The National Highway Traffic Safety Administration (NHTSA), within the Department of Transportation (DOT), has been given the responsibility to carry out safety programs. NHTSA is responsible for reducing deaths, injuries, and economic losses resulting from motor vehicle crashes. One of the programs that helps NHTSA fulfill this mission is the National Driver Register (NDR), which assists States in identifying problem drivers.
The NDR system provides a central indicator of the location of information on individuals whose privilege to drive has been revoked, suspended, canceled, or denied or who have been convicted of serious traffic-related offenses. NHTSA maintains limited information in the NDR: names, dates of birth, driver license numbers, and sex of drivers on whom a State or the District of Columbia has driver records, but not the content of the driver record; all that an inquiry to the NDR does is indicate whether a State or the District of Columbia has a record on an individual matching the individual who is the subject of the inquiry, and, if so, which one(s). State driver licensing officials use NDR data when determining whether to issue a driver license. In addition, the NDR is queried by other authorized users (Federal and non-Federal employers or prospective employers of motor vehicle operators, Federal Aviation Administration (FAA) for airman medical certification, Federal Railroad Administration (FRA) and railroads for locomotive operators, Coast Guard for merchant mariners and servicemen, air carriers for pilot applicants, and National Transportation Safety Board (NTSB) and Federal Motor Carrier Safety Administration (FMCSA) in connection with accident investigations). Under the provisions of the Privacy Act, individuals are also entitled to request NDR file searches to determine if there are records pertaining to them on file. An individual’s request submitted directly to the NDR must be in writing and notarized. All 50 States and the District of Columbia participate in the NDR. The system is also referred to as the Problem Driver Pointer System.
Privacy management is an integral part of the NDR system. DOT/NHTSA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.
The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and NHTSA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing NHTSA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:
- Establish priority, authority, and responsibility. Appointing a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
- Assess the current privacy environment. This involves interviews with key individuals involved in the NDR system to ensure that privacy risks are identified and documented.
- Organize the resources necessary for the project’s goals. Internal DOT/NHTSA resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
- Develop the policies, practices, and procedures. The resources identified in the paragraph above work to develop an effective policy or policies, practices, and procedures to ensure that fair information practices are complied with. The policies are designed to protect privacy effectively while allowing DOT/NHTSA to achieve its mission.
- Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the NHTSA project.
- Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures is required.
- Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints are effectively addressed and corrections made if necessary.