[Federal Register Volume 75, Number 44 (Monday, March 8, 2010)]
[Notices]
[Pages 10554-10557]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-4811]
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Motor Carrier Safety Administration
Privacy Act of 1974; System of Records Notice
AGENCY: Federal Motor Carrier Safety Administration (FMCSA) Department
of Transportation (DOT).
ACTION: Notice to establish a new system of records.
-----------------------------------------------------------------------
SUMMARY: FMCSA proposes to establish a system of records under the
Privacy Act of 1974 (5 U.S.C. 552a) for its Pre-Employment Screening
Program (PSP), as required by 49 U.S.C. 31150. The system of records
will make crash and inspection data about commercial motor vehicle
(CMV) drivers rapidly available to CMV drivers (operator-applicants)
and prospective employers of those drivers (motor carriers), via a
secure Internet site, as an alternative to requiring them to submit a
Freedom of Information Act (FOIA) request or Privacy Act request to
FMCSA for the data.
[[Page 10555]]
Operator-applicants and motor carriers must pay a fee to access
data in PSP, but use of PSP is optional. Motor carriers may continue to
request the information from FMCSA under FOIA, and operator-applicants
may continue to receive their own safety performance data free of
charge by submitting a Privacy Act request to FMCSA.
The PSP system will be administered by a FMCSA contractor, National
Information Consortium Technologies, LLC (NIC). The PSP contractor will
not be authorized to provide data to any persons other than motor
carriers, for pre-employment screening purposes, and operator-
applicants, as required in section 31150 (b)(3). A data request from
any other person (e.g., a law firm) will be treated as a FOIA request
by FMCSA. FMCSA will perform audits of the PSP contractor to ensure
performance, privacy and security objectives are being met. The PSP
system will only allow operator-applicants to access their own data,
and will only allow motor carriers to access an individual operator-
applicant's data if the motor carrier certifies the data is for pre-
employment screening and that it has obtained the operator-applicant's
written consent. The system of records is more thoroughly detailed
below and in the Privacy Impact Assessment (PIA) that can be found on
the DOT Privacy Web site at http://www.dot.gov/privacy.
DATES: Effective April 7, 2010. Written comments should be submitted on
or before the effective date. FMCSA may publish an amended SORN in
light of any comments received.
ADDRESSES: Send comments to Pam Gosier-Cox, FMCSA Privacy Officer,
FMCSA Office of Information Technology, MC-RI, U.S. Department of
Transportation, 1200 New Jersey Avenue, SE., Washington, DC 20590 or
[email protected].
FOR FURTHER INFORMATION CONTACT: For privacy issues please contact: Pam
Gosier-Cox, FMCSA Privacy Officer, FMCSA Office of Information
Technology, MC-RI, U.S. Department of Transportation, 1200 New Jersey
Avenue, SE., Washington, DC 20590 or [email protected].
SUPPLEMENTARY INFORMATION:
I. The PSP Program
Section 31150 of title 49, U.S. Code (USC), titled ``Safety
performance history screening'' as added by section 4117(a) of the
Safe, Accountable, Flexible, Efficient Transportation Equity Act: A
Legacy for Users (SAFETEA-LU), Public Law 109-59, 119 Stat. 1144, 1728-
1729, August 10, 2005, requires FMCSA to provide persons conducting
pre-employment screening services for the motor carrier industry
electronic with access to the following reports contained in FMCSA's
Motor Carrier Management Information System (MCMIS):
(1) Commercial motor vehicle accident reports.
(2) Inspection reports that contain no driver-related safety
violations.
(3) Serious driver-related safety violation inspection reports.
FMCSA designed PSP to satisfy the requirements of 49 U.S.C. 31150
and to meet the following performance, privacy and security objectives:
Provide driver-related MCMIS crash and inspection data
electronically, via a secure Internet site, for a fee, and in a timely
and professional manner;
Allow operator-applicants to access their own data upon
written or electronic request, and allow motor carriers to access an
operator-applicant's data, for pre-employment screening purposes, with
the operator-applicant's written or electronic consent;
Maintain, handle, store, and distribute the data in PSP in
accordance with 49 U.S.C. 31150 and applicable laws, regulations and
policies; and
Provide a redress procedure by which an operator-applicant
can seek to correct inaccurate information in PSP, via the DataQs
system currently maintained by FMCSA.
II. The Privacy Act
The Privacy Act (5 USC 552a) governs the means by which the United
States Government collects, maintains, and uses personally identifiable
information (PII) in a system of records. A ``system of records'' is a
group of any records under the control of a Federal agency from which
information about individuals is retrieved by name or other personal
identifier.
The Privacy Act requires each agency to publish in the Federal
Register a system of records notice (SORN) identifying and describing
each system of records the agency maintains, including the purposes for
which the agency uses PII in the system, the routine uses for which the
agency discloses such information outside the agency, and how
individuals to whom a Privacy Act record pertains can exercise their
rights under the Privacy Act (e.g., to determine if the system contains
information about them).
IV. Privacy Impact Assessment
FMCSA is publishing a Privacy Impact Assessment (PIA) to coincide
with the publication of this SORN. In accordance with 5 USC 552a(r), a
report on the establishment of this system of records has been sent to
Congress and to the Office of Management and Budget.
System Number:
DOT/FMCSA 007
System Name:
Pre-Employment Screening Program (PSP).
Security Classification:
Unclassified, Sensitive.
System Location:
NIC Primary Data Center
AT&T Data Center, Ashburn, VA 20147.
NIC Secondary Data Center
AT&T Data Center, Allen, TX 75013.
Categories of Individuals Covered by the System of Records:
PSP will include personally identifiable information (PII)
pertaining to CMV, as defined by 49 CFR 390.5, drivers (referred to
herein as operator-applicants).
Categories of Records in PSP:
PSP will contain the following categories of records, in separate
databases:
1. CMV crash and inspection records. Each month, FMCSA will provide
the PSP contractor with a current MCMIS data extract containing the
most recent five (5) years' crash data and the most recent three (3)
years' inspection information. The MCMIS data extract in PSP will
include the following PII data elements, all of which will be
encrypted:
CMV driver name (last, first, middle initial)
CMV driver date of birth
CMV driver license number
CMV driver license state
2. Financial transaction records. The PSP system will contain
records of payments processed by the contractor, NIC, to collect fees
charged to motor carriers and operator-applicants for accessing crash
and inspection data in PSP. The financial transaction records will
include the following PII data elements, which will be encrypted (and,
in some cases, truncated):
Credit card holder name
Credit card account number
Account holder address
Card Verification Value Code (CVV) numbers will be temporarily
captured by the system but will not be retained or stored in PSP.
3. Access transaction records. The PSP system will contain records
of all access transactions processed over the PSP Web site. Access
transaction records will include the following PII data elements, which
will be encrypted:
[[Page 10556]]
CMV driver name (last, first, middle initial)
CMV driver date of birth
CMV driver license number
CMV driver license State
CMV driver address.
Authority for Maintenance of the System:
49 U.S.C. 31150, as added by section 4117 of Public Law 109-59
[Safe, Accountable, Flexible, Efficient Transportation Equity Act: A
Legacy for Users (SAFETEA-LU)].
Purpose(s):
Authorized DOT/FMSCA staff and contractor personnel will use the
following PII in PSP for the following purposes:
To provide system support and maintenance for PSP.
To make CMV crash and inspection records available to
operator-applicants and motor carriers upon receipt of validated access
requests and fee payments.
To process credit card payments and collect fees for the
requested access transactions.
To create a historical record of PSP usage for accounting
and compliance audit purposes.
Routine Uses of Records Maintained in the System, Including Categories
of Users and Purposes of Use:
The PSP system will share PII outside DOT as follows:
Authorized motor carriers may access an individual's
operator-applicant's crash and inspection data in PSP with the
operator-applicant's written consent and payment of a fee.
Validated operator-applicants may access their own crash
and inspection data in PSP upon written request and payment of a fee.
When an operator-applicant makes a request for his or her
own data from PSP, the FMCSA contractor will request that the operator-
applicant provide his or her full name, date of birth, driver license
number, driver license state and current address to verify the identity
of the operator-applicant and this information will be transmitted to
the Validation Authority of the FMCSA contractor (e.g. Lexis-Nexis) to
verify and validate the individual operator-applicant requesting access
to his or her own inspection and crash data.
Other possible routine uses of the information, applicable
to all DOT Privacy Act systems of records, are published in the Federal
Register at 65 FR 19476 (April 11, 2000), under ``Prefatory Statement
of General Routine Uses'' (available at http://www.dot.gov/privacy/privacyactnoties/).
Disclosure to Consumer Reporting Agencies:
None.
Policies and Practices for Storing, Retrieving, Accessing, Retaining,
and Disposing of Records:
Storage:
Records will be stored in secure database servers, and data will be
backed up on a Storage Area Network (SAN) in encrypted/truncated form.
Any paper records received or required for purposes of processing data
requests will be stored in secure file folders at NIC's Primary Data
Center.
Retrievability:
CMV crash and inspection records in the PSP database will be
retrieved by using the operator-applicant's last name, license number,
and license state. Additional operator-applicant information (e.g.,
date of birth, first name, and middle initial) will be used to confirm
the accuracy of the search.
Accessibility (Including Safeguards):
All records in PSP will be protected from unauthorized access
through appropriate administrative, physical and technical safeguards.
Electronic files will be stored in a database secured by password
security, encryption, firewalls, and secured operating systems, to
which only authorized NIC or DOT/FMCSA personnel will have access, on a
need-to-know basis. Paper files will be stored in file cabinets in a
locked file room to which only authorized NIC and DOT/FMCSA personnel
will have access, on a need-to-know basis. All access to the electronic
system and paper files will be logged and monitored. NIC will be
subject to routine audits of the PSP program by FMCSA to ensure
compliance with the Privacy Act, applicable sections of the Fair Credit
Reporting Act and other applicable Federal laws, regulations, or other
requirements.
Access by external users (operator-applicants and motor carriers)
will be restricted within the system based upon the user's role as an
authorized motor carrier or validated operator-applicant. An authorized
motor carrier and validated operator-applicant is an entity or person
who has been provided a unique user identification and password by NIC
and must use the unique identification and password to access data in
PSP. External users will be able to query the CMV crash and inspection
database only (the financial transaction database and access request
database cannot be externally queried). NIC will provide users with an
advisory statement that authorized motor carriers could be subject to
criminal penalties and other sanctions under 18 U.S.C. 1001 for misuse
of the PSP system.
In order for a motor carrier to receive an individual operator-
applicant's crash and inspection data, the motor carrier must certify,
for each request, under penalty of perjury, that the request is for
pre-employment purposes only and that written consent of the operator-
applicant has been obtained. Upon completion of certification, the NIC
will send a notification to the motor carrier that the individual
operator-applicant data is available on secure Web site. The motor
carrier will access this individual's information by entering a unique
identification and password. Motor carriers will be required to
maintain each operator-applicant's signed, written consent form for
five (5) years. Motor carriers are subject to random audits from NIC
and/or FMCSA to ensure that written consent of operator-applicants was
obtained.
The PSP system also allows validated operator-applicants to access
their own crash and inspection data upon written or electronic request.
Upon receipt of an operator-applicant's request, NIC will validate the
identity of the requestor (operator-applicant) by using his or her full
name, date of birth, driver license number, driver license state and
current address against a validation authority.
All PII data elements will be encrypted in the PSP system, as more
fully described under the heading ``Categories of Records in PSP.''
Retention and Disposal:
1. CMV crash and inspection records: Pursuant to General Records
Schedule (GRS) 20 (``Electronic Records,'' February 2008, see http://www.archives.gov/records-mgmt/ardor/grs20.html), governing extract
files, each monthly MCMIS extract in PSP is deleted approximately three
(3) months after being superseded by a current MCMIS extract, unless
needed longer for administrative, legal, audit or other operational
purposes.
2. Financial transaction records: Credit card information is
encrypted/truncated and retained for 30 days.
3. Access transaction records: PSP transaction records are retained
for a period of five years.
System Manager Contact Information:
PSP System Manager: Arlene D. Thompson; Office of Information
Technology; Federal Motor Carrier Safety Administration; U.S.
Department of Transportation; 1200 New Jersey Avenue, SE., W65-319;
Washington, DC 20590.
[[Page 10557]]
MCMIS System Manager: Heshmat Ansari, PhD; Division Chief, IT
Development Division; Office of Information Technology; Federal Motor
Carrier Safety Administration; U.S. Department of Transportation; 1200
New Jersey Avenue, SE., W68-330; Washington, DC 20590.
Freedom of Information Act (FOIA) Office: Federal Motor Carrier
Safety Administration Attn: FOIA Team MC-MMI; DIR Officer, 1200 New
Jersey Avenue, SE., Washington, DC 20590.
Notification Procedure: Individual operator-applicants wishing to
know if their inspection and crash records appear in this system may
directly access the PSP system or make a request in writing to the PSP
System Manager identified under ``System Manager Contact Information.''
Individual operator-applicants wishing to know if their transaction
records and credit card information appear in this system may make a
written request to the following address:
NIC Technologies, Inc., 1477 Chain Bridge Road, Suite 101, McLean,
VA 22101.
Record Access Procedures:
Individual operator-applicants seeking access to information about
them in this system may directly access the PSP system or apply to the
PSP System Manager or the FMCSA FOIA Office identified under ``System
Manager Contact Information.''
Contesting Record Procedures:
Individuals seeking to contest the content of information about
them in this system should apply to the System Manager for either PSP
or MCMIS by following the same procedures as indicated under
``Notification Procedure.'' Individuals may also submit a data
challenge to DataQs by logging into the DataQs Web site (https://dataqs.fmcsa.dot.gov/login.asp).
Record Source Categories:
1. CMV crash and inspection records: All commercial driver crash
and inspection data in PSP is received from a monthly MCMIS data
extract. The MCMIS SORN identifies the source(s) of the information in
MCMIS.
2. Financial transaction records: Credit card information
pertaining to an individual card holder (i.e., operator-applicant) is
obtained directly from the card holder, who is responsible for entering
it accurately on the PSP Web site.
3. Access transaction records: An audit trail of those entities or
persons that accessed the PSP (i.e. authorized motor carriers or
validated operator-applicants) is automatically created when requests
are initiated and when data is released by NIC.
These records are internal documents to be used by NIC and FMCSA
for auditing, monitoring and compliance purposes.
Exemptions Claimed for the System:
None.
Dated: March 2, 2010.
Habib Azarsina,
Departmental Privacy Officer, 202-366-1965.
[FR Doc. 2010-4811 Filed 3-5-10; 8:45 am]
BILLING CODE 4910-EX-P