Draft PIA

Privacy-FAA-SAS-PIA-5262021.docx

Safety Assurance System External Portal

Draft PIA

OMB: 2120-0774

Document [docx]
Download: docx | pdf

DOT Logo U.S. Department of Transportation

­­









U.S. Department of Transportation Logo

Privacy Impact Assessment

Federal Aviation Administration [FAA]

Office of Aviation Safety (AVS)

Safety Assurance System (SAS)

Responsible Official

  1. John Frye, System Owner

  2. Email: [email protected]

  3. Phone Number: [Telephone Number]


Reviewing Official

  1. Karyn Gorman
    Acting Chief Privacy & Information Asset Officer
    Office of the Chief Information Officer
    [email protected]
    [Publication Date]

Shape1

Executive Summary

Title 49 United States Code (U.S.C.) § 4471 tasks the Federal Aviation Administration (FAA) to promote the safe flight of civil aircraft in air commerce by prescribing regulations and minimum standards for safety and security in air commerce. The FAA’s Flight Standards Service (FS) created the System Approach for Safety Oversight (SASO) Program Office to develop and implement a comprehensive system for safety approach and oversight of aviation certificate holders and applicants (CH/As). SASO Program Office implemented a set of system safety practices called the Safety Assurance System (SAS). SAS supports the FAA’s FS and Office of Hazardous Materials Safety (AXH) by monitoring and managing aviation certificate holders, applicants for aviation certificates (CH/As), and risk activities in aviation safety.2


In accordance with E-Government Act of 2002, the FAA is developing this Privacy Impact Assessment (PIA) because SAS collects personally identifiable information (PII) of members of the public and FAA employees and contractors.


What is a Privacy Impact Assessment?

The Privacy Act of 1974 articulates concepts for how the federal government should treat individuals and their information and imposes duties upon federal agencies regarding the collection, use, dissemination, and maintenance of personally identifiable information (PII). The E-Government Act of 2002, Section 208, establishes the requirement for agencies to conduct privacy impact assessments (PIAs) for electronic information systems and collections. The assessment is a practical method for evaluating privacy in information systems and collections, and documented assurance that privacy issues have been identified and adequately addressed. The PIA is an analysis of how information is handled to—i) ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; ii) determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and iii) examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.3

Conducting a PIA ensures compliance with laws and regulations governing privacy and demonstrates the DOT’s commitment to protect the privacy of any personal information we collect, store, retrieve, use and share. It is a comprehensive analysis of how the DOT’s electronic information systems and collections handle personally identifiable information (PII). The goals accomplished in completing a PIA include:

  • Making informed policy and system design or procurement decisions. These decisions must be based on an understanding of privacy risk, and of options available for mitigating that risk;

  • Accountability for privacy issues;

  • Analyzing both technical and legal compliance with applicable privacy law and regulations, as well as accepted privacy policy; and

  • Providing documentation on the flow of personal information and information requirements within DOT systems.

Upon reviewing the PIA, you should have a broad understanding of the risks and potential effects associated with the Department activities, processes, and systems described and approaches taken to mitigate any potential privacy risks.


Introduction & System Overview

SASO Program Office, Flight Standards (FS), performs oversight for the FAA to assure the highest level of safety in the National Airspace System (NAS) by verifying an aviation organization or designee complies with and uses safety-related standards, regulations and associated procedures. SAS is a web-based application used by FS and AXH personnel as an oversight tool to capture data associated with the certification, Continued Operational Safety (COS) (surveillance) and certificate management of certificate holder and applicants (CH/A). SAS collects and stores information on members of the public to assist in aviation safety surveillance and certification programs and grants external user accounts to CH/As. SAS collects and stores information on FAA employees and contractors (personnel) to access the web-based application to assist them with the monitoring of aviation certificate applicants and CHs. The Office of Hazardous Materials Safety (AXH) uses SAS for certificate holder surveillance; Other Regulated Entity (ORE) oversight, which includes the investigation of reported hazardous material incidents; and data related to when CHs find hazardous materials in a passenger’s baggage. See Appendix A for list of all PII collected and maintained in SAS through the external portal and various forms.

SAS provides an external portal (sas.faa.gov) for members of the public (CH/As) to start the certification process and an internal portal (sas.avs.faa.gov) for FAA employees to manage the certification process and resolve incidents involving hazardous materials. SAS was implemented to standardize the oversight of Title 14 of the Code of Federal Regulations (CFR) parts 121 and 135 for air operators, parts 141-142, 145 and 147 for air agencies, and 49 CFR part 175 for hazardous materials transported on aircraft. SAS consists of five modules that provide for the initial certification and COS of CH/As: Configuration, Planning, Resource Management, Data Collection, and Analysis Assessment Action.

Note: Any reference to “FAA”, or “FAA employees/personnel” includes both FS and AXH employees unless otherwise specified.

External Portal:

CH/As use the SAS external portal, https://sas.faa.gov, to submit an aviation certificate application, amend an existing certificate, or communicate with their local FSDO. Members of the public most likely to use SAS are air carriers, commuter airlines, repair stations, and other business entities involved in aviation activities. The certificate application process begins with the applicant registering for a SAS account on the external portal. The external portal also includes an access point for the uploading of passenger discrepancies by air carriers in the SAS Passenger Module.

User Registration Process

Members of the public (CH/As) submit a registration request by selecting the “Sign up for SAS” link at https://sas.faa.gov. The CH/A selects whether they are an applicant for certification or current certificate holder. All CH/As must acknowledge they have read the certification process and associated requirements. The CH/A submits their full name, zip code and email address to start the user registration process. The CH/A’s information transmits securely within SAS to the FAA Point of Contact (POC) at the local Flight Standards District Office (FSDO), as determined by the applicant’s zip code. The CH/A receives an automated email notification of receipt generated by SAS, a User ID, temporary log in password and a link to log into the SAS Provisioning Portal. CH/As, click the link and log in to the Provisioning Portal with their User ID and temporary password. SAS prompts each CH/A to complete security questions and replace the temporary password with a new password. SAS generates and sends an email notification of successful registration to the CH/A. CH/As will authenticate into SAS by logging their User ID and password for each subsequent sessions. CH/As have full access to the External Portal once approved for a SAS account. CH/As complete the provisioning step one-time, yet, must complete the “Sign up for SAS” step for each new certificate application. The CH/A clicks on the registration link (valid for only 24 hours) which takes the applicants to the Pre-Application Information Submission Page.

Pre-Application Process

  • The applicant continues with the certification request at the Pre-Application Information Submission page. The CH/A submits their Personally Identifiable Information (PII) into SAS, including but not limited to the following:

  • Full name;

  • Job title;

  • Business address;

  • Country (if foreign);

  • Business phone number; and

  • Business email address.

Upon submission, the applicant navigates through the Pre-Application Statement of Intent (FAA Form 8400-6) and enters the following PII:

  • Full name and mailing address of the company;

  • Address of principal base where operations will be conducted;

  • Company email address;

  • Doing Business As (DBA);

  • Chief Executive Officer’s (CEO’s) full name, telephone number, mailing address, and email address)

  • Management personnel (complete list of full names, title, telephone number, and email addresses of individuals in management positions in the company);

  • Proposed type of operation (check boxes dealing with 14 CFR Part 121, 135 or 141, 142, 145 and 147);

  • Proposed type of agency and ratings (check boxes);

  • Aircraft serial number;

  • Aircraft make, model and series;

  • Open-text box to provide additional information on the proposed operation or business;

  • Full name, signature, and job title of company’s authorized representative;

  • FAA Precertification number;

  • Full name of FAA representative; and

  • Open-text box of remarks from FAA representative.

CH/A’s may make changes to their pre-application page at any time before submission. If changes are needed after submission, the applicant must contact the FAA to reject the pre-application submission, start the process over as outlined previously and resubmit the pre-application.

The final screen in the Pre-Application Information Submission page allows users to upload the FAA Form 8400-6 Pre-Application Statement of Interest (PASI) form (for 121, 135, 145 and 147); FAA Form 8420-8 Application for Pilot School Certification (141); the Letter of Intent (142); and FAA Form 8310-3 Repair Station Form; and any additional forms required for certification and compliance. FAA Form 8400-6, 8310-3 and 8420-8 collect PII from the CH/A, which is referenced in Appendix A. The form’s open text field could include unsolicited PII from the applicant, yet, a Certification Program Manager (CPM) or Principal Inspector (PI) redacts any PII prior to uploading the form or manually inputting the data into SAS. Applicants upload and submit Form 8400-6, 8420-8, or 8310-3 electronically, or print out the form and mail it to the local FSDO. The CPM or PI uploads or manually inputs hard copy forms (if received by mail) into SAS. Hard copy forms are stored in a locked cabinet, and or electronic forms are stored on a Knowledge Services Network (KSN) site until destruction in accordance to the records retention schedule. The local FSDO uses Form 8400-6, 8420-8, and 8310-3 to assess the size and scope of the proposed operation, and contact the individual applicant.

System Functionality

When CH/As log in, the External Portal home screen displays, which contains a menu with the following options: Pre-Application Information (as described above); Certification Request, Configuration, Data Collection Tools, Schedule of Events, and Document Management.

Certification Request

The Certification Request tab allows CH/As reviewing the status of the application (Applicant Information) and/or Certification Information. Data that is stored in this tab includes the following:

  • Designator Code;4

  • Applicant Name;

  • SAS ID;

  • FSDO location;

  • FAA Precertification Number;

  • Proposed Type of Operation;

  • Date of Proposed Start-Up;

  • Certification Status;

  • Last updated by (SAS System or User);

  • Date and Time of Last Update; and

  • Applicant POC’s Name, email Address, phone Number, and mailing address.


If the CH/As submitted their application using the external portal, they can make changes to their application or certification information only if FS personnel sends the application back to the CH/A electronically within SAS, and CH/As resubmit their amended information with the new application.

Configuration

The Configuration Tab consists of Configuration data, Operating data, and Repair Station Form 8310-3. Configuration data is a set of characteristics or attributes that describe a CH’s scope of operations and specifications. CH/As can change their configuration data in the SAS external portal and submit the proposed changes to their FSDO for approval, known as a Change Request. The FSDO receives and approves the request in SAS if sent within the External Portal. If the changes are submitted via email, then the FSDO will input the Change Request in SAS. Configuration data includes information on the following categories:

  • Operations specifications information includes route structures, fleet size, number of aircraft in fleet, fleet composition, number of repairmen, facility locations, and number of seats in aircraft.

  • Vitals includes the company’s Chief Executive Officer’s (CEO) full name, address, business phone number, county of operations, fax number, and email address.

  • Contractor’s information includes all the full names, addresses, telephone numbers, email addresses, fax numbers, and company names for all service providers that contracts with the certificate holding company.

Operating Profile (OP)



The Operating Profile is a list of systems/subsystems, elements and questions that are applicable to a CH/A’s scope of operation. CH/As create the Operating Profile (OP) in the external portal, based on the list of the functions that a CH/A performs, as well as applicable regulatory requirements, hazard analysis, configuration information, and performance history. The OP contains information about the applicant, such as personnel policies, procedures manuals, quality control, training and technical data, its record system, housing and facilities, tools and equipment, and parts and materials. FS personnel use this information to determine safety risks as part of their risk assessment duties. The OP contains the list of assessments the FAA conducts as a part of the oversight of the CH/A.







Repair Station Form 8310-3



The Repair Station Form 8310-3 is the application for an aviation repair station to become an authorized Part 145 Repair Station, to change ratings, to change location, housing or facilities, change in ownership and other. The 8310-3 form collects the company name, location, business address, doing business as name (D/B/A), authorized signatory for the company, job title, and authorization signature, which certifies the individual is authorized by the repair station to make the application, as well as the FAA’s safety inspector’s name, title and signature. The owner of the repair station applying for a certificate (or an individual authorized by the owner) fills out the form, appends attachments to the application, and submits within SAS or mailing a hard copy to the local FSDO. Once received, a FSDO employee uploads the hard copy or manually inputs the data into SAS. Hard copy 8310-3s are stored in a locked file cabinet at the local FSDO once uploaded into SAS. There is no renewal process for the repair station once certified. If the certificate is suspended or revoked, the repair station must restart the certification process.

Data Collection Tools (DCTs)

CH/As use Element Design (ED) DCTs to submit data on themselves utilizing the Self-Assessment/Self-Audit for 14 CFR Part 121, 135, 141, 142, 145 and 147. An ED DCT consists of questions designed by the FAA to determine if a CH/A meets the regulatory requirements and safety standards. CH/As may enter data in DCTs as part of the initial certification or other processes. Most of the data fields are drop-down, populated text. The DCTs do not collect PII, though, use to make informed decisions about the CH/A’s operating system(s) before approving or accepting them when required to do so by regulation, and during recurring Performance Assessments (PAs).

Schedule of Events



The Schedule of Event tab provides a checklist of events; drop down menus indication the status of the event; and fields to select proposed, current, accepted baseline and completion dates using electronic calendars. The CH/A sets a timeline for the completion of events for their certification process. For example, CH/A submit proposed dates of completion for each event that is listed. Each event has an open text field for CH/As to input comments on the status of events, which are viewed by FAA personnel comments. These events include meetings and other items needed for certification.

Document Management

The Document Management tab allows CH/As to submit supporting documentation to ASIs. If PII is inadvertently included in this documentation, FAA personnel will redact the PII. Folders contained in the Document Management tab are for the following: Formal Application, Other Certification, Configuration Changes, and Data Collection. CH/As upload documents in the Formal Application folder for certificate application review. CH/As upload supporting documents that they believe are applicable to their certificate application but are not listed in the Formal Application folder in the Other Certification folder. When uploading documents, CH/As enter a description of the uploaded document in an open-text comment box. SAS sends the applicable ASI a notification when the applicant for which they are assigned uploads a document in the Document Management. ASIs and the CH/A can submit documents in this tab.

Internal Portal

FAA personnel, such as Aviation Safety Inspectors (ASIs), Principal Inspectors (PIs) and Hazardous Material Aviation Safety Inspectors (HM ASIs), and other FAA personnel access the SAS internal portal via their Personal Identity Verification (PIV) card at https://sas.avs.faa.gov. SAS requires FAA personnel to complete training and submit a user request form to a FAA AVS Manager. A FAA AVS Manager must approve the FAA user’s access to the system. An email notification is sent to the FAA user once access has been granted. ASIs/PIs and HM ASIs use the SAS to help with their certification and safety oversight by providing tools for planning and scheduling, helping to identify hazards within an environment, and helping to eliminate or control risk. Safety Inspectors also utilize the internal portal to perform Design Assessments (DAs) and Performance Assessments (PAs) based on safety principles and enter all information collected via the DCT into SAS.

A typical certification transaction for FS personnel within SAS begins when a certificate holder submits a change request of configuration data or certificate application through the SAS external portal. When an applicant submits an FAA Form 8400-6, 8420-8, 8310-3 or Letter of Intent (142), they select the nearest FSDO and that FSDO will be notified of the submission. Once an application is received, review for accuracy and approval occurs. CH/As receive and amend rejected applications for resubmission. The Certification Project Team5 reviews the submission with the requested changes; reviews the regulatory requirements, FAA’s policy and guidance for the process; verifies the accuracy of answers provided by the CH/A, and determines if the changes in the process design meet the requirements for approval and acceptance. This review process allows the CH/A and the FAA to see how the proposed changes affects the CH/A operating profile and Comprehensive Assessment Plan (CAP).6 Once a change is approved, SAS updates the CH/A operating profile and CAP to reflect the new information.

The Internal Portal web site contain five (5) interactive panes: a main Home/Links pane; a Notifications pane; a Messages pane; a Broadcasts pane and an Activity Recording pane.

Home/Links



The Home/Links pane contains a fly out window that contains links FAA use at each phase of the CH/A process. This menu has links for: Activity Recording; Certification Projects; Configuration Module, Planning Module, Resource Management Module, Data Collection Module, Reports, and Create DCTs.



Notifications Pane



FAA employees receive automated alerts that an action is due stored in this pane.



Messages Pane



FAA employees use this pane to send and respond to messages directly to CH/As. The message is a free text field and may include limited PII sent at the sender’s discretion.

Broadcast Pane

FAA employees receive official messages, such as updates to SAS software and DCT, within this pane. No PII is ever included in these official messages to internal users.

Activity Recording Pane

Aviation Safety Inspectors (ASIs) use this pane to document inspections, such as Activity to Go Reports, and other work associated with certificate holders and individual airman. See Appendix B for the list of information collected in these reports.

Hazardous Materials Incident Reporting

The Office of Hazardous Materials Safety (AXH), as prescribed by 49 CFR Parts 171-180, use the SAS internal portal to conduct surveillance on CHs and other entities that offer or transport hazardous materials. AXH surveillance includes the investigation of hazardous materials incidents, or data related to a CH’s discovery of hazardous materials in a passenger’s baggage. 49 CFR 175.31 requires each person as defined by 49 CFR 171.8 who discovers a discrepancy7 relative to the transportation of hazardous materials, to notify the nearest FAA Regional or Field Security office by telephone or email ([email protected]) outside of SAS.8 AXH personnel monitor the email inbox and manually enter reports into the Passenger Module in SAS. AXH personnel must collect the following data for each hazardous material discrepancy:

  • Full name and telephone number of the person reporting the discrepancy;

  • Name of the aircraft operator;

  • Specific location of the shipment concerned;

  • Type of hazardous material found;

  • Name of the shipper;

  • Nature of the discrepancy; and

  • Address of the shipper or individual responsible for the discrepancy, if known, by the air carrier.

AXH personnel evaluate all the reports for risk based on item reported and the hazardous material regulations.9 All higher-risk items or conditions are processed as enforcement investigations outside of SAS. Only low-risk items or conditions are processed within SAS and passengers of record are mailed a stakeholder outreach letter. SAS sends the outreach letter as the only communication to the passenger of record. The letter states the following information:

  • the discovery of hazardous material found in the passenger’s bag;

  • legal citation (49 CFR 175.10) that prohibits the transport of hazardous materials;

  • contact information for the passenger to reach out in regards to confiscated items; and

  • notation that the discrepancy matter is closed.

SAS retains all data, including the name and address of the shipper, contained in the outreach letters until a configurable time (set by AXH via a SAS utility) when the name and address of the shipper is expunged from SAS. SAS retains the name of the aircraft operator, name of the hazardous material, and location found for trend analysis.10

Shipping incidents that deal with hazardous material leakages require the individual or entity that discovers the spill to report the information to the Department of Transportation (DOT), and many instances to the FAA.11 The report is made on DOT FORM F 5800.1, sent to the DOT, and investigated by AXH personnel if the report is made to the FAA. AXH personnel would input some of the following information from FORM F 5800.1 into the SAS Other Regulated Entities (ORE) Module:

  • Full name of the reporting CH (air operator);

  • Business address of the reporting CH (air operator);

  • Full name and mailing address of the shipper;

  • Full name of the CH’s authorized representative;

  • Job title of CH’s authorized representative; and

  • Business address, telephone number, email address and fax number of CH’s authorized representative.

AXH personnel conduct the investigation against the person/company that offered the shipment of the hazardous material. AXH input fact-based findings into the comments box within the module. This module would capture any referral to the AXH enforcement process (not in SAS). If the investigation leads to enforcement actions, AXH personnel complete the investigation in EIS,12 yet, SAS would not annotate the enforcement decision or disposition.

Fair Information Practice Principles (FIPPs) Analysis

The DOT PIA template is based on the fair information practice principles (FIPPs). The FIPPs, rooted in the tenets of the Privacy Act, are mirrored in the laws of many U.S. states, as well as many foreign nations and international organizations. The FIPPs provide a framework that will support DOT efforts to appropriately identify and mitigate privacy risk. The FIPPs-based analysis conducted by DOT is predicated on the privacy control families articulated in the Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP) v313, sponsored by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Federal Chief Information Officers Council and the Privacy Controls articulated in Appendix J of the NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations14.

Transparency

Sections 522a(e)(3) and (e)(4) of the Privacy Act and Section 208 of the E-Government Act require public notice of an organization’s information practices and the privacy impact of government programs and activities. Accordingly, DOT is open and transparent about policies, procedures, and technologies that directly affect individuals and/or their personally identifiable information (PII). Additionally, the Department should not maintain any system of records the existence of which is not known to the public.

The FAA employs multiple techniques informing members of the public and FAA personnel of the purposes for which the FAA collects, uses, disseminates, and retains their PII within SAS.

The FAA privacy policy link is available on the SAS website that provides notice to certificate holders and applicants (CH/As) on the FAA’s authorized use of CH/A data. The FAA privacy policy demonstrates DOT’s commitment to provide transparency about its privacy practices to certificate holders and applicant individuals and/or organizations involved in aviation safety surveillance activities who use SAS, and are published on the DOT website at www.transportation.gov/privacy.

SAS does provide a Privacy Act Statement (PAS) on the external portal homepage, www.sas.faa.gov, to inform external users that information collection is needed to create user accounts and allow individual access to the system to start the initial certification process.

SAS manages and maintain certificate holder applications and existing certificates. These certificate applications and existing certificates are maintained in SAS pursuant to System of Record Notice SORN DOT/FAA 847 – Aviation Records on Individuals – November 9, 2010 – 75 FR 68849. DOT/FAA 847 advises the public of the FAA’s privacy practices regarding the collection, use, sharing, safeguarding, maintenance, and disposal of information about an individual collected in aviation safety matters including initial certification and continued operational safety requirements.

The FAA relies upon DOT/ALL 13 – Internet/Intranet Activity and Access Records (67 FR 30757, May 7, 2002) SORN to provide notice to all members of the public and DOT employees and contractors of its privacy practices regarding information about DOT employees (including contractors) collected or transmitted by agency networks while performing their business duties and gaining access to SAS.

The publication of this PIA demonstrates DOT’s commitment to provide transparency about its privacy practices to all users of SAS.

Individual Participation and Redress

DOT provides a reasonable opportunity and capability for individuals to make informed decisions about the collection, use, and disclosure of their PII. As required by the Privacy Act, individuals should be active participants in the decision-making process regarding the collection and use of their PII and they are provided reasonable access to their PII and the opportunity to have their PII corrected, amended, or deleted, as appropriate.

SAS collects information directly from CH/As (individuals or businesses) and individuals conducting surveillance activities of existing certificate holders. SAS collects the following information from the certificate holders and applicants to complete user registration and complete the certificate application process, and/or individuals, such as designees, flight instructors, and examiners, that perform continued operational surveillance activities for the SASO:

  • CH/A’s full name;

  • CH/A’s company name;

  • Email address;

  • Requested three-letter company identifier;

  • Business email address with zip code;

  • Business telephone number;

  • Airman certificate number and type;

  • User ID;

  • Password recovery questions;

  • Password;

  • Job title;

  • Address of principal bases where operations will be conducted;

  • Company email address;

  • Doing Business As (DBA);

  • CEO’s full name, telephone number, mailing address, and email address;

  • List of full names, telephone numbers, and email addresses of company individuals with management positions;

  • Aircraft owner’s full name and address;

  • Aircraft registration number;

  • Aircraft make, model, and serial number;

  • Aircraft certificate class and type;

  • Full name, signature, and job title of company’s authorized representative;

  • Full name of flight school;

  • Telephone number of flight school;

  • Address of principal business office;

  • Location of satellite base(s);

  • Full name, signature, and certificate number of flight instructor;

  • Full name of repair station and number;

  • Official mailing address of repair station;

  • Full name of repair station owner(s); and

  • Date, full name of authorized POC, job title, and signature.

AXH personnel input information from DOT forms, like FORM F 5800.1, collected from authorized points of contact of businesses, such as certificated air carriers, reporting hazardous materials leakages or transport incidents involving hazardous materials.

Regarding redress, CH/As cannot alter, amend or delete their user profile in SAS. However, since some of these individuals can be associated with multiple certificates, CH/As can change the information on the certificate or application that is associated with their user profile.

The CH/A cannot alter or amend the application information once the certificate application has been submitted and accepted by Flights Standards. If changes are needed to be made to the application, the CH/A must contact the Flight Standards office by phone (1-855-835-5322) or email ([email protected]) and have FAA send the application back to the external user to make the edits or alterations in SAS. Once the changes are made to their PII, the application can be submitted via electronically ([email protected]) or via postal mail to the address of the local FSDO nearest to the CH/A’s location.

Additionally, under the provisions of the Privacy Act, CH/As and FAA employees and contractors may request searches in SAS to determine if any records have been added that may pertain to them. CH/As and FAA employees and contractors wishing to know if their records appear in SAS as well as individuals wanting to contest information about them that is contained in those systems may inquire in person or in writing to:

Federal Aviation Administration

Privacy Office

800 Independence Avenue (Ave), SW

Washington, DC 20591


The request must include the following information:


  • Name

  • Mailing address,

  • Phone number and/or email address, and

  • A description of the records sought, and if possible, the location of the records.


Individuals may also use the above address to register a complaint or ask a question regarding FAA’s privacy practices.

Additional information about the Department’s privacy program may be found at https://www.transportation.gov/privacy. Individuals may also contact the DOT Chief Privacy Officer at [email protected].

Purpose Specification

DOT should (i) identify the legal bases that authorize a particular PII collection, activity, or technology that impacts privacy; and (ii) specify the purpose(s) for which it collects, uses, maintains, or disseminates PII. The PII contained in PTB is utilized for transit subsidy usage reconciliation, reporting for the agency, monitoring, and tracking participant usage.

The following legal authorities authorize the FAA’s collection of PII belonging to airmen, air carrier representatives, repair stations, flight schools, or other business entities:

  • Administrative: 49 U.S.C. §44103 empowers the Administrator of the FAA to regulate the transportation of hazardous material by air.



  • General Requirements: 49 U.S.C. §44701 empowers the Administrator of the FAA to prescribe minimum standards required in the interest of safety for performance of aircraft, aircraft engines, and propellers;…minimum safety standards for an air carrier to whom a certificate is issued under section 44705 of this title.”



  • Title 14 of the Code of Federal Regulations (14 CFR) Part 121 provides the regulatory authority for the collection of PII of “each person who, after January 19, 1996, applies for or obtains an initial air carrier or operation certificate….to conduct scheduled passenger-carrying operations…”



  • Issuance of Certificates: 49 U.S.C. §44702 empowers the Administrator of the FAA to “issue airman certificates, design organization certificates, production certificates…in consideration of the duty of an air carrier to provide service with the highest possible degree of safety in the public interest”.



  • Air Carrier Operating Certificates: 49 U.S.C. §44705 empowers the Administrator of the FAA to “issue an air carrier operating certificate to a person desiring to operate an air carrier.”



  • 14 CFR Part 135 provides the regulatory authority that corresponds to this legal authority for “each certificate holder that was issued an air carrier or operating certificate and operations specifications before 1/19/1996 and conducts scheduled passenger-carrying operations.”



  • Examining and Rating Air Agencies (Repair Stations): 49 U.S.C. §44707 empowers the Administrator of the FAA to “examine and rate the (2) repair stations and shops that repair, alter, and maintain aircraft, aircraft engines, propellers, and appliances”.



  • 14 CFR Part 145 provides the regulatory authority for the collection of PII from “any person who holds, or is required to hold, a repair station certificate under this part.”



  • Reports of Violations: 14 CFR §13.1 provides the legal authority for the reporting of any violation of the Hazardous Materials Transportation Act relation to the transportation or shipment by air of hazardous materials, or any rule, regulation, or order issued, to the appropriate personnel of any FAA regional or district office.



  • Immediate notice of certain hazardous material incidents: 49 CFR § 171.15 and Detailed hazardous materials incident reports: 49 CFR § 171.16 empower “each person in physical possession of hazardous material at the time of any incident that occurs during transportation must submit a Hazardous Material Incident report on DOT Form 5800.1 within 30 days of discovery of the incident.” 14 CFR Part 175 provides the regulatory authority to support the reporting requirement as prescribed by the following legal authority.



Any PII, such as full name, business email address, company name, business address, telephone number, airman certificate number, or job title, is used in SAS for the purpose of processing and managing aviation certificate applications, existing certificates, and hazardous material reporting incidents.

SAS’s PII collection is consistent with the purposes for which it is collected, as described in DOT/FAA 847 – Aviation Records on Individuals – November 9, 2010 – 75 FR 68849.

Data Minimization & Retention

DOT should collect, use, and retain only PII that is relevant and necessary for the specified purpose for which it was originally collected.

The FAA manages risk by minimizing the amount of PII collected by SAS to the information that is relevant and necessary to assist SAS in processing aviation certificate applications and managing existing certificates, and safety oversight of aviation surveillance activities. SAS automatically purges, based on configuration by AXH, PII from outreach letters sent to passengers after a set time that allows for reprinting of a letter if the first letter is not received.

The FAA retains records and disposes of them in accordance with the National Archives and Records Administration (NARA) DAA-0237-2020-003415 schedule, Safety Assurance System. The classes of data and their retention schedules proposed for SAS are outlined below:

  • Records concerning CH/As’ certificate applications and certificate data destroyed 5 years after the certificate and/or entity is no longer active, or no longer needed for reference, whichever is sooner.

  • Records concerning risk assessment data specific to CHs or OREs destroyed 5 years after the certificate is no longer active or when no longer needed for reference, whichever is sooner.

  • Records concerning the oversight plan (data collection) of CHs and OREs destroyed 10 years or when no longer needed for reference, whichever is sooner.

  • Records concerning resourcing and not resourcing work assignments destroyed after 10 years or when no longer needed for reference, whichever is sooner.

  • Records concerning the CH/A’s or ORE’s operating system destroyed 10 years or when no longer needed for reference, whichever is sooner.

  • Records concerning FAA employees’ evaluation, analysis, and track actions about the CH/A’s or RE’s operating systems destroyed 10 years or when no longer needed for reference, whichever is sooner.

  • Records concerning internal user’s (FAA employee’s) information destroyed 10 years after the employee has departed the FAA and after all related records have been disposed.

  • Records concerning passenger and related hazardous good violations data destroyed 10 years. All passenger PII expunged by automation after outreach letter processing.



The schedule is currently in draft form and pending approval by NARA upon final review.

The system access records are retained and disposed of by the FAA in accordance with NARA, Information Systems Security Records, General Records Schedule (GRS) 3.2, Item 30: System Access records. The records are destroyed when business use ceases.

Use Limitation

DOT shall limit the scope of its PII use to ensure that the Department does not use PII in any manner that is not specified in notices, incompatible with the specified purposes for which the information was collected, or for any purpose not otherwise permitted by law.

FAA limits the use of PII through Privacy Act Statements (PAS), SORNs, and privacy training and awareness to those FAA personnel with a business need for the information. SAS uses PII collected from members of the public for the purposes for which it was created, which is to create an account, process initial aviation certificate applications, Repair Station applications, amend an existing aviation certificate, or communicate with the local FSDO. SAS uses PII from FAA personnel for purposes, which it was created, which is to authorize personnel’s access to SAS, and perform performance and design assessments for safety oversight and risk management of aviation activities.

Records in SAS are not shared outside of DOT, and are maintained for the purposes of managing oversight of all aviation certificate holders and applicants. Records in SAS may be used in accordance with SORN DOT/FAA 801 - Aircraft Registration System, as follows:


  • To provide basic aircraft information, such as aircraft’s owner name, address, U.S. Registration number, aircraft type, legal documents related to the title or financing of an aircraft to the public (including government entities, title companies, financial institutions, international organizations, FAA designee airworthiness inspectors).


Records in SAS may be used in accordance with SORN DOT/FAA 847 – Aviation Records of Individuals, as follows:


  • To disclose information to the National Transportation Safety Board (NTSB) in connection with its investigative responsibilities.


  • To make airman, aircraft and operator record elements available to users of FAA’s Skywatch system, including the Department of Defense (DoD), the Department of Homeland Security (DHS), the Department of Justice (DOJ) and other authorized government users, for their use in managing, tracking and reporting aviation-related security events.


In addition to other disclosures generally permitted under 5 U.S.C. § 552a (b) of the Privacy Act, all or a portion of the records or information contained in this application may be disclosed outside DOT as a routine use pursuant to 5 U.S.C. § 552a (b) (3) as provided in the SORN that applies to those records.


The Department has also published 15 additional routine uses applicable to all DOT Privacy Act systems of records. These routine uses are published in the Federal Register at 75 FR 82132, December 29, 2010, and July 20, 2012, 77 FR 42796, under ‘‘Prefatory Statement of General Routine Uses’’ (available at http://www.transportation.gov/privacy/privacyactnotices).

Data Quality and Integrity

In accordance with Section 552a(e)(2) of the Privacy Act of 1974, DOT should ensure that any PII collected and maintained by the organization is accurate, relevant, timely, and complete for the purpose for which it is to be used, as specified in the Department’s public notice(s). TRANServe’s WebApplication has its own internal process for ensuring that the correct types of info are inputted such as only letters included in name fields and not numbers etc.

External users and FAA personnel are responsible for ensuring the accuracy of their information when registering for an account, completing their pre-application information (Form 8400-6), providing safety oversight, applying to become a certified repair station (Form 8310-3), applying for a pilot certificate (Form 8420-8), and completing a hazardous material spillage incident (Form 5800.1) within SAS. Air carrier representatives directly enter their full name, air carrier name, work telephone number and work email address when using the AXH Passenger Module to report a hazardous material, passenger discrepancy event. The air carrier representative doing the reporting enters a shipper’s full name and address.

Data entered directly by members of the public and FAA personnel is assumed to be accurate. All users enter, review, revise and update their own profiles within SAS. Authorized FAA personnel perform a variety of data checks on entered information; e.g. open-text fields are validated for length and banned characters.

Security

DOT shall implement administrative, technical, and physical measures to protect PII collected or maintained by the Department against loss, unauthorized access, or disclosure, as required by the Privacy Act, and to ensure that organizational planning and responses to privacy incidents comply with OMB policies and guidance.


The FAA protects PII by reasonable security safeguards against loss or unauthorized access, destruction, usage, modification, or disclosure are in place to protect PII. These safeguards incorporate standards and practices required for Federal information systems under the Federal Information System Management Act (FISMA), and as detailed in Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, dated March 2006, and NIST Special Publication (SP) 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, dated April 2013.

SAS is a comprehensive, information security program that contains management, operational, and technical safeguards that are appropriate for the protection of PII. These safeguards strive to achieve the following objectives:

    • Ensure the security, integrity, and confidentiality of PII

    • Protect against any reasonable, anticipated threats or hazards to the security and integrity of PII

    • Protect against unauthorized access to or use of PII



Records in SAS are secured in accordance with applicable rules and policies, including all applicable DOT automate system’s security and access policies. Strict controls exist to minimize the risk of compromising the information that is being stored. All SAS records, including uploaded documents and attachments, reside in an encrypted database, and are protected from unauthorized access through appropriate administrative and physical safeguards. Access to the computer system containing the records in SAS is limited to those individuals who have a need to know the information for the performance of their official duties, completed SAS portal training, been approved by a FAA AVS manager, and have received appropriate clearances and permissions.

Use of SAS is subject to the FAA Rules of Behavior, which are included in the Security Awareness Training that each SASO Program Office member and FAA personnel must complete annually. The training allows FAA personnel to understand how privacy influences their role and perform their duties properly and securely in situations involving the use of PII.

External users access SAS with their User ID and password created by them during registration. FAA personnel access SAS via their PIV card through Integrated Windows Authentication. SAS takes appropriate security measures to safeguard PII and other sensitive data, and users must be authenticated prior to using the system.

Additionally, the Office of Aviation Safety (AVS) has developed an incident response plan for SAS, which includes procedures for detection of an incident, remediation, and response where appropriate, to protect and inform affected individuals.

SAS is assessed in accordance with the Office of Management and Budget (OMB) Circular A-130 Appendix I, Responsibilities for Protecting and Managing Federal Information Resources and the DOT Certification and Accreditation Guidance. SAS was issued a three (3) year authority to operate (ATO) on March 30, 2020. SAS is categorized as a moderate risk system in accordance with NIST Federal Information Processing Standards (FIPS) 199.

Accountability and Auditing

DOT shall implement effective governance controls, monitoring controls, risk management, and assessment controls to demonstrate that the Department is complying with all applicable privacy protection requirements and minimizing the privacy risk to individuals.

FAA is responsible for identifying, training, and holding Agency personnel accountable for adhering to FAA privacy and security policies and regulations. FAA follows the Fair Information Principles as best practices for the protection of information associated with SAS. The FAA Rules of Behavior (ROB) for IT systems governs SAS. FAA’s Office of the Chief Information Officer, Office of Information Systems Security, Privacy Division are responsible for governance and administration of FAA Order 1370.121, FAA Information Security and Privacy Program and Policy.


Mandatory annual security and privacy training, as well as FAA ROBs and periodic staff meetings, provides necessary guidance to the handling of PII by FAA employees and contractors within SAS. The FAA ROB for IT systems must be read, understood, and acknowledged by each FAA user prior to a FAA user’s authorization to access FAA information systems, including SAS. The FAA conducts periodic security and privacy compliance reviews consistent with the requirements of OMB Circular A-130, Section 8b(3), Securing Agency Information Systems.


SAS contains audit provisions to ensure proper usage by authorized FAA users and monitoring for unauthorized usage. Authorized SASO supervisors conduct quality control reviews of CH/A certificate applications.

Responsible Official

John Frye

Business Owner, SAS

Information Technology Program Manager (IT PM), SASO Program

Prepared by: [Name of Component Privacy Officer (Title)]

Approval and Signature

Karyn Gorman
Acting Chief Privacy & Information Asset Officer
Office of the Chief Information Officer




Appendix A

Information collected within SAS Forms

Form 8400-6, Pre-Application Statement of Intent

To be completed by all applicants:

  • Full name and mailing address of Company;

  • Address of principal base where operations will be conducted;

  • Proposed start-up date;

  • Requested three-letter company identifier;

  • Company email address;

  • Doing business As (DBA); and

  • Management personnel (Full name, title, telephone number, and email address).

To be completed by Air Operators:

  • Proposed type of operation (check boxes);

  • Aircraft serial number and types;

  • Aircraft make, model, and series;

  • Number of passenger seats or cargo payload capacity;

  • Geographic area of intended operations;

  • Open-text comments box to enter additional information to provide FAA a better understanding of proposed operation or business; and

  • Full name and title of authorized point of contact for company

  • Signature and date

To be completed by Air Agencies:

  • Proposed type of agency and ratings (check boxes)

To be completed by FAA District Office (FSDO):

  • Precertification number and District office;

  • Remarks (open-text box for comment to be submitted by FSDO personnel)

Form 8420-8, Application for Pilot School Certification

To be completed by Pilot schools:

  • Full name of school;

  • Telephone number of school;

  • Address of principal business office;

  • Location of main operations base;

  • Location of satellite base(s);

  • Reason for application submission – issuance, renewal or amending to pilot school certificate;

  • Identification of training courses;

  • Signature and job title of authorized POC.

To be completed by FAA personnel:

  • Approved or disapproved (check box) for pilot school certificate

  • Open-text box for comments/recommendations of FAA inspector

  • Signature of approving inspector and job title

Form 8310-3, Application for Repair Station Certificate and/or Rating

To be completed by the Repair Station:

  • Full name of repair station and number;

  • Reason for submission – check box (original application, changes in name, ratings, or location, or other);

  • Location where business is conducted;

  • Official mailing address;

  • Doing business as;

  • Rating applied for (check boxes);

  • List of maintenance functions contracted to outside agencies (open-text box for comments);

  • Full name of owner(s); and

  • Date, full name of authorized POC, job title, and signature.

To be completed by FAA personnel:

  • Remarks by FAA personnel (open-text box);

  • Findings (check boxes);

  • Office;

  • Full name(s) and signature(s) of FAA inspectors;

  • Action taken (approved or disapproved; check boxes);

  • Certificate number; and

  • Full name, signature, and title of supervision or assigned inspector.



Appendix B

SAS Standard Reports

SAS reports allows users to generate reports matching the selected criteria. The table below provides a brief description of each standard report. Reports are protected by role-based access.



Configuration (Module 1)

Contractor/Maintenance Provider List

The Contractor/Maintenance Provider List report displays the Maintenance Providers (including Essential Maintenance Providers) and Training contractors as entered by 14 CFR part 121 and 121/135 certificate holders as part of Configuration Data under the Contractors tab. The report contains the following PII: Business Name; Business Address; Region, and FAA Regional Office.

Maintenance Provider History Report

The Maintenance Provider History report displays the maintenance providers (including essential maintenance providers) as entered by CFR Part 121, 135 and 145 certificate holders as part of Configuration Data under the Contractors tab. The report provides users with the ability to view the contractor data by selecting a date range and see what contractors were available on a historical basis. The report contains the following PII: Business Name, Business Address, Region, and Regional Office.

Operating Profile Report


The Operating Profile report allows users to view the Operating Profile of a selected certificate holder or to search on the set of certificate holders that have the same functions. The report contains the following PII: Region, FAA Regional Office; Business Name.

Pre-application Report


This report lists the status of the PASI form and pre-application information that has been submitted to FAA (e.g. date submitted, accepted). The report contains the following PII: FAA Regional Office; Business Name, and full name of CH/A.

National Dashboard Report

This report graphs the trends in status for applicants over the last nine quarters for an office. The user can view either the total number of applicants per quarter or the change in number of applicants from the previous quarter. The report does not contain PII.

CH/A Report

This report lists applicant and CH/A details grouped by Status and Office. The report is grouped by status and then sorted by: Office, CFR Part and Company Name. The report contains the following PII: Full name of CH/A, Business Name, and FAA Regional Office.

Waitlist Report

This report lists waitlisted applicants grouped by office. Two views are available: (1) a list view and (2) a graphical view, which shows a map with proportionally sized dots indicating the number of waitlisted applicants at an office location. Days on the Waitlist is calculated for each applicant by counting calendar days between the date the applicant was placed on the Waitlist and the date the report is run. The report contains the following PII: Full name of CH/A, Business name, and FAA Regional Office.

Applicant Contact Overdue Status Report

This report shows applicants who are due letters from the FAA according to their status and can be run in one of the three following ways:

  (1) 30 Day View: Show applicants whose Accept for Resource Analysis date is more than 30 calendar days ago;

  (2) 60 Day View: Shows waitlisted applicants whose Date Last Official Notification is more than 60 calendar days ago; and

  (3) 10 Day View: Shows transferred applicants whose Date Last Official Notification is more than 10 calendar days ago. The report contains the following PII: Full name of CH/As, Business Name, and FAA Regional Office.

Active Questions by Configuration Attribute Report

The Active Questions by Configuration Attribute report displays active questions based on configuration attribute values contained within question scoping rules. The report may be generated for AFS or AXH questions. The report contains the following PII: Full name of CH/As, Business name, and FAA Regional Office.

Active Certificate Holders by Configuration Attribute Report

The Active Certificate Holders by Configuration Attribute report displays active certificate holders by configuration attribute based on the certificate holders configuration data. The report contains the following PII: Full name of CH/As, Business name, and FAA Regional Office.

Planning [Module 2]


CHAT Report


This report displays details of the Certificate Holder Assessment Tool (CHAT) records. The report can be used by inspectors to see the list of CHAT updates and the related Risk Indicators that have been selected by a Principal Inspector for a CH or set of CHs. The report contains the following PII: FAA Regional Office; Business Name, Principal Investigator’s comments.

Planning for Coordinated Visits Report

The Planning for Coordinated Visits report lists all certificate holders for a selected CH/A, usually a repair station, that need to be contacted for a planning meeting. Any assessments added for visits to the repair station by the certificate holders are listed. Other certificate holders who have not added any assessments for visits to the repair station are also listed. The report contains the following PII: Full name of CH/As, Business name, and FAA Regional Office.

Counts of Coordinated Visits versus non-Coordinated Visits DCTs Report

The Counts of Coordinated Visits vs non-Coordinated Visit DCTs report displays graphically the number of DCTs including EMP and non-EMP that are part of coordinated visits and those that are not, at different levels of the AFS organization. The report contains the following PII: Full name of CH/A, DCT ID, and Business name.

Counts of Outsourced Non-Environmental Management Plan (EMP) DCTs Report

The Outsourced non-EMP DCTs dashboard shows the counts of DCTs that are performed by certificates of CFR Parts (121,121/135 & 135) with non-EMP Maintenance Provider as the Related Affiliated Designator that are outsourced to a resource outside of the office of the certificate holder. It displays the National and Office level counts by CFR Part 121, 121/135 & 135. The report contains the following PII: Full name of CH/A, DCT IDs, and Business name.

Resource Management (Module 3)

Resource Shortfall Report


The Resource Shortfall report displays the DCTs that have been assigned with “Resource Not Available” (RNA) status. The report contains the following PII: FAA Regional Office, Business Name, and Full name.

Leveraging Resource Report

The Leveraging Resource Report allows users to determine the physical location of users with specific technical disciplines or specialties. The report displays the physical location of SAS users, as recorded in the SAS User Profile, superimposed on a map of the U.S. The size of the circle on the map corresponds to the number of users at that location. The map is interactive, allowing you to filter the results by clicking on a specific circle or by dragging a rectangle on the map to select multiple locations. The report contains the following PII: Full name of CH/As, FAA Regional office, and Business name.

Office/Divisional/National (ODN) Work Summary Report

The ODN Work Summary Report provides summary counts and detailed views of all AFS ad-hoc and planned (CAP, OWL) work items in an office, division, and nationally. The report presents data across various dimensions including Work Item Type, Work Item Status, Specialty, Origin, Safety-related Concern (SRC), CFR Part, CH/A, Technical Discipline, AFS Business Function, Resource, and Resource Status. This report will be helpful for management to identify unassigned work items and gauge individual resource availability based on current resource assignments. The report contains the following PII: Full name of CH/As, Business name, and FAA Regional office.



Data Collection (Module 4)

Count of DCTs by Status Report


This report provides a graphical representation, in the form of a bar graph, of the total counts of DCTs by status. The reports displays the DCT Status on the horizontal axis and the total counts by Specialty on the vertical axis. This report contains no PII.

DCT Findings Report


The DCT Findings report is organized by DCT Title and DCT ID to display all the question responses by response type (e,g. negative, positive, N/A, and Not Observable – N/O). The report contains the following PII: FAA Regional Office, Business Name, Full name, and DCT ID.

DCT Status Report

This report is designed to help an office track the status of DCTs for a specified quarter. The report assists in tracking DCTs through all the phases of the SAS lifecycle. The report contains the following PII: Business name, Full name, and DCT ID.

8430-13 Report

The 8430-13 report provides office managers using SAS with a list of the 8430-13 numbers used by resources in their office. An 8430-13 is a number on a physical paper form that is part of a booklet. Inspectors fill the forms out when performing inspections as part of their job function. The report contains the following PII: FAA Regional office, Business name, Full name, and DCT ID.

En Route/Random Instructions Report

This report is designed to help an inspector find the special instructions provided at the National and PI level before they create an Ad hoc En Route or Random Inspection. The report always displays the latest National and PI level En Route and Random Instructions for both the specialties for a CH/A and assist the inspector in planning an En Route or Random inspection. The report contains the following PII: ASI’s full name and telephone number.

Released DCT Comparison Report

The Released DCT Comparison Report displays changes between the current and previous major versions of standard and custom DCTs by release date. The reports does not contain PII.

Data Review Report

This report provides management, data reviewers and data evaluation program managers to view returned DCTs with the full name of the ASI, the DCT reviewer’s full name, the changes to a question(s), Common Data Fields Changes, Review Comments per question, and any Returned message(s).

DCT Flight Standards Information System (FSIMS)Transmission Report

The DCT FSIMS Transmission Report provides information about the transmission of standard DCTs, released from Authoring, to the FSIMS FTP folder. Data includes organization full name, batch ID, date/time queued, batch state, zip file name, peer group, specialty, DA/PA, Master List of Functions (MLF) label/title, version, and DCT status. The report is intended to improve communication between SAS and FSIMS, particularly in case of batch or DCT transmission failures.

Activity Findings Report

The Activity Findings Report displays the responses for each completed activity recorded in SAS. The Activity Findings report is organized by Activity Code/Title and Activity ID to display the activity findings reported as part of the inspections. Common uses for this report include seeking trends in unfavorable results and/or unfavorable opinion codes for one or more CFR Parts and/or CH/As including the activity question responses by response type (e.g., negative, positive, N/A, and N/O). Inspectors can run the report to search on trends by response type for an Activity. Other interesting trends include looking at questions that are often answered N/O or N/A. Such results could indicate that the content of the question isn't meeting the need in the field for a particular set of Activities. The report contains the following PII: ASI’s full name and telephone number.

Investigation Tracking Report

The Investigation Tracking Report is used to track the status and activities associated with an investigation task created on the Office Workload List. The report contains the following PII: ASI’s full name.

On-the-Job Training (OJT) Activity Report

The OJT Activity Report provides managers, the OJT Program Manager (PM), and inspectors a means to view X023 and X024 OJT records. The report is filterable by office, resource, status, date range, and JTA number. This report is useful to view OJT records for an office as well as records assigned to specific inspectors and the status of those records. This report is filterable to a single inspector/trainee and is useful in determining status of their entered training assignments. The report contains the following PII: ASI’s full name and office location.

Analysis, Assessment and Action (AAA) (Module 5)

Action Item Tracking Tool (AITT) Report

The AITT report provides actions listed by CH/A, Office, and Source as submitted and updated by users. The report contains the following PII: Full name.

Assessment Determination and Actions Report


The Assessment Determination and Actions report lists all of the assessment determinations and related actions for CH/As based on his criteria entered by the user. The report displays details about the determination including the justification text and details about which actions (if any) were selected. This report contains the following PII: FAA Regional office.


Assessment Findings Report


The Assessment Findings Report provides the question response data type (e.g. positive, negative, N/A, and N/OO by DCT within assessments. The report contains the following PII: Full name.

AAA Trending Dashboard Report

The AAA Trending Dashboard report provides the counts and trends of AAA Assessment Determination results by Office, CFR, CH/A, Specialty and MLF.

The report will contain the following two sections:

  1. Count of Assessment Determinations by MLF in a Bar chart format allowing the user to drill down to the Assessment Determination and Actions Report to see what actions were taken (if any); and

  2. Assessment Determinations by Quarter in a tabular format allowing the user to drill down to the Action Item Tracking Tool (AITT) Report to see all the actions taken on the assessment to address findings (if any).

The report does not contain any PII.

AAA mmary Dashboard eport

The AAA Summary Dashboard report provides a summary of AAA actions by Action type and Assessment Determination and also provides the number of DCTs with Negative findings without an assessment in a given timeframe.

The report will contain the following three sections:

  1. AAA Actions by Action Type and Assessment Determination in a Bar Chart format allowing the user to drill down to the Assessment Determination and Actions Report;

  2. Assessements with AAA Actions by Office in a Map view with the counts of actions by office allowing the user to drill down to the Action Item Tracking Tool (AITT) Report; and

  3. DCTs with Negative findings without an assessment in the given timeframe allowing the user to drill down to the DCT Status Report.

The report does not contain any PII.


























2 CH/As include airmen, air carriers, commuter airlines, repair stations and other relevant business entities, which are considered members of the public.

3Office of Management and Budget’s (OMB) definition of the PIA taken from guidance on implementing the privacy provisions of the E-Government Act of 2002 (see OMB memo of M-03-22 dated September 26, 2003).

4 The Designator Code is the first four characters in a user’s operator certificate number issued by the FAA.

5 Certification Project Team consists of a Certification Project Manager (CPM) and Aviation Safety Inspectors (ASIs) and other employees as needed.

6 The CAP is a quarterly plan developed by inspectors and their managers to plan and schedule oversight activities.

7 A discrepancy involves hazardous materials that are improperly described, certified, labeled, marked or packaged.

8 There is no set form provided by AXH to CHs to report incidents.

9 The quantity and hazard class of the item determines risk. Explosives are high risk, while aerosols are low risk, not investigated and entered into the Passenger Module.

10 AXH sets the period for the SAS automation to expunge PII. The time is kept short to allow for the reprinting of the letter is the first one fails to be received.

11 49 CFR 171.15,16

12 EIS (CSAM ID: 1374) has an adjudicated PIA dated August 29, 2012. A new PTA is in development.

14 http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf

15 w

22


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorShams-Ramsey, Maria CTR (OST)
File Modified0000-00-00
File Created2022-05-07

© 2024 OMB.report | Privacy Policy