02-10943. Privacy Act of 1974: System of Records  

    AGENCY:

    Office of the Secretary, DOT.

    ACTION:

    Notice to establish a system of records.

    SUMMARY:

    DOT proposes to establish a new system of records under the Privacy Act of 1974.

    EFFECTIVE DATE:

    June 17, 2002. If no comments are received, the proposal will become effective on the above date. If comments are received, the comments will be considered and, where adopted, the documents will be republished with changes.

    ADDRESSES:

    Address all comments concerning this notice to Yvonne L. Coates, Department of Transportation, Office of the Secretary, 400 7th Street, SW., Washington, DC 20590, (202) 366-6964 (telephone).

    FOR FURTHER INFORMATION CONTACT:

    Yvonne L. Coates, Department of Transportation, Office of the Secretary, 400 7th Street, SW., Washington, DC 20590, (202) 366-6964 (telephone), (202) 366-7024 (fax) Yvonne.Coates@ost.dot.gov (Internet address).

    SUPPLEMENTARY INFORMATION:

    The Department of Transportation system of records notices subject to the Privacy Act of 1974 (5 U.S.C. 552a), as amended, have been published in the Federal Register and are available from the above mentioned address.

    DOT/ALL 13

    System Name:

    Internet/Intranet Activity and Access Records.

    Security Classification:

    Unclassified, sensitive.

    System Location:

    The system is located in the Department of Transportation. These offices are located within the Office of the Secretary (OST), Federal Aviation Administration (FAA), the United States Coast Guard (USCG), the Research and Special Programs Administration (RSPA), the Federal Highway Safety Administration (FHWA), Federal Motor Carrier Safety Administration (FMCSA), the National Highway Safety Administration (NHTSA), the Federal Transit Administration (FTA), the Maritime Administration (MARAD), the Federal Railroad Administration (FRA), the Bureau of Transportation Statistics (BTS), the St. Lawrence Seaway Development Corporation (SLSDC), Transportation Administrative Service Center (TASC), and the Transportation Security Administration (TSA).

    Categories of Individuals Covered by the System of Records:

    All DOT employees, contractors, or other users, authorized or unauthorized, who access the Internet/Intranet through any of the authorized DOT network computers or mainframe/enterprise servers, including individuals who send and receive electronic communications, access Internet/Intranet sites, or access system databases, files, or applications from DOT computers, or who send electronic communications to DOT computers. An “Internet/Intranet Access Point” is one of the authorized gateways through which all Internet/Intranet traffic passes. For statistical purposes, the system monitors the amount of traffic using different Internet/Intranet protocols, but does not view the content of transmissions (e.g., it does not monitor the text of electronic mail messages).

    Categories of Records in the System:

    Records and reports in this system may include:

    1. The source Internet/Intranet Protocol (IP) address of the computer used to make the Internet/Intranet connection.

    2. The destination IP address of the site visited (could include URL address)

    3. The date and time of the connection

    4. The size of the transmission

    5. Keywords propagated by Internet/Intranet web sites

    6. Technical machine data as the system may generate (e.g., Machine-name field and Medium Access Control [MAC] address from the last device the machine traversed.)

    7. Electronic mail systems, including the email address of sender and receiver of the electronic mail message, subject, date, and time.

    8. Profile customization purposes to personalize levels of access.

    9. Records on user access to DOT's office automation networks as well as denials of access.

    10. Records relating to mainframe/enterprise server access.

    11. Verification and authorization records.

    Logs of Internet/Intranet access and use from a DOT computer generally do not directly contain names or similar personal identifiers. However, for official government business purposes and through research or investigation, an individual whose PC was assigned an IP address at a given time may be identifiable by name.

    Authority for Maintenance of the System:

    49 U.S.C. 322, 49 U.S.C. 40122(g), 49 U.S.C. 40101, 40 U.S.C. 1441, 5 U.S.C. 302

    Purposes:

    Data in the system of records is used by DOT systems and security personnel or persons authorized to assist these personnel, to plan and manage systems services and otherwise perform their official duties. Such services would include, but are not limited to, analyzing engineering and statistical use data to assist in making business decisions regarding upgrading hardware, software, and communications technology to meet changing Internet/Intranet use requirements.

    The system is also used to monitor for improper use.

    Authorized managers may use the records in the system to investigate improper use or other improper activity by an employee, contractor or other individual relating to DOT computer systems use or access; to initiate disciplinary or other such action; and/or where the record(s) may appear to indicate a violation or potential violation of law, to refer such record(s) to the appropriate investigative organization within the agency or the Department of Transportation, or to other law enforcement agencies for investigation.

    Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

    —To provide information to any person(s) authorized to assist in an approved investigation of improper access or usage of DOT computer systems.

    —To an actual or potential party or his or her authorized representative for the purpose of negotiation or discussion of such matters as settlement of the case or matter, or informal discovery proceedings.

    —To contractors, grantees, experts, consultants, detailees, and other non-DOT employees performing or working on a contract, service, grant, cooperative agreement, or other assignment from the Federal government, when necessary to accomplish an agency function related to this system of records.

    —To other government agencies where required by law.

    —See Prefatory Statement of General Routine Uses.

    Disclosure to Consumer Reporting Agencies:

    None.

    Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

    Storage:

    The information is collected at each monitoring location and the data may be merged into computers within DOT. Data may be stored on an internal hard disk and periodically backed up onto magnetic tape. The data on the systems are protected by passwords. Software may be maintained on the firewall server. The length of time of storage may be governed by available disk space on the server. When it is necessary to print a hard copy, copies will be stored in a locked file cabinet.

    Retrievability:

    Records may be retrieved by user name, user ID, e-mail address, or other identifying search term employed, depending on the record category. The Department does not usually connect IP addresses with a person. However, in some instances, for official government business purposes, the Department may connect the IP address with an individual, and records may be retrieved by IP address.

    Safeguards:

    To safeguard against the risk of unauthorized disclosure, the DOT maintains the information at secured facilities in limited access areas of the DOT data processing facilities. The systems are also software-protected by a set of multiple passwords. There is backup capability to address issues of availability and continuity of operations. Previous week's backup tapes may be sent to an off-site storage location in some cases.

    DOT limits access to monitoring software of the computer(s) to authorized personnel only. In addition, DOT limits who can use the computer(s), and limits dissemination of any passwords used to operate the computer(s). DOT maintains any hard copies of sensitive information in secure file cabinets.

    Retention and Disposal:

    The information is retained at DOT Headquarters by the system administrators and Regional Administrators. When there is no longer disk space available on the monitors' hard disks, the files are released to the operating system for re-write. This means the files are “marked” internally as eligible for the computer operating system to overwrite with subsequent data. DOT will comply with requirements of the National Archives and Records Administration (NARA). NARA regulations state that electronic files created to monitor system usage are authorized for erasure or deletion when the agency determines that they are no longer needed for administrative, legal, audit, or other operational purposes. Generally, these (and any associated hard copy) files will be authorized for deletion after 30 days unless needed for official purposes. Not all locations, HQ or regions, will be collecting information at all times.

    System manager(s) and Address:

    a. Department of Transportation, Office of the Secretary, Office of the Chief Information Officer, S-80, 400 7th Street, SW., Washington, DC 20590.

    b. Department of Transportation, Federal Aviation Administration, Assistant Administrator for Information Services and Chief Information Officer, AIO-1, FAA Headquarters, FOB-10A, 800 Independence Avenue, SW., Washington, DC 20591.

    c. Department of Transportation, United States Coast Guard Headquarters, Commandant, G-C, 2100 2nd Street, SW., Washington, DC 20593.

    d. Department of Transportation, Research and Special Programs Administration, Office of the Administrator, DRP-1, 400 7th Street, SW., Washington, DC 20590.

    e. Department of Transportation, Federal Highway Safety Administration, Office of the Federal Highway Administrator, HOA-1, 400 7th Street, SW., Washington, DC 20590.

    f. Department of Transportation, Federal Motor Carrier Safety Administration, Office of the Administrator, MC-A, 400 7th Street, SW., Washington, DC 20590.

    g. Department of Transportation, National Highway Safety Administration, Office of the Administrator, NOA-01, 400 7th Street, SW., Washington, DC 20590.

    h. Department of Transportation, Federal Transit Administration, Office of the Administrator, TOA-1, 400 7th Street, SW., Washington, DC 20590.

    i. Department of Transportation, Maritime Administration, Office of Maritime Administrator, MAR-100, 400 7th Street, SW., Washington, DC 20590.

    j. Department of Transportation, Federal Railroad Administration, The Administrator, ROA-1, 400 7th Street, SW., Washington, DC 20590.

    k. Department of Transportation, Bureau of Transportation Statistics, Office of the Director, K-1, 400 7th Street, SW., Washington, DC 20590.

    l. Department of Transportation, St. Lawrence Seaway Development Corporation, The Administrator, 400 7th Street, SW., Washington, DC 20590.

    m. Department of Transportation, Transportation Administrative Service Center, Director, SVC-1, 400 7th Street, SW., Washington, DC 20590.

    n. Department of Transportation, Transportation Security Administration (TSA), Under Secretary, TSA-1, 400 7th Street, SW., Washington, DC 20590.

    Notification Procedure:

    To determine whether the system may contain records relating to you, write to the System Manager.

    Record Access Procedures:

    Same as “Notification Procedure.” Provide full name, assigned computer location, and a description of information that you seek, including the time frame during which the record(s) may have been generated. Individuals requesting access must comply with the Department of Transportation's Privacy Act regulations on verification of identity (49 C.F.R. 10.37).

    Contesting Record Procedures:

    Same as “Notification Procedure” and “Record Access Procedure.”

    Record Source Categories:

    Information is collected from computers located at each of the Internet/Intranet Access locations. A software program installed on each of the machines retrieves the information from a hub or connection to the Internet/Intranet. Regional offices may be collecting information from time-to-time. Personal computers at data collection points are used to capture data in a passive mode. Most records are generated internally, i.e., computer activity logs; individuals covered by the system; and management officials.

    Exemptions Claimed for the System:

    None.

    Dated: April 24, 2002.

    Yvonne L. Coates,

    Privacy Act Coordinator.

    [FR Doc. 02-10943 Filed 5-6-02; 8:45 am]

    BILLING CODE 4910-62-P

Document Information

Published: 05/07/2002
Department: Transportation Department
Entry Type: Notice
Action: Notice to establish a system of records.
Document Number: 02-10943
Dates: June 17, 2002. If no comments are received, the proposal will become effective on the above date. If comments are received, the comments will be considered and, where adopted, the documents will be republished with changes.
Pages: 30757-30759 (3 pages)
PDF File: 02-10943.pdf