Privacy Threshold Assessment

/

<9 oc/o

Office of the DOT
Chief Information Officer

Privacy Threshold Assessment
(PTA)
DOT/Maritime Administration
Office of Deepwater Ports and Offshore Activities
IC 2133-0524, Application for Conveyance of Port
Facility Property

BRIAN
FRANKLIN
BULLOCK

Digitally signed by
BRIAN FRANKLIN
BULLOCK
Date: 2019.05.20
14:37:08 -04'00'

«Component/System Name>>

DOT Privacy Program
Privacy Threshold Assessment (PTA)

adjudication. Only PTAs watermarked "adjudicated’' and electronically signed by the DOT
CPO are considered final. Do NOT send the PTA directly to the DOT PO; PTAs received by
the DOT CPO directly from program/business owners will not be reviewed.
If you have questions or require assistance to complete the PTA please contact your
Component Privacy Officer or the DOT Privacy Office at [email protected]. Explanatory
guidance for completing the PTA can be found in the PTA Development Guide found on the
DOT Privacy Program website, www.dot.gov/privacy.

May 15,2015

PTA Template v 2.0

2

«Component/System Name»

DOT Privacy Program
Privacy Threshold Assessment (PTA)

Rulemaking Identification Number (RIN): «Provide RIN assigned by OMB's
electronic docketing system»
Rulemaking Stage:
□ Notice of Proposed Rulemaking (NPRM)
□ Supplemental NPRM (SNPRM):
□ Final Rule:
Federal Register (FR) Notice: «ProvidefuII Rulemaking Name, Federal
Register citation, and web address ifavailable.»
13 Information Collection Request (ICR)3
□ New Collection
3 Approved Collection or Collection Renewal
3 OMB Control Number: 2133-0524
[3 Control Number Expiration Date: June 30, 2018
□ Other: «Describe the type ofproject»
1.2

System OVERVIEW: The Port Conveyance Program collects information from
applicants and landholding recipients as the result of a submitted application for
property or through post-conveyance follow-up questions. The only entities that
are eligible to receive property through the Port Conveyance Program are states,
territorites and possessions of the United States, the District of Columbia and their
jurisdictions, therefore information is ONLY collected regarding these entities.
GENERALLY, PH IS NOT COLLECTED FROM PROPERTY APPLICANTS OR
RECIPIENTS. Most of the information that is secured is publicly available (by
local statute or by regulation) and is often available on the applicant's website
or other publicly available documents. Further, MARAD does not have an
electronic repository for storing information above and beyond the DOT
network, which is encrypted and requires access through a PIV card issued by
DOT. The primary method to request information and store the responses consists
of sending information by email and receiving responses by e-mail; however,
respondents have the option to submit responses by postal mail. Replies that are
sent by paper mail to MARAD are scanned in an electronic format and stored on the

3See 44 USC 3201-3521; 5 CFR Part 1320

May 15, 2015

PTA Template v 2.0

4

«Component/System Name»

DOT Privacy Program
Privacy Threshold Assessment (PTA)

II!

Hf

If the answer to 2.1 is "System Does Not Collect PH” and the answer to 2.3 is "No",
you may proceed to question 2.10.
If the system collects PII or relate to individual in any way, proceed to question 2.4.

iti
ill

Hi

;;
“

HI

%
2.4

Does the system use or collect SOCIAL SECURITY NUMBERS (SSNs)? (This includes
truncated SSNs)
□ Yes:
Authority: « Provide explicit legal authority for collection or use ofSSN in the
system,»
Purpose: « Describe how the SSN is used and why it is necessary as opposed to
lower-risk identifiers.»
IS No: The system does not use or collect SSNs, including truncated SSNs. Proceed
to 2.6.

2.5

Has an SSN REDUCTION plan been established for the system?
□ Yes: « Provide the details of the reduction plan including date conducted,
alternatives evaluated, determination reached and any steps taken to reduce the SSN
collection and use.»
□ No: « A system without an SSN reduction plan is in violation of the Privacy Act.
Explain why a reduction plan has yet to be completed and provide an anticipated
completion date.»

2.6

Does the system collect PSEUDO-SSNs?
□ Yes: « Describe how the pseudo-SSNs are used to accomplish the authorized
purpose and why they are necessary as opposed to lower-risk identifiers.»
S No: The system does not collect pseudo-SSNs, including truncated SSNs.

2.7

Will information about individuals be retrieved or accessed by a UNIQUE
IDENTIFIER associated with or assigned to an individual?
□ Yes
Is there an existing Privacy Act System of Records notice (SORN) for the
records retrieved or accessed by a unique identifier?
□ Yes:
SORN;

May 15,2015

PTA Template v 2.0

6

«Component/System Name>>

DOT Privacy Program
Privacy Threshold Assessment (PTA)

The records are kept indefinitely to coincide with the timeline of property transfers,
which are also in perpetuity, https://www.archives.gov/records-mgmt/rcs /schedules
/departments/department-of-transportation/rg-0357/ncl-357-81-02_sfll5.pdf »
Schedule Summary: « Provide a synopsis of the relevant portion(s) of the
schedule.»
□ In Progress: «Include proposed schedule, when it will be submitted to NARA, or
job code.»
□ No:

3

SYSTEM LIFECYCLE

The systems development life cycle (SDLC) is a process for planning, creating,
testing, and deploying an information system. Privacy risk can change depending on
where a system is in its lifecycle.
3.1

□

3.2

Was this system IN PLACE in an ELECTRONIC FORMAT prior to 2002?
The E-Government Act of 2002 (EGov) establishes criteria for the types of systems
that require additional privacy considerations. It applies to systems established in
2002 or later, or existing systems that were modified after 2002.
Yes: «Provide date was the system established as an electronic system.>>
^Not Applicable: System is not currently an electronic system. Proceed to Section
4.
Has the system been MODIFIED in any way since 2002?
□ Yes: The system has been modified since 2002.
□ Maintenance.
□ Security.
□ Changes Creating Privacy Risk: « Describe any modification that may
introduce new privacy risk, including but not limited to: paper to electronic
conversions, changing anonymous information into information in identifiable
form, significant system management changes (including application of new
technologies), significant system or data merging, use of new authentication
technologies in support of public access, commercial data sources, new
interagency uses, changes in internal flow or data collection, or alternation of
data characterization.»
□ Other: « Describe »
□ No: The system has not been modified in any way since 2002.

3.3

Is the system a CONTRACTOR-owned or -managed system?
□ Yes: The system is owned or managed under contract.
Contract Number: «Contract#»

May 15,2015

PTA Template v 2.0

8

DOT Privacy Program

«Component/System Name>>
Privacy Threshold Assessment (PTA)

Name: «Provide the full name of the Component Privacy Officer and any preferred
shortening. Shelly Nuessle »
Email: «Provide the Component Privacy Officer's official DOT email address and
dedicated Component Privacy email account. [email protected]»
Phone Number: «Provide the Component Privacy Officer's direct phone number.
202-366-1104»
COMPONENT PRIVACY OFFICER Analysis
identifies any discrepancies in cited compliance UClmlies, proposesresotutiohs, and addresses
■idler.

fthh&utlL

VK&JbkhU

&y&te'rn
<

PIPy irh ny'-.Pp

DVU-

5

Cum*,

COMPONENT REVIEW

Prior to submitting the PTA for adjudication, it is critical that the oversight offices within
the Component have reviewed the PTA for completeness, comprehension and accuracy.
Component Reviewer
Business Owner
General Counsel
Information System
Security Manager [ISSM]
Privacy Officer
Records Officer

Name

Review Date

[BUslnesgDwnejHRey^wer]/ /
^General Counsel ffeviewer]
[ISSM Reviewer]

[Business Owner Review Date]
[General Counsel Review Date]
[ISSM Review Date]

[Rr/vacwOfficer Reviewq-1

<

(Lv-A cUo- VXcu..0lA VnvCuy.

May 15, 2015

hlliUJxIL, .X.

PTA Template v 2.0

AX'l-iX.OlA

10

TO BE COMPLETED BY THE DOT PRIVACY OFFICE
Adjudication Review COMPLETED: 5/20/2019
DOT Privacy Office REVIEWER: Brian F. Bullock
DESIGNATION
I I This is NOT a Privacy Sensitive System - the system contains no Personally
Identifiable Information.
^ This IS a Privacy Sensitive System
IXI
I I
I I
I I
I I
I I

IT System.
National Security System.
Legacy System.
HR System.
Rule.
Other:

DETERMINA TION
IXI PTA is sufficient at this time.
I I Privacy compliance documentation determination in progress.
PIA
IXI PIA is not required at this time:
I I PIA is required.
I I
I I

System covered by existing PIA: «Identify PIA»
New PIA is required. «Rationale»

I I

PIA update is required. «Rationale»

SORN
IXI SORN not required at this time.
I I SORN is required.
I I

System covered by existing SORN:

I I

New SORN is required. «Rationale»

H

SORN update is required. «Rationale»

DOT PRIVACY OFFICE COMMENTS
The DOT Chief Privacy Officer (DOT CPO) has determined that the Port Conveyance Program
collects personally identifiable information (PII) on individuals and constitutes a privacy
sensitive system. However, based on the discussions held with MARAD the week of the May 13,
2019, information maintained by the system is necessary business contact information of state
and local government employees who are official points of contact, and the information is
incidental to the purpose of the system (to convey real property to governmental entities). The
DOT CPO has determined that a Privacy Impact Assessment (PIA) is not required.
Although business contact information for individuals working in their official governmental
capacity is present in the system, the information maintained the system pertains to entities that
are eligible to receive property through the program (states, territories and possessions of the
United States). It does not pertain to the individuals, themselves, and based on discussions with
MARAD the week of May 13, 2019, this information is retrieved only by the name of the
eligible entity. Therefore, a Privacy Act system of records notice (SORN) is not required.
POA&Ms
•

AR-2 (b) - Privacy Impact and Risk Assessment
Issue: The PTA that was submitted is not complete (Pages 3,5,7, and 9 are missing) the
DOT CPO is unable to fully assess the privacy risks and requisite mitigations that are
applied to the system, based on the information provided herein. Requirement: MARAD
must submit a new PTA that includes all missing pages to the DOT CPO. Timeline: 30
days from the adjudication of this PTA.

The adjudicated PTA should be uploaded into CSAM as evidence that the required privacy
analysis for this system has been completed and CSAM entries modified as appropriate to reflect
the disposition.
The PTA should be updated not later than the next security assessment cycle and must be
approved by the DOT CPO prior to the authorization decision. Component policy or substantive
changes to the system may require that the PTA be updated prior to the next security assessment
cycle.