Drug and Alcohol Testing Program for Personnel Engaged in Specified Aviation Activities

NPRM PTA

OMB: 2120-0535
U.S. Department of Transportation

Office of the Chief Information Officer (OCIO)
Privacy Threshold Assessment (PTA)
Federal Aviation Administration
Drug and Alcohol Testing Program for Personnel Engaged in Specified Aviation Activities Notice of Proposed Rulemaking (NPRM)

Digitally signed by KARYN MARIE GORMAN, Date: 2024.02.27 13:54:23 -05'00'

Privacy Threshold Assessment (PTA)
The Privacy Threshold Assessment (PTA) is an analytical tool used to determine the scope
of privacy risk management activities that must be executed to ensure that the
Department’s initiatives do not create undue privacy risks for individuals.
The Privacy Threshold Assessment (PTA) is a privacy risk management tool used by
the Department of Transportation (DOT) Chief Privacy Officer (CPO). The PTA
determines whether a Department system[1] creates privacy risk for individuals that
must be further analyzed, documented, or mitigated, and determines the need for
additional privacy compliance documentation. Additional documentation can include
Privacy Impact Assessments (PIAs), System of Records notices (SORNs), and Privacy
Act Exemption Rules (Exemption Rules).

The majority of the Department’s privacy risk emanates from its direct collection, use,
storage, and sharing of Personally Identifiable Information (PII),[2] and the IT systems
used to support those processes. However, privacy risk can also be created in the
Department’s use of paper records or other technologies. The Department may also
create privacy risk for individuals through its rulemakings and information collection
requirements that require other entities to collect, use, store or share PII, or deploy
technologies that create privacy risk for members of the public.

To ensure that the Department appropriately identifies those activities that may create
privacy risk, a PTA is required for all IT systems, technologies, proposed rulemakings,
and information collections at the Department. Additionally, the PTA is used to alert
other information management stakeholders of potential risks, including information
security, records management and information collection management programs. It is
also used by the Department’s Chief Information Officer (CIO) and Associate CIO for IT
Policy and Governance (Associate CIO) to support efforts to ensure compliance with
other information asset requirements including, but not limited to, the Federal Records
Act (FRA), the Paperwork Reduction Act (PRA), the Federal Information Security
Management Act (FISMA), the Federal Information Technology Acquisition Reform Act
(FITARA) and applicable Office of Management and Budget (OMB) guidance.
Each Component establishes and follows its own processes for developing, reviewing,
and verifying the PTA prior to its submission to the DOT CPO. At a minimum the PTA
must be reviewed by the Component business owner, information system security
manager, general counsel, records officers, and privacy officer. After the Component
review is completed, the Component Privacy Office will forward the PTA to the DOT
Privacy Office for final adjudication. Only PTAs watermarked "adjudicated" and
electronically signed by the DOT CPO are considered final. Do NOT send the PTA
directly to the DOT PO; PTAs received by the DOT CPO directly from program/business
owners will not be reviewed.
If you have questions or require assistance to complete the PTA please contact your
Component Privacy Officer or the DOT Privacy Office at [email protected]. Explanatory
guidance for completing the PTA can be found in the PTA Development Guide found on
the DOT Privacy Program website, www.dot.gov/privacy.

[1] For the purposes of the PTA the term "system" is used throughout the document but is not limited to traditional IT systems. It can and does refer to business activity and processes, IT systems, information collection, a project, program and/or technology, and proposed rulemaking as appropriate for the context of the assessment.
[2] The term "personally identifiable information" refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.


PROGRAM MANAGEMENT
SYSTEM name: Drug and Alcohol Testing of Certificated Repair Station Employees Located Outside of the United States Notice of Proposed Rulemaking (NPRM)

Cyber Security Assessment and Management (CSAM) ID: N/A
SYSTEM MANAGER CONTACT Information:
Name: Nancy Rodriguez Brown
Email: [email protected]
Phone Number: 202-267-8442

Is this a NEW system?
☒ Yes (Proceed to Section 1)
☐ No
☐ Renewal
☐ Modification
Is there a PREVIOUSLY ADJUDICATED PTA for this system?
☐ Yes: Date:
☐ No

1 SUMMARY INFORMATION

1.1 System TYPE
☐ Information Technology and/or Information System
  Unique Investment Identifier (UII):
  Cyber Security Assessment and Management (CSAM) ID:
☐ Paper Based:
☒ Rulemaking
  Rulemaking Identification Number (RIN):
  Rulemaking Stage:
  ☒ Notice of Proposed Rulemaking (NPRM) 2120-AK09
  ☐ Supplemental NPRM (SNPRM):
  ☐ Final Rule:
  Federal Register (FR) Notice: https://www.regulations.gov/document/FAA-2012-1058-0092


☐ Information Collection Request (ICR)[3]
  ☐ New Collection
  ☐ Approved Collection or Collection Renewal
  ☐ OMB Control Number:
  ☐ Control Number Expiration Date:
☐ Other:

1.2 System OVERVIEW: The Federal Aviation Administration is developing a Privacy Threshold Assessment for the Drug and Alcohol Testing of Certificated Repair Station Employees Located Outside of the United States Notice of Proposed Rulemaking (NPRM). The FAA Modernization and Reform Act of 2012 mandates the FAA to include certain aviation entities located outside the territory of the United States in its requirement to conduct drug and alcohol testing. Additionally, the NPRM is promulgated under section 2112 of the FAA Extension, Safety, and Security Act of 2016, which directed the publication of a notice of proposed rulemaking under 49 U.S.C. 44733. As a result, in December 2023 the FAA published the NPRM, Drug and Alcohol Testing of Certificated Repair Station Employees Located Outside of the United States, which would require a part 145 repair station located outside the territory of the U.S. to implement a drug and alcohol testing program meeting the requirements of 49 CFR part 40 and 14 CFR part 120, which must cover its employees who perform maintenance functions on part 121 air carrier aircraft. If adopted, this rule would require foreign repair stations to obtain a Drug and Alcohol Testing Program Operations Specification (A449) in the FAA's Operations Specifications database.

Additionally, these repair stations would be required to report annual drug and alcohol testing program statistics through the Department of Transportation Drug and Alcohol Management Information System (DAMIS)[4]. Foreign repair stations would submit their annual reports electronically via DAMIS or submit a paper copy via email or fax or the United States Postal Service. A senior program analyst enters the data directly into DAMIS. The annual reports collect the company's name, doing business as name if applicable, address, email address, telephone number, name of certifying official, and signature. If the report was prepared by someone other than the certifying official, the reports collect their name and phone number. If a Consortium/Third Party Administrator (C/TPA) performs administrative services for an employer's drug and alcohol program operation, the report collects their name and phone number. See the Department of Transportation, Drug and Alcohol Testing Data Collection Form for a complete list of data that is collected.

[3] See 44 USC 3501-3521; 5 CFR Part 1320
[4] DAMIS is owned by DOT. The FAA is not creating any new systems with this rule. The required information will be added to existing DOT and FAA systems.

This rule would also require foreign repair stations to report to the FAA's Federal Air Surgeon all drug or alcohol test violations (e.g., verified positive drug test results or prohibited alcohol-related conduct) for any safety-sensitive employee or applicant who holds a medical certificate issued under 14 CFR part 67, and all violations of refusing to submit to a drug or alcohol test by any safety-sensitive employee or applicant who holds a certificate issued under 14 CFR parts 61, 63, or 65. These reports collect personally identifiable information about individuals who have tested positive on or refused a DOT drug or alcohol test, which may include the employee's name, position, employee number[5], and date of birth. This is currently an existing requirement for domestic employers subject to testing under 14 CFR part 120 and would extend to foreign repair stations if the NPRM is finalized as proposed. As with the current requirement for domestic employees, all information will be entered into the Compliance and Enforcement Tracking System (CETS)[6].

2 INFORMATION MANAGEMENT

2.1 SUBJECTS of Collection
Identify the subject population(s) for whom the system collects, maintains, or disseminates PII. (Check all that apply)

☒ Members of the public: Note: The information collected is about aviation entities outside of the United States and not individuals.
☐ Citizens or Legal Permanent Residents (LPR)
☐ Visitors
☐ Members of the DOT Federal workforce
☐ Members of the DOT Contract workforce
☐ System Does Not Collect PII. If the system does not collect PII, proceed directly to question 2.3.

[5] CETS does not collect the SSN but asks for the employee ID number. Some companies may use the employee's SSN as their employee ID number. Individuals at foreign repair stations are most likely not U.S. citizens and would not have SSNs.
[6] There is an adjudicated PTA for CETS dated 03/02/2023; CSAM ID 1381.


2.2 What INFORMATION ABOUT INDIVIDUALS will be collected, used, retained, or generated?
For reports of specific employee violations to the FAA, reports collect personally identifiable information about individuals who have tested positive on or refused a DOT drug or alcohol test, which may include the employee's name, position, employee number, and date of birth.

2.3 Does the system RELATE to or provide information about individuals?
☒ Yes:
☐ No

If the answer to 2.1 is "System Does Not Collect PII" and the answer to 2.3 is "No", you may proceed to question 2.10.
If the system collects PII or relates to individuals in any way, proceed to question 2.4.

2.4 Does the system use or collect SOCIAL SECURITY NUMBERS (SSNs)? (This includes truncated SSNs)
☐ Yes:
  Authority:
  Purpose:
☒ No: The system does not use or collect SSNs, including truncated SSNs. Proceed to 2.6.

2.5 Has an SSN REDUCTION plan been established for the system?
☐ Yes:
☐ No:

2.6 Does the system collect PSEUDO-SSNs?
☐ Yes:
☐ No: The system does not collect pseudo-SSNs, including truncated SSNs.


2.7 Will information about individuals be retrieved or accessed by a UNIQUE IDENTIFIER associated with or assigned to an individual?
☐ Yes
  Is there an existing Privacy Act System of Records notice (SORN) for the records retrieved or accessed by a unique identifier?
  ☐ Yes:
    SORN:
  ☒ No:
    Explanation:
    Expected Publication:
☐ Not Applicable: Proceed to question 2.9

2.8 Has a Privacy Act EXEMPTION RULE been published in support of any Exemptions claimed in the SORN?
☐ Yes
  Exemption Rule:
☐ No
  Explanation:
  Expected Publication:
☒ Not Applicable: SORN does not claim Privacy Act exemptions.

2.9 Has a PRIVACY IMPACT ASSESSMENT (PIA) been published for this system?
☐ Yes:
☒ No: This is the initial PTA for the NPRM.
☐ Not Applicable: The most recently adjudicated PTA indicated no PIA was required for this system.

2.10 Does the system EXCHANGE (receive and/or send) DATA from another INTERNAL (DOT) or EXTERNAL (non-DOT) system or business activity?
☐ Yes:
☒ No

2.11 Does the system have a National Archives and Records Administration (NARA)-approved RECORDS DISPOSITION schedule for system records?
☒ Yes:
  Schedule Identifier:
  Schedule Summary:
☒ In Progress: NCl-237-83-1, Item 12, 2100 RULES AND REGULATIONS RECORDS is in the process of being updated.
☐ No: Click here to enter text.

3 SYSTEM LIFECYCLE

The systems development life cycle (SDLC) is a process for planning, creating, testing, and deploying an information system. Privacy risk can change depending on where a system is in its lifecycle.

3.1 Was this system IN PLACE in an ELECTRONIC FORMAT prior to 2002?
The E-Government Act of 2002 (EGov) establishes criteria for the types of systems that require additional privacy considerations. It applies to systems established in 2002 or later, or existing systems that were modified after 2002.
☐ Yes:
☐ No
☒ Not Applicable: The system is not currently an electronic system. Proceed to Section 4.

3.2 Has the system been MODIFIED in any way since 2002?
☐ Yes: The system has been modified since 2002.
  ☐ Maintenance.
  ☐ Security.
  ☐ Changes Creating Privacy Risk:
  ☐ Other:
☐ No: The system has not been modified in any way since 2002.

3.3 Is the system a CONTRACTOR-owned or -managed system?
☐ Yes: The system is owned or managed under contract.
  Contract Number:
  Contractor:
☐ No: The system is owned and managed by Federal employees.

3.4 Has a system Security Risk CATEGORIZATION been completed?
The DOT Privacy Risk Management policy requires that all PII be protected using controls consistent with Federal Information Processing Standard Publication 199 (FIPS 199) moderate confidentiality standards. The OA Privacy Officer should be engaged in the risk determination process and take data types into account.
☐ Yes: A risk categorization has been completed.
  Based on the risk level definitions and classifications provided above, indicate the information categorization determinations for each of the following:
  Confidentiality: ☐ Low ☐ Moderate ☐ High ☐ Undefined
  Integrity:       ☐ Low ☐ Moderate ☐ High ☐ Undefined
  Availability:    ☐ Low ☐ Moderate ☐ High ☐ Undefined
  Based on the risk level definitions and classifications provided above, indicate the information system categorization determinations for each of the following:
  Confidentiality: ☐ Low ☐ Moderate ☐ High ☐ Undefined
  Integrity:       ☐ Low ☐ Moderate ☐ High ☐ Undefined
  Availability:    ☐ Low ☐ Moderate ☐ High ☐ Undefined
☐ No: A risk categorization has not been completed. Provide date of anticipated completion. Click here to enter text.

3.5 Has the system been issued an AUTHORITY TO OPERATE?
☐ Yes:
  Date of Initial Authority to Operate (ATO):
  Anticipated Date of Updated ATO:
☐ No:
☐ Not Applicable: System is not covered by the Federal Information Security Act (FISMA).

4 COMPONENT PRIVACY OFFICER ANALYSIS

The Component Privacy Officer (PO) is responsible for ensuring that the PTA is as complete and accurate as possible before submitting to the DOT Privacy Office for review and adjudication.
COMPONENT PRIVACY OFFICER CONTACT Information
Name: Essie L. Bell
Email: [email protected]
Phone Number: 202-267-6034

COMPONENT PRIVACY OFFICER Analysis
Click here to enter text.

5 COMPONENT REVIEW
Prior to submitting the PTA for adjudication, it is critical that the oversight offices within the Component have reviewed the PTA for completeness, comprehension and accuracy.

Component Reviewer | Name | Review Date
Business Owner | Nancy Rodriguez Brown | 2/1/2024
Information System Security Manager (ISSM) | Click here to enter text. |
General Counsel | Michael McKinley | 2/22/2024
Privacy Officer | Essie L. Bell | 2/1/2024
Records Officer | Richard Allen | 2/1/2024

Table 1 - Individuals who have reviewed the PTA and attest to its completeness, comprehension and accuracy.


U.S. Department of Transportation

Control # | Control Name | Primary PTA Question | Component PO Assessment | DOT CPO Assessment
AP-1 | Authority to Collect | 1.2 Overview | 49 CFR part 40 and 14 CFR part 120 | Concur
AP-2 | Purpose Specification | 1.2 Overview | Purpose Defined | Concur
AR-1 | Governance and Privacy Program | Common Control | Addressed by DOT Privacy | Concur
AR-2 | Privacy Impact and Risk Assessment | Program Management | The NPRM requires repair stations located outside the territory of the U.S. to implement a drug and alcohol testing program and report to the FAA's Federal Air Surgeon all drug or alcohol test violations. This information will be entered into the Compliance and Enforcement Tracking System (CETS). The FAA already collects the information from domestic repair stations and there is a Privacy Impact Assessment for CETS available at https://www.transportation.gov/individuals/privacy/piacompliance-and-enforcement-tracking-system-cets. A PIA is not required for the NPRM. Since the information is collected from non-US citizens no update is required for CETS. | Concur
AR-3 | Privacy Requirements for Contractors and Service Providers | 3.3 Contractor System | This is a NPRM, owned and managed by Federal employees. | Concur
AR-4 | Privacy Monitoring and Auditing | Common Control | Addressed by DOT CPO. | Concur
AR-5 | Privacy Awareness and Training | Common Control | Addressed by DOT CPO. | Concur
AR-6 | Privacy Reporting | Common Control | Addressed by DOT CPO. | Concur
AR-7 | Privacy-Enhanced System Design and Development | 3.4 - Security Risk Categorization; 2.5 - SSN Reduction | The proposed rulemaking does not require collection of the SSN. | Concur
AR-8 | Accounting of Disclosures | 2.7 - SORN | Not a Privacy Act System of Records. | Concur
DI-1 | Data Quality | 1.2 - System Overview | Business owner is responsible for ensuring DOT Privacy Risk Management Policy and the FIPPs are applied to all data holdings and systems. | Concur
DI-2 | Data Integrity and Data Integrity Board | | Activity does not constitute sharing covered by the CMA. | Concur
DM-1 | Minimization of PII | 2.2 - Information About Individuals | Collection of PII commensurate with purpose of the system. | Concur
DM-2 | Data Retention and Disposal | 2.11 - Records Disposition Schedule | Record schedule for the rule is in place but requires updating. | Concur
DM-3 | Minimization of PII Used in Testing, Training, and Research | 2.2 - Information About Individuals | NPRM is not proposing to use information for testing, training or research. | Concur
IP-1 | Consent | 2.7 - SORN | Control is N/A to the primary purposes and records of the system. Business owner is responsible for ensuring DOT Privacy Risk Management Policy and the FIPPs are applied to all data holdings and systems. The proposed rulemaking does not require collection of information that is not already required under existing FAA regulations. No SORN coverage is required. | Concur
IP-2 | Individual Access | 2.8 - Exemption Rule | Control is N/A to the primary purposes and records of the system. Business owner is responsible for ensuring DOT Privacy Risk Management Policy and the FIPPs are applied to all data holdings and systems. The proposed rulemaking does not require collection of information that is not already required under existing FAA regulations. No SORN coverage is required. | Concur
IP-3 | Redress | 2.7 - SORN | Control is N/A to the primary purposes and records of the system. Business owner is responsible for ensuring DOT Privacy Risk Management Policy and the FIPPs are applied to all data holdings and systems. The proposed rulemaking does not require collection of information that is not already required under existing FAA regulations. No SORN coverage is required. | Concur
IP-4 | Complaint Management | Common Control | Addressed by DOT Privacy. | Concur
SE-1 | Inventory of PII | Common Control | Not an IT system under FISMA. | Concur
SE-2 | Privacy Incident Response | Common Control | Addressed by DOT Privacy. | Concur
TR-1 | Privacy Notice | 2.7 - SORN | No SORN coverage is required. | Concur
TR-2 | System of Records Notices and Privacy Act Statements | 2.7 - SORN | No SORN coverage is required. | Concur
TR-3 | Dissemination of Privacy Program Information | Common Control | Addressed by DOT Privacy | Concur
UL-1 | Internal Use | 2.10 - Internal and External Use | No internal sharing | Concur
UL-2 | Information Sharing with Third Parties | 2.10 - Internal and External Use | No internal sharing | Concur

The original table also carries Satisfied / Other than Satisfied / N/A columns, each row marked with an X; the column position of each mark was not recoverable from the extracted text.



File Type: application/pdf
File Title: PTA-AVS-Drug and Alcohol Testing Program for Personnel Engaged in Specified Aviation Activities Notice of Propose Rulemaking (NP
Author: Shams-Ramsey, Maria CTR (OST)
File Modified: 2024-02-27
File Created: 2024-02-27