
[Federal Register Volume 75, Number 44 (Monday, March 8, 2010)]
[Notices]
[Pages 10554-10557]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-4811]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Motor Carrier Safety Administration


Privacy Act of 1974; System of Records Notice

AGENCY: Federal Motor Carrier Safety Administration (FMCSA), Department 
of Transportation (DOT).

ACTION: Notice to establish a new system of records.

-----------------------------------------------------------------------

SUMMARY: FMCSA proposes to establish a system of records under the 
Privacy Act of 1974 (5 U.S.C. 552a) for its Pre-Employment Screening 
Program (PSP), as required by 49 U.S.C. 31150. The system of records 
will make crash and inspection data about commercial motor vehicle 
(CMV) drivers rapidly available to CMV drivers (operator-applicants) 
and prospective employers of those drivers (motor carriers), via a 
secure Internet site, as an alternative to requiring them to submit a 
Freedom of Information Act (FOIA) request or Privacy Act request to 
FMCSA for the data.

    Operator-applicants and motor carriers must pay a fee to access 
data in PSP, but use of PSP is optional. Motor carriers may continue to 
request the information from FMCSA under FOIA, and operator-applicants 
may continue to receive their own safety performance data free of 
charge by submitting a Privacy Act request to FMCSA.
    The PSP system will be administered by a FMCSA contractor, National 
Information Consortium Technologies, LLC (NIC). The PSP contractor will 
not be authorized to provide data to any persons other than motor 
carriers, for pre-employment screening purposes, and operator-
applicants, as required in section 31150 (b)(3). A data request from 
any other person (e.g., a law firm) will be treated as a FOIA request 
by FMCSA. FMCSA will perform audits of the PSP contractor to ensure 
performance, privacy and security objectives are being met. The PSP 
system will only allow operator-applicants to access their own data, 
and will only allow motor carriers to access an individual operator-
applicant's data if the motor carrier certifies the data is for pre-
employment screening and that it has obtained the operator-applicant's 
written consent. The system of records is more thoroughly detailed 
below and in the Privacy Impact Assessment (PIA) that can be found on 
the DOT Privacy Web site at http://www.dot.gov/privacy.

DATES: Effective April 7, 2010. Written comments should be submitted on 
or before the effective date. FMCSA may publish an amended SORN in 
light of any comments received.

ADDRESSES: Send comments to Pam Gosier-Cox, FMCSA Privacy Officer, 
FMCSA Office of Information Technology, MC-RI, U.S. Department of 
Transportation, 1200 New Jersey Avenue, SE., Washington, DC 20590 or 
pam.gosier.cox@dot.gov.

FOR FURTHER INFORMATION CONTACT: For privacy issues please contact: Pam 
Gosier-Cox, FMCSA Privacy Officer, FMCSA Office of Information 
Technology, MC-RI, U.S. Department of Transportation, 1200 New Jersey 
Avenue, SE., Washington, DC 20590 or pam.gosier.cox@dot.gov.

SUPPLEMENTARY INFORMATION: 

 I. The PSP Program

    Section 31150 of title 49, U.S. Code (USC), titled ``Safety 
performance history screening'' as added by section 4117(a) of the 
Safe, Accountable, Flexible, Efficient Transportation Equity Act: A 
Legacy for Users (SAFETEA-LU), Public Law 109-59, 119 Stat. 1144, 1728-
1729, August 10, 2005, requires FMCSA to provide persons conducting 
pre-employment screening services for the motor carrier industry 
with electronic access to the following reports contained in FMCSA's 
Motor Carrier Management Information System (MCMIS):
    (1) Commercial motor vehicle accident reports.
    (2) Inspection reports that contain no driver-related safety 
violations.
    (3) Serious driver-related safety violation inspection reports.
    FMCSA designed PSP to satisfy the requirements of 49 U.S.C. 31150 
and to meet the following performance, privacy and security objectives:
     Provide driver-related MCMIS crash and inspection data 
electronically, via a secure Internet site, for a fee, and in a timely 
and professional manner;
     Allow operator-applicants to access their own data upon 
written or electronic request, and allow motor carriers to access an 
operator-applicant's data, for pre-employment screening purposes, with 
the operator-applicant's written or electronic consent;
     Maintain, handle, store, and distribute the data in PSP in 
accordance with 49 U.S.C. 31150 and applicable laws, regulations and 
policies; and
     Provide a redress procedure by which an operator-applicant 
can seek to correct inaccurate information in PSP, via the DataQs 
system currently maintained by FMCSA.

II. The Privacy Act

    The Privacy Act (5 USC 552a) governs the means by which the United 
States Government collects, maintains, and uses personally identifiable 
information (PII) in a system of records. A ``system of records'' is a 
group of any records under the control of a Federal agency from which 
information about individuals is retrieved by name or other personal 
identifier.
    The Privacy Act requires each agency to publish in the Federal 
Register a system of records notice (SORN) identifying and describing 
each system of records the agency maintains, including the purposes for 
which the agency uses PII in the system, the routine uses for which the 
agency discloses such information outside the agency, and how 
individuals to whom a Privacy Act record pertains can exercise their 
rights under the Privacy Act (e.g., to determine if the system contains 
information about them).

IV. Privacy Impact Assessment

    FMCSA is publishing a Privacy Impact Assessment (PIA) to coincide 
with the publication of this SORN. In accordance with 5 USC 552a(r), a 
report on the establishment of this system of records has been sent to 
Congress and to the Office of Management and Budget.

System Number:
    DOT/FMCSA 007

System Name:
    Pre-Employment Screening Program (PSP).

Security Classification:
    Unclassified, Sensitive.

System Location:
     NIC Primary Data Center
    AT&T Data Center, Ashburn, VA 20147.
     NIC Secondary Data Center
    AT&T Data Center, Allen, TX 75013.

Categories of Individuals Covered by the System of Records:
    PSP will include personally identifiable information (PII) 
pertaining to drivers of CMVs (as defined by 49 CFR 390.5); these 
drivers are referred to herein as operator-applicants.

Categories of Records in PSP:
    PSP will contain the following categories of records, in separate 
databases:
    1. CMV crash and inspection records. Each month, FMCSA will provide 
the PSP contractor with a current MCMIS data extract containing the 
most recent five (5) years' crash data and the most recent three (3) 
years' inspection information. The MCMIS data extract in PSP will 
include the following PII data elements, all of which will be 
encrypted:
     CMV driver name (last, first, middle initial)
     CMV driver date of birth
     CMV driver license number
     CMV driver license state
    2. Financial transaction records. The PSP system will contain 
records of payments processed by the contractor, NIC, to collect fees 
charged to motor carriers and operator-applicants for accessing crash 
and inspection data in PSP. The financial transaction records will 
include the following PII data elements, which will be encrypted (and, 
in some cases, truncated):
     Credit card holder name
     Credit card account number
     Account holder address
    Card Verification Value Code (CVV) numbers will be temporarily 
captured by the system but will not be retained or stored in PSP.
    3. Access transaction records. The PSP system will contain records 
of all access transactions processed over the PSP Web site. Access 
transaction records will include the following PII data elements, which 
will be encrypted:
     CMV driver name (last, first, middle initial)
     CMV driver date of birth
     CMV driver license number
     CMV driver license State
     CMV driver address.

Authority for Maintenance of the System:
    49 U.S.C. 31150, as added by section 4117 of Public Law 109-59 
[Safe, Accountable, Flexible, Efficient Transportation Equity Act: A 
Legacy for Users (SAFETEA-LU)].

Purpose(s):
    Authorized DOT/FMCSA staff and contractor personnel will use the 
following PII in PSP for the following purposes:
     To provide system support and maintenance for PSP.
     To make CMV crash and inspection records available to 
operator-applicants and motor carriers upon receipt of validated access 
requests and fee payments.
     To process credit card payments and collect fees for the 
requested access transactions.
     To create a historical record of PSP usage for accounting 
and compliance audit purposes.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and Purposes of Use:
    The PSP system will share PII outside DOT as follows:
     Authorized motor carriers may access an individual 
operator-applicant's crash and inspection data in PSP with the 
operator-applicant's written consent and payment of a fee.
     Validated operator-applicants may access their own crash 
and inspection data in PSP upon written request and payment of a fee.
     When an operator-applicant makes a request for his or her 
own data from PSP, the FMCSA contractor will request that the operator-
applicant provide his or her full name, date of birth, driver license 
number, driver license state and current address to verify the identity 
of the operator-applicant and this information will be transmitted to 
the Validation Authority of the FMCSA contractor (e.g. Lexis-Nexis) to 
verify and validate the individual operator-applicant requesting access 
to his or her own inspection and crash data.
     Other possible routine uses of the information, applicable 
to all DOT Privacy Act systems of records, are published in the Federal 
Register at 65 FR 19476 (April 11, 2000), under ``Prefatory Statement 
of General Routine Uses'' (available at http://www.dot.gov/privacy/privacyactnoties/).

Disclosure to Consumer Reporting Agencies:
    None.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records:
Storage:
    Records will be stored in secure database servers, and data will be 
backed up on a Storage Area Network (SAN) in encrypted/truncated form. 
Any paper records received or required for purposes of processing data 
requests will be stored in secure file folders at NIC's Primary Data 
Center.

Retrievability:
    CMV crash and inspection records in the PSP database will be 
retrieved by using the operator-applicant's last name, license number, 
and license state. Additional operator-applicant information (e.g., 
date of birth, first name, and middle initial) will be used to confirm 
the accuracy of the search.

Accessibility (Including Safeguards):
    All records in PSP will be protected from unauthorized access 
through appropriate administrative, physical and technical safeguards. 
Electronic files will be stored in a database secured by password 
security, encryption, firewalls, and secured operating systems, to 
which only authorized NIC or DOT/FMCSA personnel will have access, on a 
need-to-know basis. Paper files will be stored in file cabinets in a 
locked file room to which only authorized NIC and DOT/FMCSA personnel 
will have access, on a need-to-know basis. All access to the electronic 
system and paper files will be logged and monitored. NIC will be 
subject to routine audits of the PSP program by FMCSA to ensure 
compliance with the Privacy Act, applicable sections of the Fair Credit 
Reporting Act and other applicable Federal laws, regulations, or other 
requirements.
    Access by external users (operator-applicants and motor carriers) 
will be restricted within the system based upon the user's role as an 
authorized motor carrier or validated operator-applicant. An authorized 
motor carrier or validated operator-applicant is an entity or person 
who has been provided a unique user identification and password by NIC 
and who must use the unique identification and password to access data in 
PSP. External users will be able to query the CMV crash and inspection 
database only (the financial transaction database and access request 
database cannot be externally queried). NIC will provide users with an 
advisory statement that authorized motor carriers could be subject to 
criminal penalties and other sanctions under 18 U.S.C. 1001 for misuse 
of the PSP system.
    In order for a motor carrier to receive an individual operator-
applicant's crash and inspection data, the motor carrier must certify, 
for each request, under penalty of perjury, that the request is for 
pre-employment purposes only and that written consent of the operator-
applicant has been obtained. Upon completion of certification, NIC 
will send a notification to the motor carrier that the individual 
operator-applicant data is available on the secure Web site. The motor 
carrier will access this individual's information by entering a unique 
identification and password. Motor carriers will be required to 
maintain each operator-applicant's signed, written consent form for 
five (5) years. Motor carriers are subject to random audits from NIC 
and/or FMCSA to ensure that written consent of operator-applicants was 
obtained.
    The PSP system also allows validated operator-applicants to access 
their own crash and inspection data upon written or electronic request. 
Upon receipt of an operator-applicant's request, NIC will validate the 
identity of the requestor (operator-applicant) by using his or her full 
name, date of birth, driver license number, driver license state and 
current address against a validation authority.
    All PII data elements will be encrypted in the PSP system, as more 
fully described under the heading ``Categories of Records in PSP.''

Retention and Disposal:
    1. CMV crash and inspection records: Pursuant to General Records 
Schedule (GRS) 20 (``Electronic Records,'' February 2008, see http://www.archives.gov/records-mgmt/ardor/grs20.html), governing extract 
files, each monthly MCMIS extract in PSP is deleted approximately three 
(3) months after being superseded by a current MCMIS extract, unless 
needed longer for administrative, legal, audit or other operational 
purposes.
    2. Financial transaction records: Credit card information is 
encrypted/truncated and retained for 30 days.
    3. Access transaction records: PSP transaction records are retained 
for a period of five years.

System Manager Contact Information:
    PSP System Manager: Arlene D. Thompson; Office of Information 
Technology; Federal Motor Carrier Safety Administration; U.S. 
Department of Transportation; 1200 New Jersey Avenue, SE., W65-319; 
Washington, DC 20590.

    MCMIS System Manager: Heshmat Ansari, PhD; Division Chief, IT 
Development Division; Office of Information Technology; Federal Motor 
Carrier Safety Administration; U.S. Department of Transportation; 1200 
New Jersey Avenue, SE., W68-330; Washington, DC 20590.
    Freedom of Information Act (FOIA) Office: Federal Motor Carrier 
Safety Administration Attn: FOIA Team MC-MMI; DIR Officer, 1200 New 
Jersey Avenue, SE., Washington, DC 20590.

Notification Procedure:
    Individual operator-applicants wishing to know if their inspection 
and crash records appear in this system may directly access the PSP 
system or make a request in writing to the PSP System Manager 
identified under ``System Manager Contact Information.'' Individual 
operator-applicants wishing to know if their transaction records and 
credit card information appear in this system may make a written 
request to the following address:
    NIC Technologies, Inc., 1477 Chain Bridge Road, Suite 101, McLean, 
VA 22101.

Record Access Procedures:
    Individual operator-applicants seeking access to information about 
them in this system may directly access the PSP system or apply to the 
PSP System Manager or the FMCSA FOIA Office identified under ``System 
Manager Contact Information.''

Contesting Record Procedures:
    Individuals seeking to contest the content of information about 
them in this system should apply to the System Manager for either PSP 
or MCMIS by following the same procedures as indicated under 
``Notification Procedure.'' Individuals may also submit a data 
challenge to DataQs by logging into the DataQs Web site (https://dataqs.fmcsa.dot.gov/login.asp).

Record Source Categories:
    1. CMV crash and inspection records: All commercial driver crash 
and inspection data in PSP is received from a monthly MCMIS data 
extract. The MCMIS SORN identifies the source(s) of the information in 
MCMIS.
    2. Financial transaction records: Credit card information 
pertaining to an individual card holder (i.e., operator-applicant) is 
obtained directly from the card holder, who is responsible for entering 
it accurately on the PSP Web site.
    3. Access transaction records: An audit trail of those entities or 
persons that accessed the PSP (i.e. authorized motor carriers or 
validated operator-applicants) is automatically created when requests 
are initiated and when data is released by NIC.
    These records are internal documents to be used by NIC and FMCSA 
for auditing, monitoring and compliance purposes.

Exemptions Claimed for the System:
    None.

    Dated: March 2, 2010.
Habib Azarsina,
Departmental Privacy Officer, 202-366-1965.
[FR Doc. 2010-4811 Filed 3-5-10; 8:45 am]


