Privacy Threshold Assessment

2133-0029 Privacy Threshold Assessment_final.pdf

Shipbuilding Orderbook and Shipyard Employment

OMB: 2133-0029

Privacy Threshold Assessment
(PTA)
Maritime Administration
Information Collection
2133-0029
Shipbuilding Orderbook and Shipyard
Employment
	

DOT Privacy Program

Template
Privacy Threshold Assessment (PTA) Template v2.0

Privacy Threshold Assessment (PTA)
The Privacy Threshold Assessment (PTA) is an analytical tool used to determine the scope of
privacy risk management activities that must be executed to ensure that the Department’s
initiatives do not create undue privacy risks for individuals.
The Privacy Threshold Assessment (PTA) is a privacy risk management tool used by the
Department of Transportation (DOT) Chief Privacy Officer (CPO). The PTA determines
whether a Department system¹ creates privacy risk for individuals that must be further
analyzed, documented, or mitigated, and determines the need for additional privacy
compliance documentation. Additional documentation can include Privacy Impact
Assessments (PIAs), System of Records notices (SORNs), and Privacy Act Exemption Rules
(Exemption Rules).

The majority of the Department’s privacy risk emanates from its direct collection, use,
storage, and sharing of Personally Identifiable Information (PII),² and the IT systems used
to support those processes. However, privacy risk can also be created in the Department’s
use of paper records or other technologies. The Department may also create privacy risk
for individuals through its rulemakings and information collection requirements that
require other entities to collect, use, store or share PII, or deploy technologies that create
privacy risk for members of the public.
To ensure that the Department appropriately identifies those activities that may create
privacy risk, a PTA is required for all IT systems, technologies, proposed rulemakings, and
information collections at the Department. Additionally, the PTA is used to alert other
information management stakeholders of potential risks, including information security,
records management and information collection management programs. It is also used by
the Department’s Chief Information Officer (CIO) and Associate CIO for IT Policy and
Governance (Associate CIO) to support efforts to ensure compliance with other information
asset requirements including, but not limited to, the Federal Records Act (FRA), the
Paperwork Reduction Act (PRA), the Federal Information Security Management Act
(FISMA), the Federal Information Technology Acquisition Reform Act (FITARA) and
applicable Office of Management and Budget (OMB) guidance.
Each Component establishes and follows its own processes for developing, reviewing, and
verifying the PTA prior to its submission to the DOT CPO. At a minimum the PTA must be
reviewed by the Component business owner, information system security manager, general
counsel, records officers, and privacy officer. After the Component review is completed, the
Component Privacy Office will forward the PTA to the DOT Privacy Office for final
adjudication. Only PTAs watermarked “adjudicated” and electronically signed by the DOT
CPO are considered final. Do NOT send the PTA directly to the DOT PO; PTAs received by
the DOT CPO directly from program/business owners will not be reviewed.
If you have questions or require assistance to complete the PTA please contact your
Component Privacy Officer or the DOT Privacy Office at [email protected]. Explanatory
guidance for completing the PTA can be found in the PTA Development Guide found on the
DOT Privacy Program website, www.dot.gov/privacy.

¹ For the purposes of the PTA the term “system” is used throughout the document but is not limited to traditional IT
systems. It can and does refer to business activity and processes, IT systems, information collection, a project,
program and/or technology, and proposed rulemaking as appropriate for the context of the assessment.
² The term “personally identifiable information” refers to information which can be used to distinguish or trace an
individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined
with other personal or identifying information which is linked or linkable to a specific individual, such as date and
place of birth, mother’s maiden name, etc.

May 15, 2015

April 8, 2020


Shipyard Orderbook and Shipyard Employment

DOT Privacy Program

Privacy Threshold Assessment (PTA)

	

PROGRAM MANAGEMENT

SYSTEM name: Shipyard Orderbook and Shipyard Employment
Cyber Security Assessment and Management (CSAM) ID: N/A
SYSTEM MANAGER CONTACT Information:
Name: Beth Gearhart
Email: [email protected]
Phone Number: 202-366-1867
Is this a NEW system?
☐ Yes (Proceed to Section 1)
☒ No
  ☒ Renewal
  ☐ Modification
Is there a PREVIOUSLY ADJUDICATED PTA for this system?
☐ Yes:
  Date: <>
☒ No

1 SUMMARY INFORMATION
1.1 System TYPE
☐ Information Technology and/or Information System
  Unique Investment Identifier (UII): <>
  Cyber Security Assessment and Management (CSAM) ID: <>
☐ Paper Based:
☐ Rulemaking
  Rulemaking Identification Number (RIN): <>
  Rulemaking Stage:
  ☐ Notice of Proposed Rulemaking (NPRM)
  ☐ Supplemental NPRM (SNPRM):
  ☐ Final Rule:
  Federal Register (FR) Notice: <>


☒ Information Collection Request (ICR)³
  ☐ New Collection
  ☒ Approved Collection or Collection Renewal
  ☒ OMB Control Number: 2133-0029
  ☒ Control Number Expiration Date: May 31, 2020
☐ Other: <>
1.2 System OVERVIEW:
In compliance with the Merchant Marine Act of 1936, as amended, MARAD conducts this information
collection (survey) to obtain information from the shipbuilding and ship repair industry to be used primarily to
determine if an adequate mobilization base exists for national defense and for use in a national emergency.
For additional information, see 2133-0029, Support Statement

2 INFORMATION MANAGEMENT
2.1 SUBJECTS of Collection
Identify the subject population(s) for whom the system collects, maintains, or
disseminates PII. (Check all that apply)
☒ Members of the public:
  ☐ Citizens or Legal Permanent Residents (LPR)
  ☐ Visitors
☐ Members of the DOT Federal workforce
☐ Members of the DOT Contract workforce
☒ System Does Not Collect PII. If the system does not collect PII, proceed directly
to question 2.3.

2.2 What INFORMATION ABOUT INDIVIDUALS will be collected, used, retained, or
generated?
2.3 Does the system RELATE to or provide information about individuals?
☐ Yes: Click here to enter text.
☒ No

³ See 44 USC 3201-3521; 5 CFR Part 1320

If the answer to 2.1 is “System Does Not Collect PII” and the answer to 2.3 is “No”,
you may proceed to question 2.10.
If the system collects PII or relates to individuals in any way, proceed to question 2.4.

2.4 Does the system use or collect SOCIAL SECURITY NUMBERS (SSNs)? (This includes
truncated SSNs)
☐ Yes:
  Authority: << Provide explicit legal authority for collection or use of SSN in the
  system.>>
  Purpose: << Describe how the SSN is used and why it is necessary as opposed to
  lower-risk identifiers.>>
☐ No: The system does not use or collect SSNs, including truncated SSNs. Proceed
to 2.6.

2.5 Has an SSN REDUCTION plan been established for the system?
☐ Yes: << Provide the details of the reduction plan including date conducted,
alternatives evaluated, determination reached and any steps taken to reduce the SSN
collection and use.>>
☐ No: << A system without an SSN reduction plan is in violation of the Privacy Act.
Explain why a reduction plan has yet to be completed and provide an anticipated
completion date.>>

2.6 Does the system collect PSEUDO-SSNs?
☐ Yes: << Describe how the pseudo-SSNs are used to accomplish the authorized
purpose and why they are necessary as opposed to lower-risk identifiers.>>
☐ No: The system does not collect pseudo-SSNs, including truncated SSNs.

2.7 Will information about individuals be retrieved or accessed by a UNIQUE
IDENTIFIER associated with or assigned to an individual?
☐ Yes
  Is there an existing Privacy Act System of Records notice (SORN) for the
  records retrieved or accessed by a unique identifier?
  ☐ Yes:
    SORN: <>


  ☐ No:
    Explanation:
    Expected Publication: Click here to enter text.
☐ Not Applicable: Proceed to question 2.9

2.8 Has a Privacy Act EXEMPTION RULE been published in support of any
Exemptions claimed in the SORN?
☐ Yes
  Exemption Rule: << Provide the full Exemption Rule Name, the Federal Register
  SORN citation, and the URL.>>
☐ No
  Explanation: << An explanation must be provided for failure to comply with all
  the requirements of the Privacy Act without an Exemption Rule.>>
  Expected Publication: << List the expected date of publication for an Exemption
  Rule that will bring the system into compliance with the Privacy Act.>>
☐ Not Applicable: SORN does not claim Privacy Act exemptions.

2.9 Has a PRIVACY IMPACT ASSESSMENT (PIA) been published for this system?
☐ Yes: << Provide the full PIA Name, the publication date, and the URL. >>
☐ No: Click here to enter text.
☐ Not Applicable: The most recently adjudicated PTA indicated no PIA was
required for this system.

2.10 Does the system EXCHANGE (receive and/or send) DATA from another INTERNAL
(DOT) or EXTERNAL (non-DOT) system or business activity?
☐ Yes: <>
☒ No

2.11 Does the system have a National Archives and Records Administration (NARA)-
approved RECORDS DISPOSITION schedule for system records?
☐ Yes:
  Schedule Identifier: << Identify the relevant NARA schedule, including the
  schedule number, title, section, and URL.>>
  Schedule Summary: << Provide a synopsis of the relevant portion(s) of the
  schedule.>>
☐ In Progress: << Include proposed schedule, when it will be submitted to NARA, or
job code.>>
☒ No: Click here to enter text.


3 SYSTEM LIFECYCLE
The systems development life cycle (SDLC) is a process for planning, creating,
testing, and deploying an information system. Privacy risk can change depending on
where a system is in its lifecycle.

3.1 Was this system IN PLACE in an ELECTRONIC FORMAT prior to 2002?
The E-Government Act of 2002 (EGov) establishes criteria for the types of systems
that require additional privacy considerations. It applies to systems established in
2002 or later, or existing systems that were modified after 2002.
☐ Yes: <>
☒ Not Applicable: System is not currently an electronic system. Proceed to Section
4.

3.2 Has the system been MODIFIED in any way since 2002?
☐ Yes: The system has been modified since 2002.
  ☐ Maintenance.
  ☐ Security.
  ☐ Changes Creating Privacy Risk: << Describe any modification that may
  introduce new privacy risk, including but not limited to: paper to electronic
  conversions, changing anonymous information into information in identifiable
  form, significant system management changes (including application of new
  technologies), significant system or data merging, use of new authentication
  technologies in support of public access, commercial data sources, new
  interagency uses, changes in internal flow or data collection, or alteration of
  data characterization.>>
  ☐ Other: Click here to enter text.
☐ No: The system has not been modified in any way since 2002.

3.3 Is the system a CONTRACTOR-owned or -managed system?
☐ Yes: The system is owned or managed under contract.
  Contract Number: <>
  Contractor: << Contractor Name >>
☐ No: The system is owned and managed by Federal employees.

3.4 Has a system Security Risk CATEGORIZATION been completed?
The DOT Privacy Risk Management policy requires that all PII be protected using
controls consistent with Federal Information Processing Standard Publication 199
(FIPS 199) moderate confidentiality standards. The OA Privacy Officer should be
engaged in the risk determination process and take data types into account.


☐ Yes: A risk categorization has been completed.
Based on the risk level definitions and classifications provided above, indicate
the information categorization determinations for each of the following:
Confidentiality: ☐ Low ☐ Moderate ☐ High ☐ Undefined
Integrity: ☐ Low ☐ Moderate ☐ High ☐ Undefined
Availability: ☐ Low ☐ Moderate ☐ High ☐ Undefined
Based on the risk level definitions and classifications provided above, indicate
the information system categorization determinations for each of the following:
Confidentiality: ☐ Low ☐ Moderate ☐ High ☐ Undefined
Integrity: ☐ Low ☐ Moderate ☐ High ☐ Undefined
Availability: ☐ Low ☐ Moderate ☐ High ☐ Undefined
☐ No: A risk categorization has not been completed. Provide date of anticipated
completion.

3.5 Has the system been issued an AUTHORITY TO OPERATE?
☐ Yes:
  Date of Initial Authority to Operate (ATO): <>
  Anticipated Date of Updated ATO: <>
☐ No: <>
☐ Not Applicable: System is not covered by the Federal Information Security Act
(FISMA).

4 COMPONENT PRIVACY OFFICER ANALYSIS
The Component Privacy Officer (PO) is responsible for ensuring that the PTA is as complete
and accurate as possible before submitting to the DOT Privacy Office for review and
adjudication.
COMPONENT PRIVACY OFFICER CONTACT Information
Name: Shelly Nuessle
Email: [email protected]
Phone Number: 202-366-1104
	


	
COMPONENT PRIVACY OFFICER Analysis:
Since this report simply collects numbers and job classifications, no personal information is
contained in the reports. This reporting is consolidated manually for consumption and is
not entered into an electronic system except by the system owner.

5 COMPONENT REVIEW
Prior to submitting the PTA for adjudication, it is critical that the oversight offices within
the Component have reviewed the PTA for completeness, comprehension and accuracy.
Component Reviewer

Name

Review Date
4/8/2020

Business Owner

Beth Gearhart

General Counsel

Mitch Hudson

Information System
Security Manager (ISSM)

Shelly Nuessle

4/8/2020

Privacy Officer

Shelly Nuessle	

4/8/20

Records Officer

Steve Snipes

Table 1 - Individuals who have reviewed the PTA and attest to its completeness, comprehension and accuracy.



File Type: application/pdf
File Title: Microsoft Word - 2133-0029 Privacy Threshold Assessment.docx
Author: shelly.nuessle
File Modified: 2021-09-02
File Created: 2020-04-10
