Privacy Threshold Assessment for OE/AAA System

Privacy - FAA - OEAAA - PTA - Adjudicated - 063014.pdf

Notice of Landing Area Proposal

OMB: 2120-0036

Privacy Threshold Assessment (PTA)

Obstruction Evaluation / Airport Airspace Analysis (OE/AAA)
Federal Aviation Administration (FAA) / Air Traffic Organization

6/30/2014

Claire W. Barrett
DOT Chief Privacy & Information Asset Officer
Signed by: CLAIRE W BARRETT

DOT Privacy Program

Compliance Documentation
Privacy Threshold Assessment (Template v1.2)

Privacy Threshold Analysis (PTA)
The PTA is used to assist in determining the need for privacy and other information collection
compliance documentation for a particular system, business activity, program, information
collection, and/or technology.
Under the E-Government Act of 2002 (P.L. 107-347), system owners and developers are
required to complete Privacy Impact Assessments (“PIAs”) to determine the privacy implications
of projects/systems that handle information in an identifiable form.1 The Privacy Threshold
Assessment (PTA) supports the analysis used to determine whether a PIA is required for your
project/system. A PTA is required for every IT system, rulemaking, or program’s use of PII at
the Department. Additionally, the responses are used to alert other information asset
stakeholders to the existence of a project/system so that they may identify any additional
requirements relative to their area of responsibilities. After completing this form, please return it
to your Operating Administration’s (OA) line of business (LOB) Privacy Office (PO).
Upon receipt, the LOB Privacy Office will review your response and may request additional
information. When the LOB Privacy Office has determined that the PTA is both complete and
accurate it will be forwarded to the FAA Privacy Office and then the DOT Privacy Office for
final adjudication. Please DO NOT send the PTA directly to the FAA or DOT Privacy Office;
PTAs received by the FAA or DOT Privacy Office directly from program/system owners will
not be adjudicated. If the DOT Privacy Office determines that a Privacy Impact Assessment
(PIA) and/or System of Records Notice (SORN) are required, you will be notified and
appropriate templates sent to you. If other compliance documentation and/or activities are
needed, then those requirements will be included in the PTA adjudication.
If you have questions or require assistance to complete the PTA please contact your LOB
Privacy Office or the FAA Privacy Office at 9-AWA-PTA/AWA/FAA.
PTAs expire and must be reviewed and re-certified not less than every three years.
Note: To ensure that ALL project/technology/systems are appropriately reviewed for privacy
risk a PTA must be submitted for each project/technology/system. There is no distinction made
between national security systems or technologies/systems managed by contractors.

1 For the purposes of the PTA the term “system” refers to a project, technology system, business activity, program
and/or technology.

September 20, 2013

PROGRAM MANAGEMENT
DATE submitted for review: DOT reviewed 4/21/2014, FAA responses 5/8/2014
NAME of Project/Technology/System: Obstruction Evaluation / Airport Airspace Analysis
(OE/AAA)
Name of Project/Technology/System in CSAM: Obstruction Evaluation / Airport Airspace
Analysis (OE/AAA)
NAME of Project/Technology/System MANAGER: John Page
EMAIL for Project/System MANAGER: [email protected]
Phone number for Project/System Manager: 202-267-9354

1 SUMMARY INFORMATION
1.1 Project TYPE
Information Technology and/or System2
A Notice of Proposed Rule Making or a Final Rule
This activity initiates a new electronic collection of information in an
identifiable form from 10 or more members of the public.
Other: <>

1.2 System DESCRIPTION and PURPOSE
Obstruction Evaluation and Airport Airspace Analysis (OE/AAA) is a system that helps
defend against encroachment of obstacles on navigable airspace. All proposed
construction must be evaluated to determine if it affects airspace at an airport. OE/AAA
is the repository for case files of construction, alteration, establishment or expansion of a
structure or sanitary landfill regarding air commerce and the efficient use and
preservation of the navigable airspace and of airport traffic capacity at public-use
airports.

2 The E-Government Act of 2002 defines these terms by reference to the definition sections of Titles 40 and 44 of
the United States Code. The following is a summary of those definitions: “Information Technology” means any
equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage,
manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data
or information. See 40 U.S.C. § 11101(6). “Information System” means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
See: 44 U.S.C. § 3502(8).

The FAA is responsible for issuing a determination based on extensive analysis
completed in accordance with 49 United States Code (USC) Section 44718 and Title 14
of the Code of Federal Regulations (14 CFR), parts 77 & 157. By regulation or by order
when necessary, the Secretary of Transportation shall require a person to give adequate
public notice to the FAA of construction, alteration, establishment or expansion of a
structure or sanitary landfill when notice will promote safety in air commerce and the
efficient use and preservation of the navigable airspace and of airport traffic capacity at
public-use airports. On completing the study, the FAA will issue a report disclosing
completely the extent of the adverse impact on the safe and efficient use of the navigable
airspace that it finds will result from constructing or altering the structure.
The FAA requires the sponsor of the construction to provide contact information (Name,
address, telephone/fax number, email address) about the sponsor and representative. This
is required within OE/AAA to maintain a means of contacting parties responsible for the
filing. The OE/AAA Public web site (https://oeaaa.faa.gov) makes available to the
public, via display or download, the contact information as part of the case record.
The FAA also maintains contact mailing list information within OE/AAA of all known
aviation interested persons and groups that may be contacted to provide input to an
aeronautical study when Public Notice and a comment period are warranted. Interested
persons voluntarily provide their name, address, telephone/fax number and email address
to the FAA in order to participate in this process. Searches are performed primarily using
the case record number. OE/AAA exchanges data with internal and external systems.
Contact mailing lists are compiled using a specific set of latitude/longitude coordinates
and specified radii. When a mailing list is used for a specific case it is retrieved using the
file/case number. Any other contact mailing list not related to a specific file/case would
be generated using manually entered lat/long and radius. The system takes the given
lat/long and radius information and queries the database to compile the recipient contacts
that have specified their area of interest within the search parameters.
Records are stored and retrieved by file/case numbers.
1.3 If this system is a technology or system, does it relate solely to INFRASTRUCTURE?
(For example, is the system a Local Area Network [LAN] or Wide Area Network
[WAN]?)
No
Yes
Is there a log kept of communication traffic?
No Please continue to the next question.
Yes Monthly Website Hit Statistics, Daily Usage Statistics, Top 40 URLs, Top
10 entry pages, Top 40 referrers, Top 5 Users, Usage by Country. Additionally,
audit logs including user names, passwords, IP addresses, contact information,
time and date stamps and login/logout records are kept for configuration
management and to track general usage and establish accountability of user
activity.

2 INFORMATION COLLECTION
2.1 SUBJECTS of Collection
Identify for which subject population(s) the system3 collects, maintains, or disseminates
information in an identifiable form 4 (Check all that apply)
Members of the public.
Members of the DOT federal workforce.
Members of non-DOT federal workforce including Transportation Security
Administration (TSA) and US Coast Guard (USCG).
Members of the DOT contract workforce.
None of the above. Please skip ahead to question 2.6.

2.2 Could the system relate to or provide information in an IDENTIFIABLE FORM about
individuals?5
No. Please skip ahead to question 2.6.
Yes Contact information of Sponsor/Representative and Interested Party.

2.3 What INFORMATION ABOUT INDIVIDUALS6 could be collected, generated or
retained?
Sponsor/Representative
Name, address, telephone/fax number, email address, and internet protocol (IP) addresses.
Contact information is not limited to business contact information and may include home
information.
Interested Party
Name, address, telephone/fax number and email address.

3 For the purposes of the PTA the term “system” should be understood to mean “program” and or “technology” as
appropriate.
4 In the E-Government Act of 2002, “information in an identifiable form” is defined as “information in an IT system
or online collection: (i) that directly identifies an individual (e.g., name, address, social security number or other
identifying number or code, telephone number, email address, etc.), or (ii) by which an agency intends to identify
specific individuals in conjunction with other data elements; i.e., indirect identification. (These data elements may
include a combination of gender, race, birth date, geographic indicator and other descriptors.)”
5 Projects can relate to individuals in a number of ways. For example, a project may include a camera for the
purpose of watching a physical location. Individuals may walk past the camera and images of those individuals may
be recorded. Projects could also relate to individuals in more subtle ways.
6 Individual is not limited to live US nationals, DOT policy is to cover all humans, living or dead, regardless of
nationality.

2.4 Will this collection be retained in a Privacy Act SYSTEM of RECORDS?
No
Yes
Is there an existing System of Records Notice (SORN)?
No
Yes
SORN:

2.5 Does the system use or collect SOCIAL SECURITY NUMBERS (SSNs)? (This
includes truncated SSNs)
No
Yes <>

2.6 Does the system EXCHANGE (receive and/or send) DATA from another internal
(DOT) system or business activity?
No
Yes The OE/AAA System exchanges data including contact information for the
sponsor and representative with the Federal NOTAMs System (FNS). The OE/AAA
System exchanges data, excluding sponsor/representative contact information (i.e.,
latitude/longitude, structure height, etc.), with National Flight Data Center (NFDC),
Aero Nav Services, Aviation Safety-Flight Standards Service (AFS-460) and Sector
Design Analysis Tool (SDAT). OE/AAA does not share contact mailing information
about interested parties.

2.7 Does the system EXCHANGE (receive and/or send) DATA from another external
(non-DOT) system or business activity?
No
Yes The OE/AAA System exchanges data including contact information for the
sponsor and representative with US Navy’s Mission Compatibility Assessment Tool
(MCAT), and the Federal Communications Commission’s (FCC) Antenna Structure
Registration (ASR) system. The OE/AAA System does not send data to, but does receive
data from, the United States Census Bureau, United States Geological Survey (USGS),
Environmental Systems Research Institute (ESRI), National Geospatial-Intelligence
Agency (NGA), US Air Force 84th Radar Evaluation Squadron (USAF 84th RADES),
and the National Oceanic and Atmospheric Administration (NOAA); this data does
not include sponsor/representative contact information.

2.8 Does the system have an approved RECORDS DISPOSITION schedule?
No

Yes Schedule #N1-237-77-03, Item 64, approved 12/02/77, 2.
Obstruction Evaluation Case Files.
Documents relating to aeronautical studies of the effect of proposed construction or
alteration on the use of navigable airspace.
a. Files containing information on structures that do not exceed obstruction standards of
FAR Part 77. Destroy when 3 years old. NC1-237-77-3 Item 64, Approved 12/2/77
b. Files containing information on structures that exceed obstruction standards of FAR
Part 77 and which were circularized for comment and/or of a controversial nature.
Transfer closed files to FRC when 3 years old. Destroy when structure is dismantled.
NC1-237-77-3 Item 64, Approved 12/2/77
Schedule #N1-237-75-04, Item 7, approved 4/21/75
AIRSPACE ANALYSIS OF AIRPORTS - Airport Airspace Analysis Case Files.
Documents relating to aeronautical studies of the effect of proposed construction,
alteration, activation, and deactivation of airports on the use of airspace.
PERMANENT. Transfer closed case files to FRC when 5 years old. Offer to NARA
when 10 years old. NC-237-75-4 Item 7, Approved 4/21/75
This schedule was approved by the Records Information Management Office (RIMP) on
9/9/2013 #9887.

3 PROJECT LIFECYCLE
3.1 Was this system IN PLACE prior to 2002?
Yes. 2001
No.
This is a new development effort
This is an existing project
Date first developed: 2000
Date last: 6/27/2013

3.2 Has the system been MODIFIED in any way since 2002?
No.
Yes. Enhancements are made quarterly to incorporate user requested functionality.
These enhancements do not include changes to data elements.

3.3 Has the CERTIFICATION & ACCREDITATION (C&A) been completed?
Unknown
Under Development
Expected Date of Completion: <> (Note:
this only applies to non C&A’ed systems)
No.
Yes.
Date of Authority to Operate (ATO): 08/26/2010
Please indicate the determinations for each of the following:
Confidentiality:
Low
Moderate
High
Undefined
Integrity:
Low
Moderate
High
Undefined
Availability:
Low
Moderate
High
Undefined
Not Applicable

TO BE COMPLETED BY THE DOT PRIVACY OFFICE
Adjudication Review COMPLETED: June 30, 2014
DOT Privacy Office REVIEWER: Claire W. Barrett
DESIGNATION
This is NOT a Privacy Sensitive System – the system contains no Personally
Identifiable Information.
This IS a Privacy Sensitive System
IT System.
National Security System.
Legacy System.
HR System.
Rule.
Other:
DETERMINATION
PTA is sufficient at this time.
Privacy compliance documentation determination in progress.
PIA
PIA is not required at this time: System was created prior to 2002 and new
privacy risks have not been introduced since that time.
PIA is required.
System covered by existing PIA: <>
New PIA is required. <>
PIA update is required. <>
SORN
SORN not required at this time. PII is not retrieved by personal identifier and
record subjects are not about individuals.
SORN is required.
System covered by existing SORN: <>
New SORN is required. <>
SORN update is required. <>

DOT PRIVACY OFFICE COMMENTS
The DOT Privacy Office has determined that the Obstruction Evaluation / Airport Airspace
Analysis (OE/AAA) is a privacy sensitive system as it contains professional contact information
of individuals associated with parties subject to FAA authority. A Privacy Impact Assessment is
not required for systems that were developed prior to 2002 and have not created any new or additional
privacy risk as a result of changes to the system or underlying data uses. See “OMB Guidance
for Implementing the Privacy Provisions of the E-Government Act of 2002 – M-03-22.” OE/AAA
records are not retrieved by a unique identifier associated with an individual and therefore the records are
not subject to protection under the Privacy Act of 1974.
NOTE: The website privacy policy for the OE/AAA is inconsistent with the DOT Web Site
privacy policy. Please review the policy against the standard Department policy (www.dot.gov)
and revise accordingly. Of particular concern is the lack of reference to the use of web analytic
tools. An updated privacy policy is required to be posted within 30 days of this PTA
adjudication. If an updated policy is not provided at that time, a 30-day Plan of Action and Milestones
(POA&M) will be created for the system.
The adjudicated PTA should be uploaded into CSAM as evidence that the required privacy
analysis for this system has been completed and CSAM entries modified as appropriate to reflect
the disposition.
The PTA should be updated and submitted to the DOT PO for adjudication upon introduction of
new privacy risk to the system, the next security certification and accreditation (C&A) cycle, or
three years from the date of PTA approval, whichever is soonest.
