Download:
pdf |
pdfU.S. Department of Transportation
Privacy Impact Assessment
Federal Aviation Administration (FAA)
Office of Information Technology (AIT)
Pilot Records Database (PRD)
Responsible Official
Bryan W. Brown
AFS-620 Manager
Flight Standards Service
Regulatory Support Division Data Systems Branch
[email protected]
Reviewing Official
Claire W. Barrett
Chief Privacy & Information Asset Officer
Office of the Chief Information Officer
[email protected]
CLAIRE W
BARRETT
Digitally signed by CLAIRE W
BARRETT
DN: c=US, o=U.S.
Government, ou=OSTHQ,
ou=DOT Headquarters,
cn=CLAIRE W BARRETT
Date: 2017.01.23 17:52:13
-05'00'
�FAA/AIT
Pilot Records Database (PRD)
Executive Summary
Section 203 of the Airline Safety and Federal Aviation Administration Extension Act of 2010, Pub. L. 111216, requires the Federal Aviation Administration (FAA) to create a database to provide air carriers 1
electronic access to information maintained by the FAA concerning pilots’ training, certification and
enforcement history, certain records related to pilots’ employment history and qualifications, and national
driver registry records, in order for the air carrier to make a decision whether or not to hire an individual
as a pilot.
To meet this requirement, the FAA has developed the Pilot Records Database (PRD) to provide air carriers
a centralized electronic repository of pilot information to access before allowing an individual to begin
services as a pilot. The PRD improves aviation safety by automating the current FAA and air carrier
processes for performing a standard check of a pilot’s history prior to employment.
This Privacy Impact Assessment (PIA) is being developed pursuant to Section 208 of the E-Government Act
of 2002 because the FAA is deploying new technologies that compile information in a centralized database
(the PRD) that is otherwise maintained by the FAA in separate systems and is introducing a new business
process for air carriers to access information in identifiable form from the PRD.
What is a Privacy Impact Assessment?
The Privacy Act of 1974 articulates concepts for how the federal government should treat individuals and
their information and imposes duties upon federal agencies regarding the collection, use, dissemination,
and maintenance of personally identifiable information (PII). The E-Government Act of 2002, Section 208,
establishes the requirement for agencies to conduct privacy impact assessments (PIAs) for electronic
information systems and collections. The assessment is a practical method for evaluating privacy in
information systems and collections, and documented assurance that privacy issues have been identified and
adequately addressed. The PIA is an analysis of how information is handled to—i) ensure handling
conforms to applicable legal, regulatory, and policy requirements regarding privacy; ii) determine the risks
and effects of collecting, maintaining and disseminating information in identifiable form in an electronic
information system; and iii) examine and evaluate protections and alternative processes for handling
information to mitigate potential privacy risks. 2
Conducting a PIA ensures compliance with laws and regulations governing privacy and demonstrates the
DOT’s commitment to protect the privacy of any personal information we collect, store, retrieve, use and
share. It is a comprehensive analysis of how the DOT’s electronic information systems and collections
handle personally identifiable information (PII). The goals accomplished in completing a PIA include:
-
Making informed policy and system design or procurement decisions. These decisions must be based
on an understanding of privacy risk, and of options available for mitigating that risk;
Accountability for privacy issues;
Analyzing both technical and legal compliance with applicable privacy law and regulations, as well as
accepted privacy policy; and
1
“Air carrier” refers to 14 CFR Part 121 and 135 air carriers, 125 and 135 operators, 91K fractional ownerships, or Proxies
acting on behalf of an air carrier.
2
Office of Management and Budget’s (OMB) definition of the PIA taken from guidance on implementing the privacy provisions
of the E-Government Act of 2002 (see OMB memo of M-03-22 dated September 26, 2003).
-1-
�FAA/AIT
-
Pilot Records Database (PRD)
Providing documentation on the flow of personal information and information requirements within
DOT systems.
Upon reviewing the PIA, you should have a broad understanding of the risks and potential effects
associated with the Department activities, processes, and systems described and approaches taken to
mitigate any potential privacy risks.
Introduction & System Overview
The Federal Aviation Administration (FAA) carries out aviation safety programs to ensure the safest, most
efficient aerospace system in the world. The Federal Aviation Act of 1958, as amended, vests the FAA with
responisibility for:
•
Regulating civil aviation to promote safety;
•
Encouraging and developing civil aeronautics, including new aviation technology;
•
Developing and operating a system of air traffic control and navigation for both civil and military
aircraft;
•
Developing and carrying out programs to control aircraft noise and other environmental effects of
civil aviation; and
•
Regulating United States commercial space transportation.
Background
In response to a series of air carrier accidents attributed to pilot error, the Pilot Records Improvement Act
of 1996 (PRIA) mandated that air carriers request and receive FAA records, air carrier and other operator
records, and the National Driver Register (NDR) records before allowing an individual to begin service as a
pilot.
The FAA currently relies on a mostly paper-based process for providing air carriers with access to records
under the PRIA. 3 In addition to requests under the PRIA, an air carrier may request information about
their prospective pilots under the Freedom of Information Act (FOIA), and by asking their prospective
employees to seek the records from the FAA using the Privacy Act (PA). These methods for accessing pilot
records can be time consuming and resource intensive for air carriers, pilots, and the FAA. Air carriers
must complete multiple forms4, and pilots must be notified of access requests, and consent to their
release. If the pilot initiates the records request, the pilot must complete the Form 8060-11A, Airman
Notice and Right to Receive Copy – Air Carrier and Other Records The FAA must then conduct separate
searches of each of its applicable databases and compile the record for the requestor. This process has
been in place since enactment of the PRIA in 1997.
On February 12, 2009, Colgan Air, Inc., flight 3407 crashed, resulting in the death of all 49 passengers on
board and one person on the ground. The National Transportation Safety Board (NTSB) determined that
3
A complete overview of the PRIA process is available at https://www.faa.gov/pilots/lic_cert/pria/.
4
FAA forms that are required to be completed by the hiring air carrier before allowing an individual to begin service as a pilot
include the FAA 8060-10 FAA Records Request; 8060-11 Air Carrier and Other Records Request; 8060-12 Authorization for
Release of DOT Drug and Alcohol Testing Records Under PRIA and Maintained Under Title 49 of the Code of Federal Regulations
(49 CFR) Part 40 and 8060-13, National Driver Register Records Request (PRIA).
-2-
�FAA/AIT
Pilot Records Database (PRD)
the probable cause of this accident was the captain’s inappropriate response to the activation of the stick
shaker, which led to an aerodynamic stall from which the airplane did not recover. Additional safety issues
identified by the NTSB included certain deficiencies in the air carrier’s recordkeeping system, as well as the
air carrier’s analysis of the flight crew’s qualifications and previous performance.
The NTSB Aircraft Accident Report discussed the accident and the safety issues. The report focused on
strategies to prevent flight crew monitoring failures, pilot professionalism, fatigue, remedial training, pilot
training records, airspeed selection procedures, stall training, FAA oversight, flight operational quality
assurance programs, use of personal portable electronic devices on the flight deck, the FAA’s use of safety
alerts for operators to transmit safety-critical information, and weather information provided to pilots.
The report included recommendations of safety issues for the FAA to address.
As a result of this incident, and others, Congress enacted the Airline Safety and Federal Aviation
Administration Extension Act of 2010, which replaced PRIA with PRD (thereby changing the process for air
carriers to access pilot record, and increases the timeline of creating and providing records for hiring
decision.) The law mandates that the FAA create the PRD and that the PRD contain FAA, air carrier and
National Driver Register (NDR 5) data for use by air carriers in their pilot hiring decision process. The FAA
Extension, Safety, and Security Act of 2016 (Public Law 114-190), Section 2101 requires the FAA establish
the system no later than April 30, 2017.
Pilot Records Database (PRD)
The PRD improves aviation safety by automating the current processes for an air carrier to access
information from the FAA about a pilot’s history and qualifications prior to their employment. PRD
provides a centralized, reliable source of historical information on pilots to enable air carriers to make
hiring decisions. By integrating data from the various sources into a single interface, the PRD streamlines
the access and review of pilot records thereby increasing process efficiency and availability of critical pilot
information.
In addition, the PRD facilitates pilot 6 access to records about them maintained by the FAA, such as their
current airman certificates, including airman medical certificates and associated type ratings and
information on any limitations to those certificates and ratings; failed practical tests that were failed on or
after August 1, 2010; closed enforcement actions; and accidents/incidents that occurred on or after
August 1, 2010, prior to the pilot making those certificates available to the air carrier.
The PRD will be implemented in four stages:
Stage 1
Stage 2
Requirements Development: The FAA completed technical requirements documents and
design documents from the Public Law 111-216, Section 203, specifications to build and
establish the PRD application. This stage was completed February 29, 2016.
Initial Operating Capability: PRD provides access to limited pilot information maintained by
FAA currently obtained through PRIA, FOIA, and PA requests for pilot records. Through PRD,
pilots will authorize the collation of records maintained by the FAA and provide consent for
5
Driver records will be provided by the states through the Departments of Motor Vehicles; the PRD will only have a check box
that indicates that the airman requested the report. The PRD will not contain driver records.
6
The PRD application will define a “pilot” as an airman who has the duty position of pilot-in-command or Captain and secondin-command or First Officer.
-3-
�FAA/AIT
Stage 3
Stage 4
Pilot Records Database (PRD)
air carrier(s) specified by the pilot to access those records. The PRD will be available for use by
air carriers on a voluntary basis not later than April 30, 2017. This PIA addresses privacy
protections put in place to protect the collection, maintenance and use of Personally
Identifiable Information (PII) associated with Stage 2.
Enhancement to add Designated Agents (Proxy Users): Not later than July 31, 2017, air
carriers and their designated agents7 would universally use the PRD to conduct preemployment pilot history checks. This PIA will be updated as required to address any
associated changes in privacy risk.
Final Operating Capability: Once implementing regulations are finalized, air carriers would be
required to use the PRD for obtaining all pilot records. Air carriers and operators employing
pilots would also be required to enter historical records into the PRD. Stage 4 is currently
planned for operational launch no later than January 1, 2019 and this PIA will be updated as
required to address any associated changes in privacy risk.
The PRD includes five distinct processes, each of which are explained below: User Validation, User
Registration, PRD Airmen Record (PAR) Development, Providing Consent, and Air Carrier Access.
User Validation
FAA requires a high degree of certainty that the individual requesting access to PRD is who they claim to
be. Once the individual’s identity is validated, the individual will be issued credentials that must be used to
access PRD. The FAA has contracted with Lexis-Nexus for identity verification services and has created a
portal, MyAccess, to facilitate this process. MyAccess is also used to validate the user to the PRD
application. The MyAccess PIA is available at www.dot.gov/privacy.
User Registration
Once validated and assigned a FAA user identification (ID) and password, the user is required to register in
PRD to become an authorized user of the PRD. Individuals may register and be authorized by the FAA for
one of two roles in PRD: pilot or air carrier. Registration is accomplished by the PRD application and all
first-time users will be routed to a registration page. A general description of each of the roles and the
information required for registration is described below.
•
Pilot: Individuals who register in PRD as a pilot may review their records maintained by FAA for
accuracy, create a Pilot Access Record (explained below), provide consent to specified air carriers to
review specific PARs, and designate the number of days the PAR may be accessed by the air carrier.
In order to accomplish the above, the pilot must register in PRD by submitting their full name, their
certificate number and date of issuance. The pilot’s certificate number is checked against information
held in the FAA’s Comprehensive Airman Information System (CAIS) using a web service to ensure
the individual registering is a current pilot. The FAA PRD administrator will review and approve
request.
7
Designated agents include proxies, or third party users and others such as a personnel agency are those acting for an air carrier
to review the pilot information for employment purposes. Designated agents must complete the authentication process just as
pilots and air carriers and be registered in PRD. A valid agreement must exist between the air carrier and the designated agent
and be approved by Flight Standard Service (AFS). Designated agents for the air carrier are also required to be listed in the
Enhanced Vital Information Database (eVID) system and are controlled by the Office of Flight Standards. PRD requires
designated agents to be approved by the PRD administrator before granting them a PRD user role.
-4-
�FAA/AIT
•
Pilot Records Database (PRD)
Air Carrier: Individuals who register on behalf an air carrier may view pilot records in accordance with
authorized consent. Individuals registering in PRD in this capacity enter their air carrier operator,
their full name, phone number and their role at the carrier in the PRD context. FAA will validate the
information against the electronic Vital Information System (eVID), which contains the list of
responsible parties for each air carrier and the list of official designees, including those authorized to
conduct pre-employment screening on behalf of the air carrier.
Once registered, the pilot or air carrier will be able to sign into PRD directly from the sign in button on the
PRD takeoff page by going directly to the PRD Uniform Resource Locator, http://prd.faa.gov/. The link is
also included on the http://www.faa.gov/ website under Regulations and Policies.
PRD Airmen Record (PAR)
The PAR is the synthesis of the pilot records from authorized sources in single format. A new/temporary
PAR is created in “real-time” from the authorized sources each time the pilot accesses PRD. A PAR is only
made available to an air carrier if the pilot consents to its release to that air carrier. If a pilot accesses PRD
and does not provide consent to the release of the PAR created at that time, the system does not maintain
a copy of the PAR.
The information made available through PRD reflects the requirements for the online database established
in the Airline Safety and Federal Aviation Administration Extension Act of 2010. In the Stage 2 environment
PAR will consist of records retrieved from CAIS, the Enforcement Information System (EIS), and the
Accident Incident Data System (AIDS).
8
•
CAIS - CAIS data includes information derived from airman certification applications, temporary
airman certificates, knowledge test results, notices of disapprovals8, disapproved applications,
enforcement actions, correspondence, requests for replacement certificates, changes to the record,
letters of verification of authenticity, and other documents to support the issuance of airman
certificates. 9
•
EIS - EIS displays selected sensitive enforcement information including information on individuals,
investigations, final enforcement actions, and FAA field activities pursuant to enforcement actions
involving the pilot. Enforcement activities managed in EIS are taken pursuant to Federal Aviation Act
of 1958, which requires the FAA to survey and enforce the Federal Aviation Regulations (14 CFR Parts
1 through End) to promote effective and safe aviation. EIS records integrated into a pilot’s PAR are
limited to closed enforcement actions occurring on or after August 1, 2010. 10
•
AIDS - AIDS data available for inclusion in a pilot’s PAR includes selected records of aircraft accidents
and incidents11occurring in the United States (US) and those involving US-registered aircraft, if
outside of the US. AIDS records are limited to accidents and incidents occurring on or after August 1,
2010. The PAR will include the complete record for incidents. For accidents, the PAR will include the
following information from the official NTSB record: the type of event; accident date and location
Notices of disapproval from CAIS in the PRD are limited to those occurring on or after August 1, 2010.
9
CAIS is a subsystem of the Airmen/Aircraft Registry Modernization System. The PIA for this system is located at
https://www.transportation.gov/individuals/privacy/pia-airmenaircraft-registry-modernization-system.
10
The PIA for EIS is located at https://www.transportation.gov/individuals/privacy/pia-enforcement-information-system-eismodernization.
11
“Aircraft accidents” and “incident” are defined in 49 CFR 830.2.
-5-
�FAA/AIT
Pilot Records Database (PRD)
(city, state, zip); NTSB ID number; the pilot’s first name, middle initial, and last name; certification
type; certificate number; and the aircraft registration number, make, and model. The PAR also
includes a link to the NTSB’s Aviation Accident Database & Synopses database 12, where airlines may
review the complete accident report if required. 13
In addition, the PRD will include links to the NDR to facilitate air carrier requests for pilot driver histories.
PRD will not include NDR records and will not integrate driver history into the PAR. Air carriers may use the
PRD to record the date on which they requested applicable NDR records for the pilot. If PRD is used to
track NDR records requests, the check date must be annotated anew for each PAR accessed by the air
carrier for the pilot.
Providing Consent
The FAA requires pilots to provide explicit consent for an air carrier to access information about the pilot in
PRD. eVID provides PRD a list of authorized air carriers. The pilot selects the specific air carrier from the list
in PRD that the pilot consents to allow access to their PAR. In cases when the air carrier information is not
found in eVID, such as a small operator, the pilot may manually enter the air carrier employer’s name, title,
phone number, postal number, postal address, and email address. The pilot also selects the period for
which the consent is valid (30, 60 or 90 days). Before the consent is activated the pilot is provided an
additional opportunity to review the PAR for accuracy. Once the pilot affirms their consent to sharing the
PAR, the PRD stores the consent, user ID, date, and time of consent action, and a snapshot of the PAR at
the time of consent. The pilot may also choose to revoke consent at any time, after which the air carrier
may not access the record until consent for sharing is reestablished by the pilot. A pilot may give consent
for multiple carriers to view a PAR, and may have multiple PARs in PRD, but the pilot may only grant each
air carrier access to one PAR at any given time. To facilitate the pilot’s management of their consent
decisions, the PRD includes an “expiration clock” for each PAR/air carrier consent decision, so that pilots
may proactively determine if consent decisions should be terminated or extended. The PRD notifies pilots
via email of all air carrier’s transactions concerning their records, regardless of whether or not the PAR was
accessed. Pilots may also access the PRD transaction log for their records to review any air carrier requests
to review their PAR. The log identifies the air carrier, and the date and time the air carrier requested
access to the PAR.
Air Carrier Access
Air carrier representatives may access PARs by providing the pilot’s certificate number and last name. In
the event that an air carrier seeks access to a pilot’s records for which consent has not been provided,
consent has expired, or consent has been revoked, the PRD displays a message that there is no record
available. The air carrier’s access to the PAR is limited to the timeframe specified by the pilot when
consent was given.
Air carriers may return to review the PAR as many times as necessary as long as the pilot consent is active.
The pilot name, certificate number and date/time stamp of consent appear on the bottom of each page of
the PAR. Each page of the PAR also includes notice to the air carrier that data contained in the PAR must
12
13
http://www.ntsb.gov/_layouts/ntsb.aviation/index.aspx
Once published the AIDS PIA will be made available at www.transportation.gov/privacy.
-6-
�FAA/AIT
Pilot Records Database (PRD)
be used solely for hiring decisions and must not be copied or distributed except in accordance with
Public Law 111-216.
Fair Information Practice Principles (FIPPs) Analysis
The DOT PIA template based on the fair information practice principles (FIPPs). The FIPPs, rooted in the
tenets of the Privacy Act, are mirrored in the laws of many U.S. states, as well as many foreign nations and
international organizations. The FIPPs provide a framework that will support DOT efforts to appropriately
identify and mitigate privacy risk. The FIPPs-based analysis conducted by DOT is predicated on the privacy
control families articulated in the Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP)
v3 14, sponsored by the National Institute of Standards and Technology (NIST), the Office of Management
and Budget (OMB), and the Federal Chief Information Officers Council and the Privacy Controls
articulated in Appendix J of the NIST Special Publication 800-53 Security and Privacy Controls for Federal
Information Systems and Organizations 15.
Transparency
Sections 522a(e)(3) and (e)(4) of the Privacy Act and Section 208 of the E-Government Act require public
notice of an organization’s information practices and the privacy impact of government programs and
activities. Accordingly, DOT is open and transparent about policies, procedures, and technologies that
directly affect individuals and/or their personally identifiable information (PII). Additionally, the
Department should not maintain any system of records the existence of which is not known to the public.
The Department of Transportation (DOT) deploys multiple techniques to ensure pilots and air carriers are
aware of the PRD and the purposes for which the Department collects and maintains PII in support of the
PRD.
On August 1, 2010, the “Airline Safety and Federal Aviation Administration (FAA) Extension Act of 2010,”
was signed into law and requires the creation of a database that would provide air carriers with electronic
access for to a pilot’s qualifications, training, certification and enforcement history for the air carrier to use
in deciding whether or not to hire that pilot. In addition, Section 2101 of the FAA Extension, Safety, and
Security Act of 2016 (Public Law 114-190), Section 2101 requires the FAA to establish the PRD no later than
April 30, 2017.
The records in PRD are considered copies of records maintained in the CAIS, AIDS, and EIS databases.
These databases are subject to the Department’s system published system of record notice (SORN)
entitled DOT/FAA 847, Aviation Records on Individuals, (November 9, 2010, 75 FR 68849) and are made
available to air carriers consistent with the consent provided by the pilot. Once integrated into the PRD via
the individual pilot PARs, these records are not covered by the Privacy Act as PRD is not used by the
Department in support of its mission. However, the Department is committed to ensuring that these
sensitive records are managed in a manner consistent with the Privacy Act and the Fair Information
Practice Principles, and they will be protected in accordance with the Departmental Privacy Risk
Management Policy, DOT Order 1351.18 and applicable Office of Management and Budget Guidance for
the protection of personally identifiable information.
14
15
http://www.cio.gov/documents/FEA-Security-Privacy-Profile-v3-09-30-2010.pdf
http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf
-7-
�FAA/AIT
Pilot Records Database (PRD)
The publication of this PIA further demonstrates the DOT’s commitment to provide appropriate
transparency into the PRD.
Individual Participation and Redress
DOT should provide a reasonable opportunity and capability for individuals to make informed decisions
about the collection, use, and disclosure of their PII. As required by the Privacy Act, individuals should be
active participants in the decision making process regarding the collection and use of their PII and be
provided reasonable access to their PII and the opportunity to have their PII corrected, amended, or
deleted, as appropriate.
At the current time, use of the PRD by air carriers is voluntary and they may continue to use non-PRD
processes to request access to pilot records for required pre-employment screening purposes. Pilots
seeking employment with those air carriers opting to use PRD must follow the air carrier’s direction
concerning the use of PRD.
During the PRD registration process, as described above, the FAA collects the pilot’s name and pilot
certificate number which is used to determine if the individual registering is a current pilot. Pilots are
directly involved in the creation of PARs and dictate which air carriers may access their PARs. Pilots are
responsible for viewing PAR source data maintained in CAIS, EIS, and AIDS to ensure its accuracy before
authorizing air carrier access.
If the pilot determines that the source information for the PAR is inaccurate, the pilot may submit a
correction request to the appropriate system owner through the PRD. The PRD will forward the correction
request to the system owner responsible for the authoritative source of the information within the FAA.
That system owner determines the accuracy of the information and if a correction to the data is
appropriate. If required, the authoritative source makes the necessary correction and submits the
corrected record to the PRD. Pilots may also use the redress processes specific to the source systems
identified in the respective system PIAs and SORNs, which can be found on the Departmental Privacy
Program website – www.transportation.gov/privacy.
To ensure that the records used in the hiring process are complete and accurate, the PRD has been
configured to disallow the creation of partial PARs. Therefore, if any of the data sources are unavailable
PRD will notify/indicate to the pilot that a PAR cannot be created at this time. The pilot would still be able
to access previously created PARs. The PAR must be created by the pilot before the record may be used by
authorized air carriers in the hiring process. Air carriers cannot create PARs. Once created, the PAR may be
viewed whole or in component parts by authorized carriers.
Purpose Specification
DOT should (i) identify the legal bases that authorize a particular PII collection, activity, or technology that
impacts privacy; and (ii) specify the purpose(s) for which its collects, uses, maintains, or disseminates PII.
Section 203 of the Airline Safety and Federal Aviation Administration Extension Act of 2010 directs the FAA
Administrator to establish an electronic database of pertinent information about pilots in FAA, air carrier,
and other records that an air carrier must access and evaluate before allowing an individual to begin
service for that air carrier as a pilot.
-8-
�FAA/AIT
Pilot Records Database (PRD)
The PRD provides a centralized, reliable source of historical information on pilots so as to enable air
carriers to make hiring decisions. In addition, the PRD allows pilots seeking potential employment with an
air carrier to view their current airman certificates, including airman medical certificates and associated
type ratings and information on any limitations to those certificates and ratings; failed practical tests that
were failed on or after August 1, 2010, closed enforcement actions; and accidents/incidents that occurred
on or after August 1, 2010. Pilots must specifically consent to an air carrier’s access to records about the
pilot in the PRD. Air carrier may print or locally save PARs they access; however, the air carrier must take
steps to protect the privacy and fonidentilaity of the PAR including ensuring that PARs are not divulged to
any individual that is not directly involved in the hiring decision. The system includes the following explicit
notice concerning the authorized use of the system and PARs :
•
In accordance with Public Law 111-216, the Airline Safety and Federal Aviation Administration
Extension Act of 2010, this PRD record may be used solely for hiring decisions.
•
This PRD record presents verification of a pilot’s airman and medical certificates; ratings and
limitations information; summaries of legal enforcement actions that have not been overturned
resulting in a finding of a violation—which may include violation on current and previous certificates,
summaries of accidents or incidents and historical employment records. This PRD record contains
personally sensitive information and must be protected from unintended disclosure.
The FAA may take enforcement action up to and including fines and the revocation of air carrier
certificates for any air carrier found to have abusing access or inappropriately using PARs.
Data Minimization & Retention
DOT should collect, use, and retain only PII that is relevant and necessary for the specified purpose for which it was
originally collected. DOT should retain PII for only as long as necessary to fulfill the specified purpose(s) and in
accordance with a National Archives and Records Administration (NARA)-approved record disposition schedule.
Section 203 of the Airline Safety and Federal Aviation Administration Extension Act of 2010 requires that
the FAA make certain types of records about pilots available to air carriers through the PRD. Pilots use the
PRD to compile the pilot record (PAR) and authorize specified air carriers to access the records. The PAR is
comprised of records from the following systems:
•
CAIS: The CAIS is the national repository of information derived from the airman certificate
application. CAIS contains all airmen certification records and includes name, contact information,
vital description, unique identifiers, citizenship, aviation experience, aircraft information, knowledge
test results, notices of disapprovals, disapproved applications, enforcement actions and legal
documents (such evidence of ownerships and as bill of sale), divorce decree, and court order. Only
knowledge tests results, notices of disapprovals, disapproved applications, enforcement actions,
requests for replacement certificates, changes to the record, letters of verification of authenticity,
and the necessary documents to support the issuance of airman certificates are displayed in PRD.
Notices of disapproval from CAIS in the PRD are limited to those occurring on or after August 1, 2010.
•
EIS: EIS contains the following information on alleged violators; contact information, date of birth,
certification number and type, alleged violation, enforcement investigation report and aircraft
information. EIS integrated into the PAR are limited closed enforcements occurring on or after
August 1, 2010. The PRD displays enforcement information including information on individuals,
-9-
�FAA/AIT
Pilot Records Database (PRD)
investigations, legal filings related to the case and activities around the enforcement actions taken
against pilots.
•
AIDS: AIDS contains pilot contact information, date of birth, certificate number, and the names and
type of injury of individuals associated with an aviation accident/incident. Only records related to
aircraft accidents and incidents occurring in the US, and those involving US-registered aircraft, if
outside of the US occurring on or after August 1, 2010, may be integrated into the PAR. For incidents,
the full record will be displayed. In the case of accidents, a link to the NTSB web site for the final
report which may contain additional details is provided.
Pilot-created PARs that have been approved for access by air carriers will be maintained as permanent
records until the FAA receives an approved disposition authority from National Archives and Records
Administration (NARA). The proposed retention schedule is outlined in DAA-0237-2016-0012, item 7.2.2,
and proposes records be destroyed/deleted when five years old or if duplicative information
destroyed/delete when no longer needed. PRD will retain administrative logs which include the dates of
pilot and/or air carrier inquiries and the PAR. The administrative logs will reflect that PRD was used in a
pilot hiring decision. FAA maintains a record of the PARs for five years or until no longer needed to meet
FAA business needs.
Use Limitation
DOT shall limit the scope of its PII use to ensure that the Department does not use PII in any manner that is
not specified in notices, incompatible with the specified purposes for which the information was collected,
or for any purpose not otherwise permitted by law.
The PRD exists only to support air carriers’ hiring processes for pilots by providing a central repository for
pilot’s to provide their prospective employers with information maintained about the pilot by the FAA.
When a pilot is seeking employment with an air carrier, that pilot will access the PRD, compile their PAR in
the PRD, and authorize their prospective employer (air carrier) to access the PRD for a limited period of
time for the purpose of the air carrier’s decision to hire the pilot. Thus, the pilot causes the compilation of
the PAR from the FAA’s CAIS, EIS, and AIDS, and directs the air carrier’s access to the PAR. Public Law 111216 provides that air carriers may only use the PAR for hiring decisions and must restrict dissemination of
the information to individuals directly involved in the hiring decision.
Public Law 111-216 also prohibits the FAA from disclosing the information under the Freedom of
Information Act, unless disclosure is (1) of deidentified, summarized information to explain the need for
changes in policies or procedures, (2) information to correct a condition that comprising aviation safety,
(3) information to carry out a criminal investigation or prosecution, or (4) information regarding threats to
civil aviation to comply with 49 U.S.C. 44703. Because the PRD is not the FAA’s authoritative source for the
collection, maintenance, or use of airman information, any disclosures by the FAA, other than those under
the Freedom of Information Act must comply with the requirements of the Privacy Act and the system of
records notice applicable to the source databases (CAIS, EIS, AIDS) relied upon by FAA to support its
mission needs. For further information about how FAA collects, uses, maintains information from these
source databases, see the system of records notice for these systems, DOT/FAA 847, Aviation Records on
Individuals.
- 10 -
�FAA/AIT
Pilot Records Database (PRD)
Data Quality and Integrity
In accordance with Section 552a(e)(2) of the Privacy Act of 1974, DOT should ensure that any PII collected
and maintained by the organization is accurate, relevant, timely, and complete for the purpose for which it
is to be used, as specified in the Department’s public notice(s).
The FAA collects, uses, and retains data that is relevant and necessary for the purpose for which it was
collected. The PRD is not the authoritative source of data. The PRD receives data in real time from CAIS,
EIS, AIDS and eVID. If the pilot believes the PRD contains inaccurate information, the pilot may submit a
correction request through the PRD. The PRD will forward the correction request via email to the
authoritative source of the information. If the authoritative source determines an update is appropriate,
the authoritative source submits the corrected record to the FAA and it will be reflected in the PRD when
updated. The pilot receives notification when an update to the PRD data occurred.
Security
DOT shall implement administrative, technical, and physical measures protect PII collected or maintained
by the Department against loss, unauthorized access, or disclosure, as required by the Privacy Act, and to
ensure that organizational planning and responses to privacy incidents comply with OMB policies and
guidance.
The FAA protects PII with reasonable security safeguards against loss or unauthorized access, destruction,
usage, modification, or disclosure. These safeguards incorporate standards and practices required for
federal information systems under the Federal Information Security Management Act (FISMA) and are
detailed in Federal Information Processing Standards (FIPS) Publication 200, Minimum Security
Requirements for Federal Information and Information Systems, dated March 2006, and National Institute
of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Security and Privacy
Controls for Federal Information Systems and Organizations, dated April 2013.
The PRD is a moderate risk system and was issued a three-year authority to operate on
December 29, 2016. Access to the PRD web application is limited to those with appropriate security
credentials, an authorized purpose, and need-to-know. The FAA deploys role-based access controls in
addition to other protection measures reviewed and certified by the FAA’s cybersecurity professionals to
maintain the confidentiality, integrity, and availability requirements of the system.
Accountability and Auditing
DOT shall implement effective governance controls, monitoring controls, risk management, and assessment
controls to demonstrate that the Department is complying with all applicable privacy protection
requirements and minimizing the privacy risk to individuals.
The FAA’s Office of the Chief Information Officer, Office of information Systems Security, Privacy Division is
responsible for governance and administration of FAA Order 1370-121, FAA Information Security and
Privacy Program and Policy. FAA Order 1370-121 implements the various privacy requirements of the
Privacy Act of 1974 (the Privacy Act), the E-Government Act of 2002 (Public Law 107-347), the Federal
Information Security Management Act (FISMA), DOT privacy regulations, OMB mandates, and other
applicable DOT and FAA information and information technology management procedures and guidance.
- 11 -
�FAA/AIT
Pilot Records Database (PRD)
In addition to these practices, additional policies and procedures will be consistently applied, especially as
they relate to the access, protection, retention, and destruction of PII. Federal and contract employees are
given clear guidance in their duties as they relate to collecting, using, processing, and security privacy data.
Guidance is provided in the form of mandatory annual security and privacy awareness training, as well as
FAA Privacy Rules of Behavior. The DOT and FAA Privacy Offices will conduct periodic privacy compliance
reviews of PRD relative to the requirements of OMB Circular A-130.
Responsible Official
Bryan Brown
AFS-620 Manager
Flight Standards Service
Regulatory Support Division Data Systems Branch
Approval and Signature
Claire W. Barrett
Chief Privacy & Information Asset Officer
Office of the Chief Information Officer
- 12 -
�
| File Type | application/pdf |
| File Title | PIA-AIT-PRD-10/18/2016 |
| Author | Claire W. Barrett |
| File Modified | 2017-01-23 |
| File Created | 2017-01-23 |