Pta

PTA, TSA - EXIS, 20180123, PRIV Final.pdf

Exercise Information System

PTA

OMB: 1652-0057

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
202-343-1717, [email protected]
www.dhs.gov/privacy

PRIVACY THRESHOLD ANALYSIS (PTA)
This form serves as the official determination by the DHS Privacy Office to
identify the privacy compliance requirements for all Departmental uses of
personally identifiable information (PII).
A Privacy Threshold Analysis (PTA) serves as the document used to identify
information technology (IT) systems, information collections/forms, technologies,
rulemakings, programs, information sharing arrangements, or pilot projects that involve
PII and other activities that otherwise impact the privacy of individuals as determined by
the Chief Privacy Officer, pursuant to Section 222 of the Homeland Security Act, and to
assess whether there is a need for additional Privacy Compliance Documentation. A PTA
includes a general description of the IT system, information collection, form, technology,
rulemaking, program, pilot project, information sharing arrangement, or other Department
activity and describes what PII is collected (and from whom) and how that information is
used and managed.
Please complete the attached Privacy Threshold Analysis and submit it to your
component Privacy Office. After review by your component Privacy Officer the PTA is sent
to the Department’s Senior Director for Privacy Compliance for action. If you do not have a
component Privacy Office, please send the PTA to the DHS Privacy Office:
Senior Director, Privacy Compliance
The Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528
Tel: 202-343-1717
[email protected]

Upon receipt from your component Privacy Office, the DHS Privacy Office will review this
form and assess whether any privacy compliance documentation is required. If compliance
documentation is required – such as Privacy Impact Assessment (PIA), System of Records
Notice (SORN), Privacy Act Statement, or Computer Matching Agreement (CMA) – the DHS
Privacy Office or component Privacy Office will send you a copy of the relevant compliance
template to complete and return.
Privacy Threshold Analysis – IC/Form

Page 1 of 11

Version number: 04-2016

Privacy Threshold Analysis (PTA)

Specialized Template for
Information Collections (IC) and Forms
The Forms-PTA is a specialized template for Information Collections and Forms. This
specialized PTA must accompany all Information Collections submitted as part of the
Paperwork Reduction Act process (any instrument for collection (form, survey,
questionnaire, etc.) from ten or more members of the public). Components may use this PTA
to assess internal, component-specific forms as well.
Form Number: 1652-0057
Form Title: Exercise Information System (EXIS)
Component: Transportation Security Administration (TSA)
Office: OIT

IF COVERED BY THE PAPERWORK REDUCTION ACT:
Collection Title: EXIS
OMB Control Number: 1652-0057
OMB Expiration Date: April 30, 2018
Collection status: Revision
Date of last PTA (if applicable): March 21, 2017

PROJECT OR PROGRAM MANAGER
Name: Jeffrey Graves
Office: Click here to enter text.
Title: System Owner
Phone: 571-227-3575
Email: [email protected]

COMPONENT INFORMATION COLLECTION/FORMS CONTACT
Name: Glenn Stoll
Office: Information Management Program Section (IMPS)
Title: IMPS Director, Forms Management Officer
Phone: 571-227-5175
Email: [email protected]

SPECIFIC IC/Forms PTA QUESTIONS
1. Purpose of the Information Collection or Form
a. Describe the purpose of the information collection or form. Please provide a
general description of the project and its purpose, including how it supports the DHS
mission, in a way a non-technical person could understand (you may use
information from the Supporting Statement).
If this is an updated PTA, please specifically describe what changes or upgrades are
triggering the update to this PTA.
The Exercise Information System (EXIS) is a voluntary, online tool developed by TSA to
fulfill requirements of the Implementing Recommendations of the 9/11 Commission Act
of 2007. These statutory requirements led to the development of the Intermodal Security
Training Exercise Program (I-STEP) for the Transportation Systems Sector (TSS). EXIS is
used by TSS stakeholders to conduct security exercises, including publicly- or privately-owned transportation companies or assets. TSA collects five kinds of information online
from transportation stakeholders: (1) user registration information; (2) nature and
scope of exercise; (3) corrective actions/lessons learned/best practices; (4) evaluation
feedback on EXIS itself; and (5) After-Action Reports.
b. List the DHS (or component) authorities to collect, store, and use this information.
If this information will be stored and used by a specific DHS component, list the
component-specific authorities.
Implementing Recommendations of the 9/11 Commission Act of 2007 (Pub. L. 110-53); ATSA (Pub. L. 107-71)

2. Describe the IC/Form
a. Does this form collect any Personally Identifiable Information (PII 1)?
☒ Yes
☐ No

b. From which type(s) of individuals does this form collect information? (Check all that apply.)
☒ Members of the public
   ☒ U.S. citizens or lawful permanent residents
   ☒ Non-U.S. Persons.
☒ DHS Employees
☒ DHS Contractors
☒ Other federal employees or contractors.

1 Personally identifiable information means any information that permits the identity of an individual to be directly or indirectly inferred, including
any other information which is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident,
visitor to the U.S., or employee or contractor to the Department.

c. Who will complete and submit this form? (Check all that apply.)
☐ The record subject of the form (e.g., the individual applicant).
☐ Legal Representative (preparer, attorney, etc.).
☒ Business entity.
   If a business entity, is the only information collected business contact information?
   ☒ Yes
   ☐ No
☐ Law enforcement.
☐ DHS employee or contractor.
☐ Other individual/entity/organization that is NOT the record subject. Please describe.
Click here to enter text.

d. How do individuals complete the form? Check all that apply.
☐ Paper.
☐ Electronic. (ex: fillable PDF)
☒ Online web form. (available and submitted via the internet)
Provide link: https://exis.tsa.dhs.gov/default.aspx

e. What information will DHS collect on the form? List all PII data elements on the
form. If the form will collect information from more than one type of individual,
please break down list of data elements collected by type of individual.
User’s Name; Agency/Organization Name and Type; Job Title; Supervisor or other
Sponsor’s Name; Professional Phone Number; Professional Email Address;
Employment Verification Contact Name; Employment Verification Contact
Information (city, state, and zip code; phone number, and email address); user’s
login, password, & knowledge-based security questions & answers as well as the
Reason for Needing an EXIS account. In addition, the following optional
registration information can be added by the user: Professional (business),
country; City; State; Zip Code; Mobile Phone Number; Alternate Email; and
Preferred Transportation Sector.

f. Does this form collect Social Security number (SSN) or other element that is
stand-alone Sensitive Personally Identifiable Information (SPII)? Check all that
apply.
☐ Social Security number
☐ DHS Electronic Data Interchange Personal Identifier (EDIPI)
☐ Alien Number (A-Number)
☐ Social Media Handle/ID
☐ Tax Identification Number
☐ Known Traveler Number
☐ Visa Number
☐ Trusted Traveler Number (Global Entry, Pre-Check, etc.)
☐ Passport Number
☐ Bank Account, Credit Card, or other financial account number
☐ Driver’s License Number
☐ Biometrics
☐ Other. Please list:
NA

NA

g. List the specific authority to collect SSN or these other SPII elements.

h. How will this information be used? What is the purpose of the collection?
Describe why this collection of SPII is the minimum amount of information
necessary to accomplish the purpose of the program.
i. Are individuals provided notice at the time of collection by DHS (Does the records subject have notice of the collection or is form filled out by third party)?
☒ Yes. Please describe how notice is provided.
The form is completed directly by the EXIS participant. The EXIS registration form includes a Privacy Act statement as well.
☐ No.

3. How will DHS store the IC/form responses?

a. How will DHS store the original, completed IC/forms?
☐ Paper. Please describe.
Click here to enter text.
☒ Electronic. Please describe the IT system that will store the data from the form.
Information is automatically stored in EXIS backend.
☐ Scanned forms (completed forms are scanned into an electronic repository). Please describe the electronic repository.
Click here to enter text.

b. If electronic, how does DHS input the responses into the IT system?
☐ Manually (data elements manually entered). Please describe.
Click here to enter text.
☒ Automatically. Please describe.
Click here to enter text.

c. How would a user search the information submitted on the forms, i.e., how is the information retrieved?
☒ By a unique identifier. 2 Please describe. If information is retrieved by personal identifier, please submit a Privacy Act Statement with this PTA.
User name.
☐ By a non-personal identifier. Please describe.
Click here to enter text.

d. What is the records retention schedule(s)? Include the records schedule number.
1600.3.1-a(1) Community Creator User Profiles: Cutoff at the end of the calendar year; destroy/delete 10 years after cutoff. (N1-560-11-5, Item 1a(1))
1600.3.1-a(2) All other user profiles: Cutoff after 1 year of inactivity or termination of account; destroy/delete 3 years after cutoff. (N1-560-11-5, Item 1a(2))
1600.3.1-b Exercise Packages: Cutoff at the end of the calendar year. Destroy/delete 10 years after cutoff. (N1-560-11-5; Item 1b)

2
Generally, a unique identifier is considered any type of “personally identifiable information,” meaning any information that permits the identity
of an individual to be directly or indirectly inferred, including any other information which is linked or linkable to that individual regardless of
whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.

1600.3.1-c Communities: Cutoff at the end of the calendar year; Destroy/delete 10 years after cutoff. (N1-560-11-5; Item 1c)

e. How do you ensure that records are disposed of or deleted in accordance with the retention schedule?
Community creator profiles, exercise packages, and community records are cut-off at the end of every
calendar year, then periodically reviewed to identify and delete any that are over 10 years old. Regular
user profiles are reviewed annually and any inactive or terminated user profiles (for at least one year) are
cut-off, then reviewed periodically and those older than 3 years are deleted.

f. Is any of this information shared outside of the original program/office? If yes,
describe where (other offices or DHS components or external entities) and why.
What are the authorities of the receiving party?
☐ Yes, information is shared with other DHS components or offices. Please describe.
Click here to enter text.
☐ Yes, information is shared external to DHS with other federal agencies, state/local
partners, international partners, or non-governmental entities. Please describe.
Click here to enter text.
☒ No. Information on this form is not shared outside of the collecting office.

Please include a copy of the referenced form and Privacy Act Statement (if
applicable) with this PTA upon submission.

PRIVACY THRESHOLD REVIEW
(TO BE COMPLETED BY COMPONENT PRIVACY OFFICE)
Component Privacy Office Reviewer: Jennifer L. Schmidt
Date submitted to component Privacy Office: December 19, 2017
Date submitted to DHS Privacy Office: January 5, 2018

Have you approved a Privacy Act Statement for this form? (Only applicable if you have received a
waiver from the DHS Chief Privacy Officer to approve component Privacy Act Statements.)
☒ Yes. Please include it with this PTA submission. See below.
☐ No. Please describe why not.
Click here to enter text.

Component Privacy Office Recommendation:
Please include recommendation below, including what existing privacy compliance
documentation is available or new privacy compliance documentation is needed.
TSA Privacy recommends approval of this PTA. EXIS is a privacy sensitive system as
it collects PII from members of the public. Existing PIA coverage is provided by
DHS/ALL-006 DHS General Contact Lists. SORN coverage is necessary because
records are retrieved by a unique personal identifier. SORN coverage is provided by
DHS/ALL-004 General Information Technology Access Account Records System and
DHS/ALL 002, DHS Mailing and Other Lists System.
Privacy Act Statement:
AUTHORITY: 49 USC § 114(f)(15); 6 USC §§ 1136(a), 1167, and 1183.

PRINCIPAL PURPOSE(S): This information will be used to grant individuals access to EXIS.
ROUTINE USE(S): This information may be shared in accordance with the Privacy Act of
1974, 5 USC § 552(a), for routine uses identified in the DHS system of records, DHS/ALL-004
General Information Technology Access Account Records System and DHS/ALL 002
DHS Mailing and Other Lists System, or as further described in the Privacy Impact
Assessment, DHS/ALL/PIA-006 DHS General Contact Lists and subsequent updates,
available at www.dhs.gov/privacy.
DISCLOSURE: Furnishing this information is voluntary;
however, failure to provide the requested information will prevent TSA from being able to
grant an individual’s access request to EXIS.

PRIVACY THRESHOLD ADJUDICATION

(TO BE COMPLETED BY THE DHS PRIVACY OFFICE)
DHS Privacy Office Reviewer: Sean McGuinness
PCTS Workflow Number: 1156615
Date approved by DHS Privacy Office: January 23, 2018
PTA Expiration Date: January 23, 2021

DESIGNATION

Privacy Sensitive IC or Form: Yes If “no” PTA adjudication is complete.

Determination:
☐ PTA sufficient at this time.
☐ Privacy compliance documentation determination in progress.
☐ New information sharing arrangement is required.
☐ DHS Policy for Computer-Readable Extracts Containing SPII applies.
☒ Privacy Act Statement required.
☒ Privacy Impact Assessment (PIA) required.
☒ System of Records Notice (SORN) required.
☐ Specialized training required.
☐ Other.

DHS IC/Forms Review: DHS PRIV has not received this ICR/Form.
Date IC/Form Approved by PRIV: Click here to enter a date.
IC/Form PCTS Number:
Privacy Act Statement: Privacy Act Statement approved concurrently with this PTA
PTA: Choose an item.
System PTA for EXIS approved April 10, 2017
PIA:
If covered by existing PIA, please list:
If a PIA update is required, please list: DHS/ALL/PIA-006 General Contact Lists
SORN:
If covered by existing SORN, please list:
If a SORN update is required, please list: DHS/ALL-004 General Information Technology Access Account Records System January 18, 2007, 72 FR 2294 and DHS/ALL 002 DHS Mailing and Other Lists System November 25, 2008, 73 FR 71659
DHS Privacy Office Comments:
Please describe rationale for privacy compliance determination above.

DHS Privacy Office finds that the Exercise Information System (EXIS) form is privacy
sensitive as it collects PII from members of the public (to include U.S. citizens or
lawful permanent residents and non-U.S. persons), DHS employees/contractors, and
other federal employees or contractors.
EXIS is an Internet-accessible knowledge management system or e-tool that allows
industry stakeholders to design and execute their own security exercises within the
transportation industry. This form collects contact information to grant individuals
access to EXIS.
PRIV agrees with TSA Privacy that PIA coverage is provided under DHS/ALL/PIA-006
General Contact List. The General Contact Lists PIA outlines how DHS collects
contact information in order to distribute information and perform various other
administrative tasks.
PRIV agrees with TSA Privacy that SORN coverage is provided under DHS/ALL-004
GITAARS and DHS/ALL-002 DHS Mailing and Other Lists System. DHS/ALL-004
GITAARS outlines the collection of information from DHS employees in order to
provide authorized individuals with access to DHS information technology
resources. DHS ALL-002 outlines how DHS components maintain records for the
purpose of mailing informational literature or responses to those who request it;
maintaining lists of individuals who attend meetings; maintaining information
regarding individuals who enter contests sponsored by DHS; and for other purposes
for which mailing or contact lists may be created.
A Privacy Act Statement is required as this form retrieves information via unique
identifier. A Privacy Act Statement for this form is being approved concurrently with
this PTA.

File Type: application/pdf
File Title: DHS PRIVACY OFFICE
Author: marilyn.powell
File Modified: 2018-01-23
File Created: 2018-01-23
