Download:
pdf |
pdfU.S. Department of Transportation
Office of the Chief Information Officer (OCIO)
Privacy Threshold Assessment (PTA)
Federal Aviation Administration (FAA)
Office of Aviation Safety (AVS)
Unmanned Aircraft System (UAS) Market Survey
KARYN
MARIE
GORMAN
1
Digitally signed
by KARYN MARIE
GORMAN
Date: 2021.03.01
15:44:21 -05'00'
�U.S. Department of Transportation
Privacy Threshold Assessment (PTA)
The Privacy Threshold Assessment (PTA) is an analytical tool used to determine the scope
of privacy risk management activities that must be executed to ensure that the
Department’s initiatives do not create undue privacy risks for individuals.
The Privacy Threat Assessment (PTA) is a privacy risk management tool used by the
Department of Transportation (DOT) Chief Privacy Officer (CPO). The PTA determines
whether a Department system1 creates privacy risk for individuals that must be further
analyzed, documented, or mitigated, and determines the need for additional privacy
compliance documentation. Additional documentation can include Privacy Impact
Assessments (PIAs), System of Records notices (SORNs), and Privacy Act Exemption
Rules (Exemption Rules).
The majority of the Department’s privacy risk emanates from its direct collection, use,
storage, and sharing of Personally Identifiable Information (PII),2 and the IT systems
used to support those processes. However, privacy risk can also be created in the
Department’s use of paper records or other technologies. The Department may also
create privacy risk for individuals through its rulemakings and information collection
requirements that require other entities to collect, use, store or share PII, or deploy
technologies that create privacy risk for members of the public.
To ensure that the Department appropriately identifies those activities that may create
privacy risk, a PTA is required for all IT systems, technologies, proposed rulemakings,
and information collections at the Department. Additionally, the PTA is used to alert
other information management stakeholders of potential risks, including information
security, records management and information collection management programs. It is
also used by the Department’s Chief Information Officer (CIO) and Associate CIO for IT
Policy and Governance (Associate CIO) to support efforts to ensure compliance with
other information asset requirements including, but not limited to, the Federal Records
Act (FRA), the Paperwork Reduction Act (PRA), the Federal Information Security
Management Act (FISMA), the Federal Information Technology Acquisition Reform Act
(FITARA) and applicable Office of Management and Budget (OMB) guidance.
Each Component establishes and follows its own processes for developing, reviewing,
and verifying the PTA prior to its submission to the DOT CPO. At a minimum, the PTA
must be reviewed by the Component business owner, information system security
1
For the purposes of the PTA the term “system” is used throughout document but is not limited to traditional
IT systems. It can and does refer to business activity and processes, IT systems, information collection, a
project, program and/or technology, and proposed rulemaking as appropriate for the context of the assessment.
2
The term “personally identifiable information” refers to information which can be used to distinguish or trace
an individual's identity, such as their name, social security number, biometric records, etc. alone, or when
combined with other personal or identifying information which is linked or linkable to a specific individual,
such as date and place of birth, mother’s maiden name, etc.
1
�U.S. Department of Transportation
manager, general counsel, records officers, and privacy officer. After the Component
review is completed, the Component Privacy Office will forward the PTA to the DOT
Privacy Office for final adjudication. Only PTAs watermarked “adjudicated” and
electronically signed by the DOT CPO are considered final. Do NOT send the PTA
directly to the DOT PO; PTAs received by the DOT CPO directly from program/business
owners will not be reviewed.
If you have questions or require assistance to complete the PTA please contact your
Component Privacy Officer or the DOT Privacy Office at [email protected]. Explanatory
guidance for completing the PTA can be found in the PTA Development Guide found on
the DOT Privacy Program website, www.dot.gov/privacy.
2
�U.S. Department of Transportation
PROGRAM MANAGEMENT
SYSTEM name: Unmanned Aircraft Systems (UAS) Market Survey
Cyber Security Assessment and Management (CSAM) ID: Not applicable
SYSTEM MANAGER CONTACT Information:
Name: Ashley Awwad
Email: [email protected]
Phone Number: 1-816-786-5716
Is this a NEW system?
☒ Yes (Proceed to Section 1)
☐ No
☐ Renewal
☐ Modification
Is there a PREVIOUSLY ADJUDICTED PTA for this system?
☐ Yes:
Date:
☒ No
1 SUMMARY INFORMATION
1.1
System TYPE
☐ Information Technology and/or Information System
Unique Investment Identifier (UII):
Cyber Security Assessment and Management (CSAM) ID:
☐ Paper Based:
☐ Rulemaking
Rulemaking Identification Number (RIN):
Rulemaking Stage:
☐ Notice of Proposed Rulemaking (NPRM)
☐ Supplemental NPRM (SNPRM):
☐ Final Rule:
Federal Register (FR) Notice:
3
�U.S. Department of Transportation
☒ Information Collection Request (ICR)3
☒ New Collection In progress. The 60-day public comment period for the ICR
ends January 19, 2021.
☐ Approved Collection or Collection Renewal
☐ OMB Control Number:
☐ Control Number Expiration Date:
☐ Other: Survey
1.2
System OVERVIEW:
The Unmanned Aircraft System (UAS) Market survey has been constructed by a
team of researchers at the Federal Aviation Administration’s (FAA’s) Civil
Aerospace Medical Institute (CAMI). The purpose of the survey is to receive
feedback from experts in industry and academia on UAS, such as common fatiguerelated practices; minimum knowledge, skills, abilities (KSAs) to operate UAS;
testing; and staffing procedures required for operating UAS. The survey will gain
insight from those involved or plan to be involved in UAS air carrier operations, in
particular UAS engineers, operators, instructors, and managers. The industry leaders
will be able to provide insight to current and future policies from their companies to
conduct UAS air carrier operations. The results from this survey will be used to
inform rulemaking activities, and a new PTA for the rulemaking process will be
conducted at that time. The FAA Office of Aviation Safety (AVS) Office of
Aerospace Medicine (AAM) oversees the UAS Market Survey Program at the Mike
Monroney Aeronautical Center (MMAC) in Oklahoma City, Oklahoma.
The Sample Pool of Survey Participants
The sample pool consists of UAS engineers, operators, instructors, and managers
who have submitted Part 107 Waivers relating to rules governing UAS, or been
identified in academia as a UAS instructor4. The initial distribution list contains 381
individuals, but should increase because the FAA routinely updates the publicly
accessible Part 107 Waivers database, and because academic institutions are
continually developing new UAS programs. The survey will collect responses from
180 participants. To ensure the representativeness of the sample, the 180 respondents
will be distributed across quotas that are set based on occupational duties as reported
by the respondent (pilot/operator = 40, cargo/sensor operator = 40, supervisor = 40,
instructors = 40, engineers = 10, other = 10).
3
See 44 USC 3201-3521; 5 CFR Part 1320
The information for members of academia is collected from Centers of Excellence. FAA has relationships
with academics who offer UAS training.
4
4
�U.S. Department of Transportation
The information from survey participants processed to create the sample pool comes
from publicly available dockets in the Federal Register identifying corporations who
received blanket waivers from Part 107; the FAA’s publicly available Part 107
Waivers website (which identifies individuals who have been granted waivers from
Part 107 relating to rules for operating UAS); Google searches5; and names provided
by the research sponsors and contractors, and it includes: the individual’s name,
company name, and email address (business and/or personal, depending on the email
the user submitted with the FAA during the wavier submission process). FAA’s inhouse contractor, Cherokee Nation 3S LLC (CN3S), creates the sample pool by
pulling this information together from the above mentioned sources. FAA uses this
variety of sources to help ensure the representativeness of the drawn sample.
The sample pool list of potential respondents is stored on an FAA Network shared
drive that requires PIV card credentials via MyAccess6 and is only accessible by
CN3S staff with a need to know.
Survey Administration
The survey will be active for 90 days or completion of the 180-respondent limit,
whichever comes first, and will no longer be accessible by participants after the
survey closes. The survey includes questions with open text boxes, however, the
questions do not lead the participant to respond with PII. If a respondent
inadvertently provides PII in a text box, CN3S contractor staff will delete the PII
before providing results to the FAA.
The FAA’s UAS Market Survey Program has a contract in place with online survey
development software Qualtrics7 to administer the survey. CN3S uses Qualtrics to
create the survey, collect data and create survey item reports. CN3S staff will use
their FAA email address to create a Qualtrics user account to login with username
and password.
CN3S staff sends an email to the sample pool it compiled (noted above) containing
the URL for the survey.8 Members of the sample pool receiving the survey may
choose to take the survey or not, and they have the ability to forward the survey to a
5
CN3S uses Google searches in an effort to ensure the contact information drawn from the Part 107 Waivers
website is current, since the individual’s contact information may have changed between the submission of the
Waiver and FAA’s sending of the survey.
6
MyAccess (CSAM ID: 2009) and has an adjudicated PTA dated December 20, 2016. A new PTA is under
development.
7
In April 2018, Qualtrics achieved International Standards Organization (ISO) 27001 certification and is
Federal Risk and Authorization Management Program (FedRAMP) authorized.
8
The URL for the survey will be active once the ICR is approved and the OMB Control Number granted.
5
�U.S. Department of Transportation
colleague for their participation.9 Recipients in the original sample pool are also able
to opt out of further communication. Unless the recipient opts-out, the recipients will
receive a reminder email approximately halfway through the data collection period.
Once the respondent accesses the link, they receive the informed consent notice10,
which provides an overview of the study, its voluntary nature and ability to opt-out,
informs them about the purposes of the study, and how FAA will use the results. All
participants receive the informed consent prior to taking the survey. Participants
must provide their consent before continuing with the survey. As part of providing
their consent, participants provide their name (first and last) and email address. The
Informed Consent states that this PII will not be associated with the individual’s
survey responses.
When a respondent clicks the link to access the survey, Qualtrics automatically
assigns a unique ID to each survey response record. The survey records in Qualtrics
also include the PII collected via the informed consent – name and email address. At
the conclusion of the survey, CN3S staff logs into Qualtrics with their username and
password and downloads the survey responses to an FAA PIV-protected drive with
access limited to CN3S contractors. CN3S de-identifies the survey responses by
removing the name and email address from the response record. CN3S does not
share this PII with FAA. Likewise, although the individual survey responses are
located on an FAA server, access to these individual responses is restricted to CN3S
only. In addition, CN3S removes any unsolicited PII that respondents may have
provided, unprompted, in open text boxes. CN3S then aggregates the survey
responses for reporting.
Lastly, survey respondents are compensated for their participation. The survey
includes a direct link to a secure website for a third-party FAA contractor, Neese
Personnel, to directly collect personally identifiable information to facilitate
payment, including the respondent’s name, mailing address, phone, and email
address. CN3S verifies the participant’s names with Neese via email, and Neese
facilitates payment by mailing a check to the respondent. The information Neese
Personnel collects will not be shared with FAA.
Neese Personnel will maintain the information associated with payments for three
years to meet requirements set forth by the Fair Labor Standards Act (FLSA). Neese
Personnel stores hard copy documents in locked, access-controlled cabinets, and
electronic data is stored in password- and firewall-protected systems. At the end of
9
The survey contains a question to exclude individuals that are outside of the targeted population noted above.
An Informed Consent notice is a legal and ethical requirement for research involving human participants.
10
6
�U.S. Department of Transportation
the three-year retention period, any hard copy documents are shredded and electronic
files are deleted.
Neither the survey data nor the analysis will be made available to companies or
organizations outside of the FAA. After the survey is closed, CN3S will destroy all
files containing the link between names, addresses, and unique identifiers. After the
survey is closed, CN3S will download Informed Consent documents to FAA-owned
servers with access limited to certain CN3S contractor staff and FAA Management
(but not Primary Investigators11), as required per Institutional Review Board (IRB)
approval and per IRB compliance requirements12. CN3S will provide the Informed
Consent information to the FAA IRB upon its request.
The record schedule for survey records in is progress, as such, all survey records will
be maintained as permanent records until the NARA approves the record schedule.
FAA will maintain on servers the respondent information, but access will be limited
to CN3S personnel.
2 INFORMATION MANGEMENT
2.1
SUBJECTS of Collection
Identify the subject population(s) for whom the system collects, maintains, or
disseminates PII. (Check all that apply)
☒ Members of the public:
☒ Citizens or Legal Permanent Residents (LPR)
☐ Visitors
☐ Members of the DOT Federal workforce
☒ Members of the DOT Contract workforce
☐ System Does Not Collect PII. If the system does not collect PII, proceed
directly to question 2.3.
2.2
What INFORMATION ABOUT INDIVIDUALS will be collected, used, retained,
or generated?
PII collected to administer the survey: PII collected directly from survey respondents
11
The Primary Investigators are the FAA employees sponsoring the research.
12
See the attached PDF for details on the IRB.
AAM-CAMI-004-IRB-P
roc.pdf
7
�U.S. Department of Transportation
for consent purposes: name (first and last) and email address. PII about individuals
in the sample pool includes: name, company name, and email address. In addition,
Qualtrics automatically generates a unique identifier for each survey response when
the participant clicks on the survey link.
PII collected for payment purposes: Neese Personnel collects the following directly
from survey participants: name (first and last), mailing address, phone number, and
email address. No bank information is collected, as Neese Personnel will mail
physical checks to the participants.
2.3
Does the system RELATE to or provide information about individuals?
☒ Yes: First, FAA contractors (CN3S) use their FAA email addresses to establish
user accounts for the Qualtrics software used to facilitate the surveys. Secondly,
CN3S creates a sample pool for the survey by gathering publically available PII
about UAS operators (names, company name, and email addresses) from the Federal
Register, the FAA’s Part 107 Waivers website, and other sources as described above.
Lastly, an FAA contractor, Neese Personnel, collects name, mailing address, phone
number, and email address from survey participants to facilitate their compensation.
☐ No
If the answer to 2.1 is “System Does Not Collect PII” and the answer to 2.3 is “No”,
you may proceed to question 2.10.
If the system collects PII or relate to individual in any way, proceed to question 2.4.
2.4
Does the system use or collect SOCIAL SECURITY NUMBERS (SSNs)? (This
includes truncated SSNs)
☐ Yes:
Authority:
Purpose:
☒ No: The system does not use or collect SSNs, including truncated SSNs.
Proceed to 2.6.
8
�U.S. Department of Transportation
2.5
Has an SSN REDUCTION plan been established for the system?
☐ Yes:
☐ No:
2.6
Does the system collect PSEUDO‐SSNs?
☐ Yes:
☒ No: The system does not collect pseudo-SSNs, including truncated SSNs.
2.7
Will information about individuals be retrieved or accessed by a UNIQUE
IDENTIFIER associated with or assigned to an individual?
☐ Yes
Is there an existing Privacy Act System of Records notice (SORN) for the
records retrieved or accessed by a unique identifier?
☒ Yes:
SORN: DOT/ALL 13, Internet/Intranet Activity and Access Records, 67 FR
30757 (May 7, 2002).
☐ No:
Explanation:
Expected Publication:
☐ Not Applicable: Proceed to question 2.9
2.8
Has a Privacy Act EXEMPTION RULE been published in support of any
Exemptions claimed in the SORN?
☐ Yes
Exemption Rule:
☐ No
Explanation:
Expected Publication:
☐ Not Applicable: SORN does not claim Privacy Act exemptions.
2.9
Has a PRIVACY IMPACT ASSESSMENT (PIA) been published for this system?
☐ Yes:
☒ No: This is a new survey project.
☐ Not Applicable: The most recently adjudicated PTA indicated no PIA was
required for this system.
9
�U.S. Department of Transportation
2.10
Does the system EXCHANGE (receive and/or send) DATA from another
INTERNAL (DOT) or EXTERNAL (non‐DOT) system or business activity?
☒ Yes:
Internal Exchange(s):
There are no internal data exchanges.
External Exchange(s):
Qualtrics: CN3S sends its FAA email address (as username) and password to
Qualtrics for system access. In addition CN3S receives survey responses and
respondent name and email (captured from the informed consent) from Qualtrics.
There is a contract in place to govern this exchange.
Neese Personnel: CN3S sends to Neese Personnel names of survey participants
collected via informed consent to allow Neese to verify their participation and
facilitate payment to them. CN3S sends participant names via encrypted emails.
There is a contract in place to govern this exchange.
☐ No
2.11
Does the system have a National Archives and Records Administration
(NARA)‐approved RECORDS DISPOSITION schedule for system records?
☒ Yes:
Schedule Identifier: National Archives and Records Administration, General
Records Schedule 3.2, approved January 2017, Information System Security
Records, item 30 System access records.
Schedule Summary: Temporary. Destroy when business use ceases. (DAAGRS-2013-0006-0003).
☒ In Progress: The FAA Records Officer is engaged with NARA to create a
retention schedule for its survey records.
☐ No:
10
�U.S. Department of Transportation
3 SYSTEM LIFECYCLE
The systems development life cycle (SDLC) is a process for planning, creating,
testing, and deploying an information system. Privacy risk can change
depending on where a system is in its lifecycle.
3.1
Was this system IN PLACE in an ELECTRONIC FORMAT prior to 2002?
☐
The E-Government Act of 2002 (EGov) establishes criteria for the types of
systems that require additional privacy considerations. It applies to systems
established in 2002 or later, or existing systems that were modified after 2002.
Yes:
☒Not Applicable: System is not currently an electronic system. Proceed to
Section 4.
☐ No:
3.2
Has the system been MODIFIED in any way since 2002?
☐ Yes: The system has been modified since 2002.
☐ Maintenance.
☐ Security.
☐ Changes Creating Privacy Risk:
☐ Other:
☐ No: The system has not been modified in any way since 2002.
3.3
Is the system a CONTRACTOR‐owned or ‐managed system?
☐ Yes: The system is owned or managed under contract.
Contract Number:
Contractor:
☐ No: The system is owned and managed by Federal employees.
3.4
Has a system Security Risk CATEGORIZATION been completed?
The DOT Privacy Risk Management policy requires that all PII be protected
using controls consistent with Federal Information Processing Standard
Publication 199 (FIPS 199) moderate confidentiality standards. The OA Privacy
Officer should be engaged in the risk determination process and take data types
into account.
☐ Yes: A risk categorization has been completed.
Based on the risk level definitions and classifications provided above,
indicate the information categorization determinations for each of the
following:
11
�U.S. Department of Transportation
Confidentiality:
☐ Low
☐ Moderate
☐ High
☐ Undefined
Integrity:
☐ Low
☐ Moderate
☐ High
☐ Undefined
Availability:
☐ Low
☐ Moderate
☐ High
☐ Undefined
Based on the risk level definitions and classifications provided above,
indicate the information system categorization determinations for each of
the following:
Confidentiality:
☐ Low
☐ Moderate
☐ High
☐ Undefined
Integrity:
☐ Low
☐ Moderate
☐ High
☐ Undefined
Availability:
☐ Low
☐ Moderate
☐ High
☐ Undefined
☐ No: A risk categorization has not been completed. Provide date of
anticipated completion.
3.5
Has the system been issued an AUTHORITY TO OPERATE?
☐ Yes:
Date of Initial Authority to Operate (ATO):
Anticipated Date of Updated ATO:
☐ No:
☐ Not Applicable: System is not covered by the Federal Information Security
Act (FISMA).
4 COMPONENT PRIVACY OFFICER ANALYSIS
The Component Privacy Officer (PO) is responsible for ensuring that the PTA is as
complete and accurate as possible before submitting to the DOT Privacy Office for
review and adjudication.
COMPONENT PRIVACY OFFICER CONTACT Information
Name: Essie L. Bell
Email: [email protected]
Phone Number: 202-267-6034
COMPONENT PRIVACY OFFICER Analysis
This is the initial PTA for FAA’s Unmanned Aircraft Systems (UAS) Market Survey. The
purpose of the survey is to receive feedback from experts in industry and academia on
aspects of operating UAS. Respondents are selected because they are employees of
organizations that operate UAS or academic institutions that provide UAS training.
The survey will gain insight from those involved or plan to be involved in UAS air carrier
operations, in particular UAS engineers, operators, instructors, and managers. The results
12
�U.S. Department of Transportation
from this survey will be used to inform rulemaking activities, and a new PTA for the
rulemaking process will be conducted at that time.
The UAS Market Survey is privacy-sensitive as FAA contractor CN3S processes PII from
members of the public, such as the individual’s name, company name, and business or
personal email address to create a sample pool of survey recipients, while a second FAA
contractor, Neese Personnel, collects name, mailing address, phone number, and email
address to facilitate payments to respondents for their participation in the survey.
SORN coverage is not required for the survey, because the responses are not retrieved by
PII. Once CN3S downloads the survey responses, it de-identifies the data, removing the
name and email addresses from the survey responses. The survey responses are then
aggregated for reporting. SORN coverage for the FAA network access records is under
DOT/ALL 13, Internet/Intranet Activity and Access Records, 67 FR 30757 (May 7, 2002).
The RMO has determined that a new retention schedule is required to cover the survey
responses. This retention schedule is in progress. Additionally, the IT access records are
covered under National Archives and Records Administration, General Records Schedule
3.2, approved January 2017, Information System Security Records, item 30 System access
records, which are temporary records that may be destroyed when business use ceases under
DAA-GRS-2013-0006-0003.
Lastly, the following Plan of Action & Milestones (POAMs) are recommending to
remediate the following privacy risks:
DM-2 Data Retention & Disposal
o Issue: A new retention schedule for the substantive survey records is in
progress.
o Requirement: Maintain all survey records as permanent until schedule is
approved by NARA.
o Issue: An FAA contractor, Neese Personnel, maintains the PII of survey
participants for 3 years to meet legal requirements. No corresponding record
schedule was identified for these records.
o Requirement: Identify or create a record schedule for the compensation
records associated with the survey, and establish a process to verify the
destruction of these records.
5 COMPONENT REVIEW
Prior to submitting the PTA for adjudication, it is critical that the oversight offices
within the Component have reviewed the PTA for completeness, comprehension and
accuracy.
Component Reviewer
Name
13
Review Date
�U.S. Department of Transportation
Business Owner
Ashley Awwad
1/13/2021
General Counsel
Sarah Leavitt
2/19/2021
Information System
Security Manager (ISSM)
None
None
Privacy Officer
Essie L. Bell
2/11/2021
Records Officer
Kelly Batherwich
1/5/2021
Table 1 - Individuals who have reviewed the PTA and attest to its completeness, comprehension and accuracy.
14
�U.S. Department of Transportation
Control
#
Control Name
Primary PTA Question
AP‐1
Authority to
Collect
1.2 ‐ Overview
Satisfied Other
N/A
than
Satisfied
X
DOT CPO Notes
POA&M: PRA Package must be approved before
collection.
Note: recommend updating DOT/FAA 847 to
include participation in research.
Recommend updating DroneZone portal to have
explicit opt in to participate in surveys/research.
Survey responses will be de‐identified and not
retrieved by a unique identifier associated with a
respondent. Substantive records do not require
SORN coverage.
Records created for the purposes of account
creation, logging, auditing, etc. are covered by
DOT/ALL‐13.
AP‐2
AR‐1
AR‐2
Purpose
Specification
Governance and
Privacy Program
Privacy Impact
and Risk
Assessment
1.2 ‐ Overview
X
Common Control
X
Program Management
Purpose defined.
Addressed by DOT CPO.
POA&M
Issue: Information collection involves members of
the public. Requirement: submit and receive
approval of Privacy Impact Assessment (PIA) from
DOT CPO. PIA should cover all phases of the study
and tools to collect and analyze data. Timeline:
X
1
�U.S. Department of Transportation
Control
#
Control Name
Primary PTA Question
Satisfied Other
N/A
than
Satisfied
DOT CPO Notes
Prior to study activities involving members of the
public.
Privacy
Requirements for
Contractors and
Service Providers
AR‐4
Privacy
Common Control
Monitoring and
Auditing
Privacy Awareness Common Control
and Training
X
POA&M
Issue: unclear whether contract includes standard
language and procedures for data retention
timelines. Requirement: review contracts and
update accordingly. Timeline: prior to collection.
See DM‐2.
Addressed by DOT CPO.
X
Addressed by DOT CPO.
AR‐6
AR‐7
Privacy Reporting
Privacy‐Enhanced
System Design
and Development
Common Control
2.5 ‐ SSN Reduction
X
Addressed by DOT CPO.
SSN not collected.
Business owner is responsible for ensuring DOT
Privacy Risk Management Policy and the FIPPs are
applied to all data holdings and systems.
AR‐8
Accounting of
Disclosures
2.7 ‐ SORN
AR‐5
3.3 ‐ Contractor
System
AR‐3
X
X
X
2
Not maintained in SOR.
Records created for the purposes of account
creation, logging, auditing, etc. are covered by
DOT/ALL‐13.
�U.S. Department of Transportation
Control
#
Control Name
Primary PTA Question
Satisfied Other
N/A
than
Satisfied
DI‐1
Data Quality
1.2 ‐ System Overview
X
Not maintained in SOR.
Records created for the purposes of account
creation, logging, auditing, etc. are covered by
DOT/ALL‐13.
DI‐2
Data Integrity and
Data Integrity
Board
Minimization of
PII
3.4 ‐ Security Risk
Categorization
X
Activity does not constitute sharing covered by the
CMA.
2.2 – Information
About Individuals
X
Data collection consistent with purpose.
DM‐2
Data Retention
and Disposal
2.11 ‐ Records
Disposition Schedule
X
DM‐3
Minimization of
PII Used in
Testing, Training,
and Research
Consent
2.2 – Information
About Individuals
Cross reference with AR‐3.
POA&M
Issue: it is unclear if there are established
protocols/timelines for data retention timelines.
Requirement: establish protocols and data
retention timleines, and if already established,
include in PIA. Timeline: prior to collection.
System not used for testing, training, research.
DM‐1
IP‐1
2.7 ‐ SORN
X
DOT CPO Notes
X
3
Participants receive informed consent notice.
Participation is voluntary.
�U.S. Department of Transportation
Control
#
Control Name
Primary PTA Question
Satisfied Other
N/A
than
Satisfied
DOT CPO Notes
IP‐2
Individual Access
2.8 – Exemption Rule
X
IP‐3
Redress
2.7 ‐ SORN
X
IP‐4
Complaint
Management
Common Control
X
SE‐1
Inventory of PII
Common Control
X
SE‐2
Privacy Incident
Response
Common Control
X
TR‐1
Privacy Notice
2.7 ‐ SORN
TR‐2
System of Records 2.7 ‐ SORN
Notices and
Privacy Act
Statements
Not maintained in SOR.
Records created for the purposes of account
creation, logging, auditing, etc. are covered by
DOT/ALL‐13.
Not maintained in SOR.
Records created for the purposes of account
creation, logging, auditing, etc. are covered by
DOT/ALL‐13.
Addressed by DOT CPO.
Not IT system under FISMA.
Addressed by DOT CPO.
X
4
X
Not maintained in SOR.
Records created for the purposes of account
creation, logging, auditing, etc. are covered by
DOT/ALL‐13.
Not maintained in SOR.
Records created for the purposes of account
creation, logging, auditing, etc. are covered by
DOT/ALL‐13.
�U.S. Department of Transportation
Control
#
Control Name
Primary PTA Question
TR‐3
Dissemination of
Privacy Program
Information
Common Control
UL‐1
Internal Use
2.10 ‐ Internal and
External Use
UL‐2
2.10 ‐ Internal and
Information
Sharing with Third External Use
Parties
Satisfied Other
N/A
than
Satisfied
DOT CPO Notes
X
Addressed by DOT CPO.
X
X
5
No internal data exchange.
Records created for the purposes of account
creation, logging, auditing, etc. are covered by
DOT/ALL‐13
Information not authorized for disclosure beyond
DOT/DOT‐contractors.
Records created for the purposes of account
creation, logging, auditing, etc. are covered by
DOT/ALL‐13.
�U.S. Department of Transportation
1
�
| File Type | application/pdf |
| File Title | Microsoft Word - Privacy-FAA-CAMI UAS Market Survey-PTA-01.15.21-Adjudicated.docx |
| Author | karyn.gorman |
| File Modified | 2021-03-01 |
| File Created | 2021-03-01 |