AGENCY:

Federal Motor Carrier Safety Administration (FMCSA) Department of Transportation (DOT).

ACTION:

Notice to establish a new system of records.

SUMMARY:

FMCSA proposes to establish a system of records under the Privacy Act of 1974 (5 U.S.C. 552a) for its Pre-Employment Screening Program (PSP), as required by 49 U.S.C. 31150. The system of records will make crash and inspection data about commercial motor vehicle (CMV) drivers rapidly available to CMV drivers (operator-applicants) and prospective employers of those drivers (motor carriers), via a secure Internet site, as an alternative to requiring them to submit a Freedom of Information Act (FOIA) request or Privacy Act request to FMCSA for the data.Start Printed Page 10555

Operator-applicants and motor carriers must pay a fee to access data in PSP, but use of PSP is optional. Motor carriers may continue to request the information from FMCSA under FOIA, and operator-applicants may continue to receive their own safety performance data free of charge by submitting a Privacy Act request to FMCSA.

The PSP system will be administered by a FMCSA contractor, National Information Consortium Technologies, LLC (NIC). The PSP contractor will not be authorized to provide data to any persons other than motor carriers, for pre-employment screening purposes, and operator-applicants, as required in section 31150 (b)(3). A data request from any other person (e.g., a law firm) will be treated as a FOIA request by FMCSA. FMCSA will perform audits of the PSP contractor to ensure performance, privacy and security objectives are being met. The PSP system will only allow operator-applicants to access their own data, and will only allow motor carriers to access an individual operator-applicant's data if the motor carrier certifies the data is for pre-employment screening and that it has obtained the operator-applicant's written consent. The system of records is more thoroughly detailed below and in the Privacy Impact Assessment (PIA) that can be found on the DOT Privacy Web site at http://www.dot.gov/​privacy.

DATES:

Effective April 7, 2010. Written comments should be submitted on or before the effective date. FMCSA may publish an amended SORN in light of any comments received.

ADDRESSES:

Send comments to Pam Gosier-Cox, FMCSA Privacy Officer, FMCSA Office of Information Technology, MC-RI, U.S. Department of Transportation, 1200 New Jersey Avenue, SE., Washington, DC 20590 or pam.gosier.cox@dot.gov.

FOR FURTHER INFORMATION CONTACT:

For privacy issues please contact: Pam Gosier-Cox, FMCSA Privacy Officer, FMCSA Office of Information Technology, MC-RI, U.S. Department of Transportation, 1200 New Jersey Avenue, SE., Washington, DC 20590 or pam.gosier.cox@dot.gov.

SUPPLEMENTARY INFORMATION:

I. The PSP Program

Section 31150 of title 49, U.S. Code (USC), titled “Safety performance history screening” as added by section 4117(a) of the Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (SAFETEA-LU), Public Law 109-59, 119 Stat. 1144, 1728-1729, August 10, 2005, requires FMCSA to provide persons conducting pre-employment screening services for the motor carrier industry electronic with access to the following reports contained in FMCSA's Motor Carrier Management Information System (MCMIS):

(1) Commercial motor vehicle accident reports.

(2) Inspection reports that contain no driver-related safety violations.

(3) Serious driver-related safety violation inspection reports.

FMCSA designed PSP to satisfy the requirements of 49 U.S.C. 31150 and to meet the following performance, privacy and security objectives:

• Provide driver-related MCMIS crash and inspection data electronically, via a secure Internet site, for a fee, and in a timely and professional manner;
• Allow operator-applicants to access their own data upon written or electronic request, and allow motor carriers to access an operator-applicant's data, for pre-employment screening purposes, with the operator-applicant's written or electronic consent;
• Maintain, handle, store, and distribute the data in PSP in accordance with 49 U.S.C. 31150 and applicable laws, regulations and policies; and
• Provide a redress procedure by which an operator-applicant can seek to correct inaccurate information in PSP, via the DataQs system currently maintained by FMCSA.

II. The Privacy Act

The Privacy Act (5 USC 552a) governs the means by which the United States Government collects, maintains, and uses personally identifiable information (PII) in a system of records. A “system of records” is a group of any records under the control of a Federal agency from which information about individuals is retrieved by name or other personal identifier.

The Privacy Act requires each agency to publish in the Federal Register a system of records notice (SORN) identifying and describing each system of records the agency maintains, including the purposes for which the agency uses PII in the system, the routine uses for which the agency discloses such information outside the agency, and how individuals to whom a Privacy Act record pertains can exercise their rights under the Privacy Act (e.g., to determine if the system contains information about them).

IV. Privacy Impact Assessment

FMCSA is publishing a Privacy Impact Assessment (PIA) to coincide with the publication of this SORN. In accordance with 5 USC 552a(r), a report on the establishment of this system of records has been sent to Congress and to the Office of Management and Budget.

System Number:

DOT/FMCSA 007

System Name:

Pre-Employment Screening Program (PSP).

Security Classification:

Unclassified, Sensitive.

System Location:

• NIC Primary Data Center

AT&T Data Center, Ashburn, VA 20147.

• NIC Secondary Data Center

AT&T Data Center, Allen, TX 75013.

Categories of Individuals Covered by the System of Records:

PSP will include personally identifiable information (PII) pertaining to CMV, as defined by 49 CFR 390.5, drivers (referred to herein as operator-applicants).

Categories of Records in PSP:

PSP will contain the following categories of records, in separate databases:

1. CMV crash and inspection records. Each month, FMCSA will provide the PSP contractor with a current MCMIS data extract containing the most recent five (5) years' crash data and the most recent three (3) years' inspection information. The MCMIS data extract in PSP will include the following PII data elements, all of which will be encrypted:

• CMV driver name (last, first, middle initial)
• CMV driver date of birth
• CMV driver license number
• CMV driver license state

2. Financial transaction records. The PSP system will contain records of payments processed by the contractor, NIC, to collect fees charged to motor carriers and operator-applicants for accessing crash and inspection data in PSP. The financial transaction records will include the following PII data elements, which will be encrypted (and, in some cases, truncated):

• Credit card holder name
• Credit card account number
• Account holder address

Card Verification Value Code (CVV) numbers will be temporarily captured by the system but will not be retained or stored in PSP.

3. Access transaction records. The PSP system will contain records of all access transactions processed over the PSP Web site. Access transaction records will include the following PII data elements, which will be encrypted:Start Printed Page 10556

• CMV driver name (last, first, middle initial)
• CMV driver date of birth
• CMV driver license number
• CMV driver license State
• CMV driver address.

Authority for Maintenance of the System:

49 U.S.C. 31150, as added by section 4117 of Public Law 109-59 [Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (SAFETEA-LU)].

Purpose(s):

Authorized DOT/FMSCA staff and contractor personnel will use the following PII in PSP for the following purposes:

• To provide system support and maintenance for PSP.
• To make CMV crash and inspection records available to operator-applicants and motor carriers upon receipt of validated access requests and fee payments.
• To process credit card payments and collect fees for the requested access transactions.
• To create a historical record of PSP usage for accounting and compliance audit purposes.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Use:

The PSP system will share PII outside DOT as follows:

• Authorized motor carriers may access an individual's operator-applicant's crash and inspection data in PSP with the operator-applicant's written consent and payment of a fee.
• Validated operator-applicants may access their own crash and inspection data in PSP upon written request and payment of a fee.
• When an operator-applicant makes a request for his or her own data from PSP, the FMCSA contractor will request that the operator-applicant provide his or her full name, date of birth, driver license number, driver license state and current address to verify the identity of the operator-applicant and this information will be transmitted to the Validation Authority of the FMCSA contractor (e.g. Lexis-Nexis) to verify and validate the individual operator-applicant requesting access to his or her own inspection and crash data.
• Other possible routine uses of the information, applicable to all DOT Privacy Act systems of records, are published in the Federal Register at 65 FR 19476 (April 11, 2000), under “Prefatory Statement of General Routine Uses” (available at http://www.dot.gov/​privacy/​privacyactnoties/​).

Disclosure to Consumer Reporting Agencies:

None.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records:

Storage:

Records will be stored in secure database servers, and data will be backed up on a Storage Area Network (SAN) in encrypted/truncated form. Any paper records received or required for purposes of processing data requests will be stored in secure file folders at NIC's Primary Data Center.

Retrievability:

CMV crash and inspection records in the PSP database will be retrieved by using the operator-applicant's last name, license number, and license state. Additional operator-applicant information (e.g., date of birth, first name, and middle initial) will be used to confirm the accuracy of the search.

Accessibility (Including Safeguards):

All records in PSP will be protected from unauthorized access through appropriate administrative, physical and technical safeguards. Electronic files will be stored in a database secured by password security, encryption, firewalls, and secured operating systems, to which only authorized NIC or DOT/FMCSA personnel will have access, on a need-to-know basis. Paper files will be stored in file cabinets in a locked file room to which only authorized NIC and DOT/FMCSA personnel will have access, on a need-to-know basis. All access to the electronic system and paper files will be logged and monitored. NIC will be subject to routine audits of the PSP program by FMCSA to ensure compliance with the Privacy Act, applicable sections of the Fair Credit Reporting Act and other applicable Federal laws, regulations, or other requirements.

Access by external users (operator-applicants and motor carriers) will be restricted within the system based upon the user's role as an authorized motor carrier or validated operator-applicant. An authorized motor carrier and validated operator-applicant is an entity or person who has been provided a unique user identification and password by NIC and must use the unique identification and password to access data in PSP. External users will be able to query the CMV crash and inspection database only (the financial transaction database and access request database cannot be externally queried). NIC will provide users with an advisory statement that authorized motor carriers could be subject to criminal penalties and other sanctions under 18 U.S.C. 1001 for misuse of the PSP system.

In order for a motor carrier to receive an individual operator-applicant's crash and inspection data, the motor carrier must certify, for each request, under penalty of perjury, that the request is for pre-employment purposes only and that written consent of the operator-applicant has been obtained. Upon completion of certification, the NIC will send a notification to the motor carrier that the individual operator-applicant data is available on secure Web site. The motor carrier will access this individual's information by entering a unique identification and password. Motor carriers will be required to maintain each operator-applicant's signed, written consent form for five (5) years. Motor carriers are subject to random audits from NIC and/or FMCSA to ensure that written consent of operator-applicants was obtained.

The PSP system also allows validated operator-applicants to access their own crash and inspection data upon written or electronic request. Upon receipt of an operator-applicant's request, NIC will validate the identity of the requestor (operator-applicant) by using his or her full name, date of birth, driver license number, driver license state and current address against a validation authority.

All PII data elements will be encrypted in the PSP system, as more fully described under the heading “Categories of Records in PSP.”

Retention and Disposal:

1. CMV crash and inspection records: Pursuant to General Records Schedule (GRS) 20 (“Electronic Records,” February 2008, see http://www.archives.gov/​records-mgmt/​ardor/​grs20.html), governing extract files, each monthly MCMIS extract in PSP is deleted approximately three (3) months after being superseded by a current MCMIS extract, unless needed longer for administrative, legal, audit or other operational purposes.

2. Financial transaction records: Credit card information is encrypted/truncated and retained for 30 days.

3. Access transaction records: PSP transaction records are retained for a period of five years.

System Manager Contact Information:

PSP System Manager: Arlene D. Thompson; Office of Information Technology; Federal Motor Carrier Safety Administration; U.S. Department of Transportation; 1200 New Jersey Avenue, SE., W65-319; Washington, DC 20590.Start Printed Page 10557

MCMIS System Manager: Heshmat Ansari, PhD; Division Chief, IT Development Division; Office of Information Technology; Federal Motor Carrier Safety Administration; U.S. Department of Transportation; 1200 New Jersey Avenue, SE., W68-330; Washington, DC 20590.

Freedom of Information Act (FOIA) Office: Federal Motor Carrier Safety Administration Attn: FOIA Team MC-MMI; DIR Officer, 1200 New Jersey Avenue, SE., Washington, DC 20590.

Notification Procedure: Individual operator-applicants wishing to know if their inspection and crash records appear in this system may directly access the PSP system or make a request in writing to the PSP System Manager identified under “System Manager Contact Information.” Individual operator-applicants wishing to know if their transaction records and credit card information appear in this system may make a written request to the following address:

NIC Technologies, Inc., 1477 Chain Bridge Road, Suite 101, McLean, VA 22101.

Record Access Procedures:

Individual operator-applicants seeking access to information about them in this system may directly access the PSP system or apply to the PSP System Manager or the FMCSA FOIA Office identified under “System Manager Contact Information.”

Contesting Record Procedures:

Individuals seeking to contest the content of information about them in this system should apply to the System Manager for either PSP or MCMIS by following the same procedures as indicated under “Notification Procedure.” Individuals may also submit a data challenge to DataQs by logging into the DataQs Web site (https://dataqs.fmcsa.dot.gov/​login.asp).

Record Source Categories:

1. CMV crash and inspection records: All commercial driver crash and inspection data in PSP is received from a monthly MCMIS data extract. The MCMIS SORN identifies the source(s) of the information in MCMIS.

2. Financial transaction records: Credit card information pertaining to an individual card holder (i.e., operator-applicant) is obtained directly from the card holder, who is responsible for entering it accurately on the PSP Web site.

3. Access transaction records: An audit trail of those entities or persons that accessed the PSP (i.e. authorized motor carriers or validated operator-applicants) is automatically created when requests are initiated and when data is released by NIC.

These records are internal documents to be used by NIC and FMCSA for auditing, monitoring and compliance purposes.

Exemptions Claimed for the System:

None.