication 800-53 Security and
Privacy Controls for Federal Information Systems and Organizations4.
Transparency
Sections 522a(e)(3) and (e)(4) of the Privacy Act and Section 208 of the E-Government Act require public
notice of an organization’s information practices and the privacy impact of government programs and
activities. Accordingly, DOT is open and transparent about policies, procedures, and technologies that directly
affect individuals and/or their personally identifiable information (PII). Additionally, the Department should
not maintain any system of records the existence of which is not known to the public.
3
4
http://www.cio.gov/documents/FEA-Security-Privacy-Profile-v3-09-30-2010.pdf
http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf
-6-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
FMCSA does not secretly collect or store PII and clearly discloses its’ policies and practices concerning the PII collected
and held associated with the implementation of all rules discussed in this PIA. FMCSA provides notice to individuals
through several different ways including the publication of the Drug and Alcohol Clearinghouse NPRM, the privacy
policy on the FMCSA website (www.fmcsa.dot.gov), and the development of the SORN that will be published on the
DOT Privacy Program website and the Federal Register for public comment. . The SORN will provide notice as to the
conditions of disclosure and routine uses for the information collected in the system. The SORN will also provide that
any dissemination of information maintained with the system be compatible with the purpose for which the
information was originally collected. If any portion of the SORN is exempt from one or more provisions of the Privacy
Act because of criminal, civil, and administrative enforcement requirements, the Agency will publish an exemption rule
in the Federal Register for public comment.
The publication of this PIA further demonstrates FMCSA’s commitment to provide appropriate transparency into the
Drug and Alcohol rulemaking. This PIA is available to the general public on the DOT Web site at
http://www.dot.gov/privacy.
This proposed rule would require employers to notify drivers that information about verified positive, adulterated, or
substituted drug test results; positive alcohol test results; refusals to submit to any test required by subpart C of 49 CFR
Part 382; employers’ reports of actual knowledge that a driver received a traffic citation for driving a CMV while under
the influence of alcohol or drugs; negative return-to-duty tests; employers’ reports of completion of follow-up testing;
and SAP reports would be reported to the Clearinghouse. Under this proposed rule, employers would notify employees
what information would be reported to the Clearinghouse through educational materials. Employees would also be
notified expeditiously each time a change to a record pertaining to the employee is made in the Clearinghouse. The
driver would then be able to access the Clearinghouse to review the new or revised data and request changes.
To limit unnecessary access to the Clearinghouse, FMCSA proposes a two-step querying process. First, employers, after
receiving the employee’s consent, would conduct a limited query of the database using the driver’s name, CDL number
and state of issuance. If the query indicates that there is information in the Clearinghouse the employer would have to
conduct a full query after receiving consent from the employee. The full query would allow an employer to access
information in the Clearinghouse.
Individual Participation and Redress
DOT should provide a reasonable opportunity and capability for individuals to make informed decisions about the
collection, use, and disclosure of their PII. As required by the Privacy Act, individuals should be active participants in
the decision making process regarding the collection and use of their PII and be provided reasonable access to their PII
and the opportunity to have their PII corrected, amended, or deleted, as appropriate.
FMCSA ensures that an individual has the right to (a) obtain confirmation of whether or not FMCSA has PII relating to
him or her; (b) access the PII related to him or her within a reasonable time, cost, and manner and in a form that is
readily intelligible to the individual; (c) obtain an explanation if a request made under (a) and (b) is denied and
challenge such denial; and (d) challenge PII relating to him or her and, if the challenge is successful, have the data
erased, rectified, completed, or amended.
The Clearinghouse will allow validated drivers access to review their own information upon electronic request.
Because of their required participation in the process, drivers would know about their own positive drug testing results,
-7-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
alcohol concentrations of 0.04 or higher, refusals to test, and whether they have completed the return-to-duty process.
Under the current drug and alcohol testing program,
Under the proposed rule, FMCSA would notify a driver when information concerning that driver has been entered into,
revised, or removed from the Clearinghouse. FMCSA would notify drivers by sending a letter via U.S. mail to the
address on record with the State Driver Licensing Agency that issued the CDL held by the driver. The driver would be
alerted each time a change occurs to his or her record in the Clearinghouse.
The proposed rule would grant drivers the right to review information in the Clearinghouse about themselves except as
otherwise restricted by law, and establishes procedures for drivers to petition FMCSA to correct inaccurate information
in the Clearinghouse. Drivers would be required to submit a petition within 18 months of the date the information in
question was reported to the Clearinghouse. Drivers would need to include information identifying themselves and the
information they want to be corrected, the reasons they believe the information is inaccurate, and evidence supporting
their challenge. Drivers would not be able to challenge the accuracy or validity of the alcohol or controlled substance
test results under these new procedures. Procedures established under this proposed rule would be used to correct
clerical errors, such as attributing drug or alcohol testing results to the wrong driver, reporting an incorrect driver name
or CDL number, misidentifying the type of test performed (i.e., pre-employment screening versus random testing), and
correcting other such inaccuracies in the Clearinghouse. These procedures could also be used to request that an
employer report of actual knowledge of a traffic citation for driving a CMV under the influence of drugs or alcohol be
removed from the Clearinghouse if the citation did not result in a conviction. FMCSA would resolve petitions and notify
drivers of its decisions within 90 days of receiving a complete petition. If the resolution of a petition would affect a
driver’s ability to perform safety-sensitive functions, he or she may request an expedited review. If FMCSA grants an
expedited review, the Agency would inform the driver of its decision within 30 days of receiving a completed petition.
Under the proposed rule a driver may request FMCSA to conduct an administrative review if he or she believes that a
decision was made in error. The driver would submit his or her request in writing to the Associate Administrator for
Enforcement and Program Delivery (MC-E), Federal Motor Carrier Safety Administration, 1200 New Jersey Avenue SE,
Washington, DC 20590. The request must explain the error the driver believes that FMCSA has made and provide
information and/or documents to prove the driver’s argument. FMCSA would complete its administrative review no
later than 60 days after receiving the driver’s request for review and this would constitute final Agency action.
Independent of the provisions provided by the rule, individuals may request access to their own records that are
maintained in a system of records in the possession or under the control of DOT by complying with DOT Privacy Act
regulations found in 49 C.F.R. Part 10. Privacy Act requests for access to an individual’s record must be in writing
(either handwritten or typed), and may be mailed, faxed or emailed. DOT regulations require that the request include a
description of the records sought, the requester’s full name, current address, and date and place of birth. The request
must be signed and either notarized or submitted under penalty of perjury. Additional information and guidance
regarding DOT’s FOIA/PA program may be found on the DOT website. Privacy Act requests concerning information in
the Clearinghouse may be addressed to:
Federal Motor Carrier Safety Administration
Attn: FOIA Team MC-MMI
1200 New Jersey Avenue SE
-8-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
Washington, DC 20590
Statutory Authority and Purpose Specification
DOT should (i) identify the legal bases that authorize a particular PII collection, activity, or technology that impacts
privacy; and (ii) specify the purpose(s) for which its collects, uses, maintains, or disseminates PII.
The Moving Ahead for Progress in the 21st Century Act (MAP-21), enacted on July 6, 2012,5 mandates that the
Secretary of Transportation (Secretary) establish a national clearinghouse for controlled substance and alcohol test
results of commercial motor vehicle operators. The FMCSA also has authority to promulgate safety standards under the
Motor Carrier Safety Act of 1984 (Pub. L. 98-554, Title II, 98 Stat. 2832, October 30, 1984) (the 1984 Act), which
provides authority to regulate drivers, motor carriers, and vehicle equipment and requires the Secretary to prescribe
minimum safety standards for CMVs. The Omnibus Transportation Employee Testing Act (OTETA) of 1991 [Pub. L. 102143, 105 Stat. 952, October 28, 1991], as codified in 49 U.S.C. 31306, mandates the alcohol and controlled substances
testing program for the Department of Transportation (USDOT). An FMCSA predecessor agency published a final rule in
1994 that addressed the OTETA [49 CFR Part 382]. In addition, the “Procedures for Transportation Workplace Drug and
Alcohol Testing Programs” [49 CFR Part 40] establishes requirements for all USDOT-regulated parties, including
employers of drivers with CDLs subject to FMCSA testing requirements. In 2001, FMCSA revised 49 CFR Part 382
(“Controlled Substances and Alcohol Use and Testing”) to make FMCSA controlled substances and alcohol testing
procedures consistent and non-duplicative with 49 CFR Part 40.
FMCSA will use the drug and testing results to combat the problems of CDL holders testing positive for drugs or alcohol
and continuing to operate CMVs without participating in the required return-to-duty process.
As mentioned previously, reporting positive test results would create a database employers could check to determine
whether current or prospective employees are prohibited from operating CMVs under the DOT drug and alcohol
screening program. This would diminish or eliminate the problem of a currently-employed commercial-driver’s-license
(CDL) holder testing positive for illegal drug or alcohol use with a second employer or another potential employer
continuing to operate commercial motor vehicles (CMVs) under his or her current employment without the current
employer knowing and acting on the positive test.
Also, the Clearinghouse as proposed would diminish or eliminate the problem of a driver with previous positive tests
seeking and obtaining work without prospective employers knowing and acting on that information. This could occur if
a driver is fired for a positive test but does not inform prospective or future employers about the previous positive test
result. This could also occur if a new driver entering the workforce tests positive for drugs or alcohol during a preemployment test, waits for the drugs to leave his/her system, then takes and passes another pre-employment test and
gets hired without the employer having any knowledge of the previously failed pre-employment test.
NTSB accident investigators would have access to the CDL driver’s records in the Clearinghouse to determine if CDL
holders involved in accidents under investigation have prior positives or refusals to test, which could require further
investigation into the cause of particular accidents.
5
Pub. L. 112-141, 126 Stat. 405 (July 6, 2012).
-9-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
The other stated purpose for this proposed rule is to combat the problems of employers subject to 49 CFR Part 382 not
having required drug and alcohol testing programs in place. In support of this purpose, this proposed rule would
require all laboratories to submit semi-annual summaries of the results of motor carrier employer drug and alcohol
testing programs to FMCSA. None of the information reported by these laboratories would include PII. 49 CFR Part 40
already requires laboratories to submit individual semi-annual summary data to motor carrier employers. This
proposed rule expands this requirement to include submission of the identical data to FMCSA and would require that
the report also include the motor carrier’s USDOT Number or EIN as part of the summary data. FMCSA would then use
the summary data to confirm that motor carrier employers have a drug and alcohol testing program in place.
Data Minimization & Retention
DOT should collect, use, and retain only PII that is relevant and necessary for the specified purpose for which it was
originally collected. DOT should retain PII for only as long as necessary to fulfill the specified purpose(s) and in
accordance with a National Archives and Records Administration (NARA)-approved record disposition schedule.
The proposed rule would also change the current requirement that permits specimen collectors to use Social Security
numbers or employee ID numbers for the purposes or uniquely identifying individual drivers. Under this proposal,
specimen collectors would not be permitted to record drivers’ Social Security numbers, and the only permitted
employee ID number would be the driver’s CDL number and State of issuance.
This proposed rule would provide that the information remain in the Clearinghouse indefinitely if a driver failed to
complete the return-to-duty process. If certain conditions are met, employers will have access to this information for
either a three or five-year period. Those conditions are: (1) the SAP reports that the driver has successfully completed
the prescribed education and/or treatment as required by 49 CFR 40.305 and is eligible for return-to-duty testing; (2)
the employer or C/TPA reports that the driver has received negative return-to-duty test results; (3) the driver’s present
employer or employer’s consortium (for owner/operators) reports that the driver has successfully completed all followup tests as prescribed in the SAP report in accordance with §§40.307, 40.309, and 40.311; and (4) a specified, yet to be
determined, period of time has passed since the date of the violation determination. The employer access
requirements are based on separate provisions in MAP-21 that can be interpreted to require employers to have access
to this information for either a three or five-year period after the date of the violation determination. 49 U.S.C.
§31306a(f) requires employers to determine whether a driver has had an employment prohibition for a three-year
period prior to hiring while 49 U.S.C. §31306(g)(6) requires the Secretary to retain records in the clearinghouse for five
years.
A discussion of appropriate final record retention and disposition schedule for the Clearinghouse records is being
planned with National Archives and Records Administration (NARA) as part of the development of the System of
Records Notice. It is anticipated that information stored in the Clearinghouse will be retained for as long as
operationally necessary to support FMCSA’s research, audit and enforcement purposes, however employer access will
be limited as discussed above. The final record retention and disposition schedule will be included in the Final Rule and
accompanying update to this PIA.
-10-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
Use Limitation
DOT shall limit the scope of its PII use to ensure that the Department does not use PII in any manner that is not specified
in notices, incompatible with the specified purposes for which the information was collected, or for any purpose not
otherwise permitted by law.
FMCSA would use drug and alcohol testing results for the purposes and uses specified in the Clearinghouse NPRM,
except as authorized by law. FMCSA may use the information in the Clearinghouse to identify and take enforcement
action against motor carriers and CDL drivers that are not in compliance with the Agency’s regulations. FMCSA may
also use the information for research and statistical analysis.
In accordance with 49 U.S.C. 31306a(i), FMCSA would grant the NTSB access to a driver’s information in the
Clearinghouse when that driver is involved in a crash under under investigation by the NTSB.
In accordance with 49 U.S.C. 31306a(h)(2), State Driver’s Licensing Authorities (SDLAs) may use the information to
evaluate whether an individual is qualified to operate a CMV. SDLAs are strictly prohibited from making other use of
the information or further disseminating the information.
In accordance with 49 U.S.C. 31306a(h)(1)(D), employers may only use information obtained from the Clearinghouse to
determine whether a driver is prohibited from operating a CMV. Employers are strictly prohibited from making other
use of the information or further disseminating the information.
Data Quality and Integrity
In accordance with Section 552a(e)(2) of the Privacy Act of 1974, DOT should ensure that any PII collected and
maintained by the organization is accurate, relevant, timely, and complete for the purpose for which it is to be used, as
specified in the Department’s public notice(s).
In proposing the rule, the agency will require a variety of protocols to validate and verify that the information collected
in the database is associated with the correct person in order to ensure the accuracy and reliability and of the data
collected. Those protocols include using a driver’s CDL number and state of issuance as a unique identifier, as described
above in the section entitled “Description of Commercial Driver’s License Drug and Alcohol Clearinghouse Rulemaking
on Personal Information of General Public.” In addition, Section 382.717 of the proposed rule would establish a twotiered administrative review process that would allow drivers to request that FMCSA investigate and correct
inaccurately reported information.
FMCSA would ensure that the PII collected, used, and maintained in Clearinghouse is relevant to the purposes for which
it is to be used and, to the extent necessary for those purposes it is accurate, complete, and up-to-date. FMCSA also
ensures that proper access controls, information input restrictions, data validity checks, error handling mechanisms,
information output handling and audit logs, and accountability are in place.
-11-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
Security
DOT shall implement administrative, technical, and physical measures protect PII collected or maintained by the
Department against loss, unauthorized access, or disclosure, as required by the Privacy Act, and to ensure that
organizational planning and responses to privacy incidents comply with OMB policies and guidance.
PII is protected by reasonable security safeguards against loss or unauthorized access, destruction, misuse,
modification, or disclosure. These safeguards incorporate standards and practices required for federal information
systems under FISMA and the information security standards issued by NIST, including Federal Information Processing
Standards (FIPS) Publication 200 and NIST SP 800-53 Revision.3, Recommended Security Controls for Federal
Information Systems. FMCSA has a comprehensive information security and privacy program that contains
administrative, technical, and physical safeguards that are appropriate for the protection of data. These safeguards are
designed to achieve the following objectives:
•
•
•
Ensure the security and confidentiality of PII
Protect against any reasonably anticipated threats or hazards to the security or integrity of PII
Protect against unauthorized access to or use of PII
The Clearinghouse will maintain an auditing function that tracks all user activities in relation to data including access and
modification. Through technical controls including firewalls, intrusion detection, encryption, access control list, and
other security methods, FMCSA will prevent unauthorized access to data stored in its Clearinghouse. These controls will
meet Federally mandated information assurance and privacy requirements.
Except as summarized in Appendix A, no person or entity would be permitted to access the Clearinghouse. No person or
entity would be able to share, distribute, publish, or otherwise release any information in the Clearinghouse except as
specifically authorized by law. Reporting inaccurate or misleading information to the Clearinghouse would be expressly
prohibited. The Clearinghouse will have controls to limit access based on user roles and responsibilities, need to know,
least privilege, and separation of duties. These roles will be approved by the Clearinghouse System Owner and any
changes in role will need further approval prior to implementation. The Clearinghouse personnel, including government
personnel and contractors, are required to take annual security awareness and privacy training offered by FMCSA and
role-specific training. This will allow individuals with varying roles to understand how privacy impacts their role and
retain knowledge of how to properly and securely act in situation where they may use PII in the course of performing
their duties.
The Clearinghouse will undergo the security authorization process under the National Institute of Standards and
Technology prior to attaining full operational status.
Accountability and Auditing
DOT shall implement effective governance controls, monitoring controls, risk management, and assessment
controls to demonstrate that the Department is complying with all applicable privacy protection requirements and
minimizing the privacy risk to individuals.
As required by 49 USC 31306a(d), FMCSA will follow the Fair Information Practice Principles for the protection of PII
associated with the implementation of the Commercial Driver’s License Drug and Alcohol Clearinghouse. In addition to
-12-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
these practices, additional policies and procedures will be consistently applied, especially as they relate to protection,
retention, and destruction of records.
As with any collection of PII, there is a risk of misuse of the information. To mitigate the risk, FMCSA would restrict
access to the Clearinghouse by establishing strict registration procedures for employers and service agents. Registrants
would be required to provide names, addresses, telephone numbers, and other information necessary to validate
identity. Employers would be required to submit USDOT Numbers or EINs as well as the names of all persons
authorized to access the Clearinghouse on behalf of the employer. C/TPAs would be required to supply similar
information. Employers would be required to designate authorized C/TPAs and drivers would be required to designate
authorized SAPs before a C/TPA or SAP can be granted access to enter information into the Clearinghouse on behalf of
that employer or driver. MROs and SAPs would be required to provide evidence that they meet DOT qualifications and
training requirements. Employers and C/TPAs would be required to update annually the names of the people they
authorize to access the Clearinghouse. This information would be submitted via a protected website with a specific
registration protocol for MROs and SAPs. The initial registration term would be five years unless FMCSA has taken
action to revoke or cancel it. FMCSA would also cancel registrations that are inactive for two years. FMCSA proposes to
prohibit anyone from knowingly reporting false or inaccurate information. FMCSA would have the right to revoke the
registration of anyone who fails to comply with any of the prescribed rights and restrictions on accessing the
Clearinghouse, which would include (but not be limited to) submission of inaccurate information, misuse or
misappropriation of access rights, misuse of protected information, and failure to maintain the requisite qualifications,
certifications, or training requirements included in 49 CFR Part 40. Anyone violating these provisions would be subject
to the civil and criminal penalties included in 49 CFR Part 382.507 as well as any other applicable penalties.
A driver would be required to provide written consent to FMCSA before a current or prospective employer could obtain
access to information about that driver in the Clearinghouse. No employer motor carrier would be allowed to employ a
driver that refuses to grant consent.
In addition, FMCSA is responsible for identifying, training, and holding agency personnel accountable for adhering to
agency privacy and security policies and regulations. FMCSA has incorporated its Best Practices for Protection of PII in
the design and implementation process for the Clearinghouse. The Clearinghouse would include an event log and audit
trail capability. FMCSA proposes to prohibit the known submission of false or inaccurate information to the
Clearinghouse. Violations of such prohibitions would be subject to civil and criminal penalties.
Responsible Official
Juan Moya
FMCSA Office of Enforcement and Compliance
202-366-4844
[email protected]
Approval and Signature
Claire W. Barrett
DOT Chief Privacy & Information Asset Officer
[email protected]
-13-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
Appendix A – Summary of Responsibilities and Data Access
Table 1 summarizes the obligations of each entity responsible for reporting information to the Clearinghouse database.
Reporting Entity
Prospective
Employer of CDL
Driver
Current Employer
of CDL Driver
MRO
-
When Information Would Be Reported to Clearinghouse
Positive pre-employment test result
Refusal to test (drug) not requiring a determination by the MRO as specified in
49 CFR 40.191
Positive alcohol test result
Refusal to test (alcohol) as specified in 49 CFR 40.261
Refusal to test (drug) not requiring a determination by the MRO as specified in
49 CFR 40.191
Citations (DUI in a CMV)
Negative return-to-duty test results (drug and alcohol testing, as applicable)
Completion of follow-up testing
Verified positive, adulterated, or substituted drug test result
Refusal to test (drug) requiring a determination by the MRO as specified in 49
CFR 40.191
Positive alcohol test result
Refusal to test (alcohol) as specified in 49 CFR 40.261
Refusal to test (drug) not requiring a determination by the MRO as specified in
49 CFR 40.191
Negative return-to-duty test results (drug and alcohol testing, as applicable)
Positive alcohol test result
Refusal to test (alcohol) as specified in 49 CFR 40.261
Refusal to test (drug) not requiring a determination by the MRO as specified in
49 CFR 40.191
Third Party
Administrator (if
designated by
employer to report
on its behalf)
Consortium
(reporting for
owner/ operators)
-
SAP
- Successful completion of treatment and/or education and the determination of
eligibility for return-to-duty testing
- Follow-up testing requirements
-
Table 1 - Reporting Entities and Circumstances
Table 2 summarizes the conditions under which entities would be able to view information in the Clearinghouse.
Querying
Type of Data Obtained
Requirements to Obtain Data
Entity
Prospective Employer
Records in the Clearinghouse pertaining to Employer obtains written consent
of CDL Driver (full
the applicant concerning:
from driver.
query)
- positive alcohol test result;
- verified positive, adulterated, or
substituted drug test result;
- refusal to test (alcohol or drug)
- citations (actual knowledge)
- return-to-duty negative test result
- follow-up testing program
information
-14-
�Federal Motor Carrier Safety Administration
Querying
Entity
Current Employer of
CDL Driver (full query)
Drug & Alcohol Clearinghouse NPRM
Type of Data Obtained
Requirements to Obtain Data
Records in the Clearinghouse pertaining to
the CDL driver concerning:
- positive alcohol test result
- verified positive, adulterated, or
substituted drugs test result;
- refusal to test (alcohol or drug)
- citations (actual knowledge)
- return-to-duty negative test result
- follow-up testing program
information
Notice of whether information for the
driver exists in the Clearinghouse
Employer obtains written consent
from driver.
CDL Driver
Records in the Clearinghouse pertaining to
the CDL driver
Specific request of the CDL driver;
FMCSA verifies driver identity.
MRO
SAP
Consortium (full
query)
No access
No access
Records in the Clearinghouse pertaining to
the CDL driver concerning:
- positive alcohol test result
- verified positive, adulterated, or
substituted drugs test result;
- refusal to test (alcohol or drug)
- citations (actual knowledge)
- return-to-duty negative test result
- follow-up testing program
information
Notice of whether information for the
driver exists in the Clearinghouse
Access limited to authority delegated by
employer to review data in Clearinghouse
Current Employer of
CDL Driver (limited
query)
Consortium
(limited query)
Third Party
Administrator
FMCSA
NTSB
Full access
Records of driver involved in accidents
under investigation
Employer obtains written consent
for a limited query
Consortium obtains written
consent for a full query.
Consortium obtains written
consent for a limited query.
TPA obtains written consent for a
limited or full query;
TPA must have specific written
consent from the employer of the
CDL driver
No consent required
No consent required
Table 2 - Querying Entities and Information Obtained from the Clearinghouse
-15-
�Federal Motor Carrier Safety Administration
Drug & Alcohol Clearinghouse NPRM
Table 3 summarizes the types of queries that an employer is required to conduct.
Type of Query
Full query
Full query
Limited query
Type of Consent
Employer obtains
written consent from
driver
Employer obtains
written consent from
driver
Employer must obtain
and maintain written
consent for at least 3
years following the
query
When Required
Pre-employment
screening
Type of Data Obtained
Information on driver’s drug
and alcohol test results
Annual query results
show that the driver
has drug or alcohol
testing information in
the Clearinghouse
Annually
Information on driver’s drug
and alcohol test results
Table 3 - Types of Queries
-16-
Notice of whether information
for the driver exists in the
Clearinghouse
�
| File Type | application/pdf |
| Author | Claire W. Barrett |
| File Modified | 2014-02-20 |
| File Created | 2014-02-20 |