Privacy Act of 1974; System of Records, 34116-34120 [2021-13643]

Agencies

• DEPARTMENT OF TRANSPORTATION

[Federal Register Volume 86, Number 121 (Monday, June 28, 2021)]
[Notices]
[Pages 34116-34120]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-13643]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION


Privacy Act of 1974; System of Records

AGENCY: Federal Motor Carrier Safety Administration (FMCSA), Department 
of Transportation (DOT).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, the Department of 
Transportation (DOT) proposes a new system of records titled ``Entry-
Level Driver Training Provider Registry'' (TPR). This system of records 
will allow DOT to collect and maintain registered training provider 
information and entry-level driver training certification information. 
The information in the system will be used to establish training 
provider accounts, act as a central repository for entry level-driver 
training (ELDT) certification information and transmit that information 
to State Driver Licensing Agencies (SDLAs).

DATES: Comments on the system will be accepted on or before 30 days 
from the date of publication of this notice. The system will be 
effective 30 days after publication of this notice. Routine uses will 
be effective at that time.

ADDRESSES: You may submit comments, identified by docket number OST-
2021-0037 by one of the following methods:
    Federal e-Rulemaking Portal: https://www.regulations.gov.
    Mail: Karyn Gorman, Acting Departmental Chief Privacy Officer, 
Department of Transportation, Washington, DC 20590.
    All submissions received must include the agency name and docket 
number OST-2021-0037. All comments received will be posted without 
change to https://www.regulations.gov and may include any personal 
information provided.''
    Docket: For access to the docket to read background documents or 
comments received, to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: For general and privacy questions, 
please contact: Karyn Gorman, Acting Departmental Chief Privacy 
Officer, Department of Transportation, S-81, Washington, DC 20590, 
Email: [email protected], Tel. (202) 366-3140.

SUPPLEMENTARY INFORMATION:

Background

    In accordance with the Privacy Act of 1974, the Department of 
Transportation is proposing a new system of records titled ``Department 
of Transportation (DOT)/Federal Motor Carrier Safety Administration 
(FMCSA)--012, Entry-Level Driver Training Provider Registry'' (TPR). 
This system will collect information related to registered training 
providers and entry level-driver training (ELDT) certification 
information pertaining to individual applicants for commercial driver's 
licenses (CDLs) or certain endorsements. The Moving Ahead for Progress 
in the 21st Century Act (MAP-21) requires DOT to regulate ELDT (Pub. L. 
112-141, section 32304, 126 Stat. 405, 791 (July 6, 2012)). MAP-21 
modified 49 U.C 31305 by adding paragraph (c), which required FMCSA to 
issue ELDT regulations addressing the knowledge and skills that an 
individual must acquire before obtaining a CDL or specified endorsement 
for the first time. MAP-21 also required training providers to 
demonstrate, by providing certification information, that the 
individual meets the ELDT requirements. Section 32304(a) allows the 
Secretary to establish the process by which a training provider must 
provide certification information. These ELDT regulations are currently 
located in 49 CFR part 380. The TPR is the tool that training providers 
and SDLAs will use to meet the ELDT requirements.
    Training providers, as defined in 49 CFR 380.605, wishing to 
provide ELDT must be listed on the TPR. Training providers include, but 
are not limited to, training schools, educational institutions, rural 
electric cooperatives, motor carriers, State/local governments, school 
districts, joint labor management programs, owner-operators, and 
individuals. To be listed on the TPR, a training provider must certify 
that it meets the applicable eligibility requirements listed in 49 CFR 
380.703(a), including completion of FMCSA's registration process. 
Registration is accomplished by accessing FMCSA's TPR website and 
electronically transmitting a completed Training Provider Registration 
Form (TPRF) affirming, under penalties of perjury, that the provider 
will teach the FMCSA-prescribed curriculum that is appropriate for the 
CDL class or endorsement. When a provider meets the applicable 
requirements, FMCSA will issue the provider a unique TPR number and, as 
applicable, add the provider's information to the TPR website. The 
information maintained in the system of records on training providers, 
some of whom are individuals, includes, but is not limited to, the 
training entity's legal name, location, phone number, website address, 
and the type of ELDT offered. Except as noted below, this information 
will be located on the publicly available portion of the TPR website, 
which will allow driver-trainees to locate and contact registered 
training providers. In addition, FMCSA may use the training providers' 
contact information to communicate with them regarding their 
registration information on the TPR, or to initiate an audit or 
investigation of the training provider pursuant to 49 CFR 380.703(a)(6) 
and 380.719(a)(5). FMCSA acknowledges that some training providers, 
including those who provide ELDT only for their own employees or 
prospective employees, may wish to keep their contact information 
private and therefore not have it publicly displayed on the TPR 
website. Accordingly, training providers who do not intend to make 
their services available to all driver-trainee applicants can elect not 
to include their contact information in the public listing that appears 
on the TPR website; however, these training providers will be publicly 
identified by name, city, and State. This option will be made available 
at the time of initial registration and can be changed anytime the 
provider so chooses.

[[Page 34117]]

    The system of records will also serve as a central repository of 
driver-trainee ELDT certification information.
    Each ELDT training provider is responsible for collecting certain 
information from its driver trainees, to include the driver-trainee's 
name, permit or driver license number, State of licensure, license 
class and/or endorsements, the type of training completed (e.g., Class 
A or B theory and behind-the-wheel (BTW) training), total number of BTW 
clock hours (if applicable), and date of completion. Upon a driver's 
completion of the ELDT training administered by a provider listed on 
the TPR, providers must, by midnight of the second business day 
following completion, electronically transmit training certification 
information through the TPR website. 49 CFR 380.717. The purpose of 
maintaining these records in the TPR system is two-fold: First, it 
allows users (SDLAs or third-party skills test examiners authorized by 
the SDLA) to query the TPR and verify electronically that the applicant 
completed applicable training prior to conducting the skills test, as 
required in 49 CFR 383.73(b)(11), or administering the knowledge test 
to an applicant for the hazardous materials (H) endorsement, as 
required in 49 CFR 383.73(e)(9). (This use of ELDT information by SDLAs 
is a routine use, discussed further below.) Second, FMCSA intends to 
use the ELDT certification information to analyze the safety impact of 
ELDT and to monitor the efficacy, competence, and performance of 
training providers. If the audits or investigations conducted by FMCSA, 
or its authorized representatives, identifies material deficiencies 
pertaining to the training provider's program, operations, or 
eligibility, FMCSA may consider the removal of the training provider 
from the TPR pursuant to 49 CFR 380.721.
    The Department is proposing three routine uses for this system of 
records tied directly to the purpose of the system. The first routine 
use would allow the provision of the training provider's legal name, 
location, phone number, website address, and the type of ELDT offered, 
to members of the public to allow entry-level drivers the necessary 
information to locate a provider in his or her locality. The second 
proposed routine use would allow the transmission of a driver's ELDT 
certification information in response to mandatory queries made by 
SDLAs (and third-party skills testers authorized by the SDLA) prior to 
conducting the applicable skills test. This routine use will allow CDL 
skills examiners to verify the driver's eligibility to take the 
required test(s) as outlined in the ELDT regulations. The third 
proposed routine use would allow the transmission of a driver's ELDT 
certification information in response to mandatory queries made by 
SDLAs prior to conducting the knowledge test for the H endorsement. 
This routine use will allow SDLAs to verify the driver's eligibility to 
take the test.
    FMCSA has also included DOT General Routine Uses, to the extent 
they are compatible with the purposes of this System. As recognized by 
the Office of Management and Budget (OMB) in its Privacy Act 
Implementation Guidance and Responsibilities (65 FR 19746 (July 9, 
1975)), the routine uses include proper and necessary uses of 
information in the system, even if such uses occur infrequently. FMCSA 
has included in this notice routine uses for disclosures to law 
enforcement when the record, on its face, indicates a violation of law, 
to DOJ for litigation purposes, or when necessary in investigating or 
responding to a breach of this system or other agencies' systems. DOT 
may disclose to Federal, State, local, or foreign agency information 
relevant to law enforcement, litigation, and proceedings before any 
court or adjudicative or administrative body. OMB has long recognized 
that these types of routine uses are ``proper and necessary'' uses of 
information and qualify as compatible with agency systems (65 FR 19476, 
April 11, 2000). In addition, OMB Memorandum M-17-12, directed agencies 
to include routine uses that will permit sharing of information when 
needed to investigate, respond to, and mitigate a breach of a Federal 
information system. DOT also has included routine uses that permit 
sharing with the National Archives and Records Administration when 
necessary for an inspection, to any federal government agency engaged 
in audit or oversight related to this system, or when DOT determines 
that the disclosure will detect, prevent, or mitigate terrorism 
activity. These types of disclosures are necessary and proper uses of 
information in this system because they further DOT's obligation to 
fulfil its records management and program management responsibilities 
by facilitating accountability to agencies charged with oversight in 
these areas, and DOT's obligation under Intelligence Reform and 
Terrorism Prevention Act of 2004, Public Law 108-456, and Executive 
Order 13388 (Oct. 25, 2005) to share information necessary and relevant 
to detect, prevent, disrupt, preempt, or mitigate the effects of 
terrorist activities against the territory, people, and interests of 
the United States.

Privacy Act

    The Privacy Act (5 U.S.C. 552a) governs the means by which the 
federal government agencies collect, maintain, use, and disseminate 
individuals' records. The Privacy Act applies to information that is 
maintained in a ``system of records.'' A ``system of records'' is a 
group of any records under the control of an agency from which 
information is retrieved by the name of an individual or by some 
identifying number, symbol, or other identifying particular assigned to 
the individual. The Privacy Act extends rights and protections to 
individuals who are U.S. citizens and lawful permanent residents. 
Additionally, the Judicial Redress Act (JRA) provides a covered person 
with a statutory right to make requests for access and amendment to 
covered records, as defined by the JRA, along with judicial review for 
denials of such requests. In addition, the JRA prohibits disclosures of 
covered records, except as otherwise permitted by the Privacy Act.
    Below is the description of the Training Provider Registry System 
of Records. In accordance with 5 U.S.C. 552a(r), DOT has provided a 
report of this system of records to the OMB and to Congress.

SYSTEM NAME AND NUMBER:
    DOT/FMCSA 012--Entry-Level Driver Training Provider Registry (TPR).

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained in a FedRAMP-certified third-party cloud 
environment. The contracts are maintained by DOT at 1200 New Jersey 
Avenue SE, Washington, DC 20590.

SYSTEM MANAGER(S):
    System Manager, Commercial Driver License Division, Office of 
Safety Programs, FMCSA, U.S. Department of Transportation, 1200 New 
Jersey Avenue SE, Washington, DC 20590.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Moving Ahead for Progress in the 21st Century Act (MAP-21) (Pub. L. 
112-141, section 32304, 126 Stat. 405, 791 (July 6, 2012)).

PURPOSE(S) OF THE SYSTEM:
    The purpose of the system is to (1) collect and maintain 
information on training providers listed on the TPR; (2) collect and 
maintain certification

[[Page 34118]]

information on drivers who have completed entry-level training; and (3) 
allow access to entry-level driver training certification information 
by SDLAs and third-party examiners for the purposes of ensuring entry-
level drivers have completed required training prior to seeking a CDL 
or endorsement.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Categories of individuals within this system include: Entry-level 
drivers and training providers operating as individuals (i.e., not 
affiliated with a motor carrier or independent commercial driver 
training school).

CATEGORIES OF RECORDS IN THE SYSTEM:
    Categories of records in the system include:

    Training Provider Information:

 Training provider legal name
 Training provider mailing address
 Training provider location of training and required records
 Training provider telephone number
 Training provider email address
 Unique training provider identification number

    ELDT Certification Information:

 Entry-level driver legal name
 Entry-level driver's license/commercial learner's permit/
commercial driver's license (as applicable)
 State of licensure
 Commercial driver's license class and/or endorsement and type 
of training (theory and/or BTW) the driver-trainee completed
 Total number of clock hours the driver-trainee spent to 
complete the BTW training, as applicable
 Name of the training provider and its unique TPR 
identification number
 Date(s) of training completion

RECORD SOURCE CATEGORIES:
    Training providers submit both records about themselves and of 
driver-trainees who complete required entry-level driver training.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside DOT as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
System Specific Routine Uses
    1. To the public, the training provider's legal name, location, 
phone number, website address, and the type of ELDT offered to allow 
entry-level drivers the necessary information to locate a provider in 
his or her locality.
    2. To SDLAs, including third-party skills test examiners authorized 
by the State, the driver's training record, for verification that an 
applicant seeking a Class A or Class B CDL, and/or a P or S 
endorsement, has completed the required ELDT before administering 
requisite skills test(s) to the individual.
    3. To SDLAs, the driver's training record, for verification that an 
applicant seeking a H endorsement has completed the required ELDT 
before administering the knowledge test for that endorsement.
Department General Routine Users
    1. In the event that a system of records maintained by DOT to carry 
out its functions indicates a violation or potential violation of law, 
whether civil, criminal or regulatory in nature, and whether arising by 
general statute or particular program pursuant thereto, the relevant 
records in the system of records may be referred, as a routine use, to 
the appropriate agency, whether Federal, State, local or foreign, 
charged with the responsibility of investigating or prosecuting such 
violation or charged with enforcing or implementing the statute, or 
rule, regulation, or order issued pursuant thereto.
    2a. Routine Use for Disclosure for Use in Litigation. It shall be a 
routine use of the records in this system of records to disclose them 
to the Department of Justice or other federal agency conducting 
litigation when--(a) DOT, or any agency thereof, or (b) Any employee of 
DOT or any agency thereof, in his/her official capacity, or (c) Any 
employee of DOT or any agency thereof, in his/her individual capacity 
where the Department of Justice has agreed to represent the employee, 
or (d) The United States or any agency thereof, where DOT determines 
that litigation is likely to affect the United States, is a party to 
litigation or has an interest in such litigation, and the use of such 
records by the Department of Justice or other federal agency conducting 
the litigation is deemed by DOT to be relevant and necessary in the 
litigation, provided, however, that in each case, DOT determines that 
disclosure of the records in the litigation is a use of the information 
contained in the records that is compatible with the purpose for which 
the records were collected.
    2b. Routine Use for Agency Disclosure in Other Proceedings. It 
shall be a routine use of records in this system to disclose them in 
proceedings before any court or adjudicative or administrative body 
before which DOT or any agency thereof, appears, when--(a) DOT, or any 
agency thereof, or (b) Any employee of DOT or any agency thereof in 
his/her official capacity, or (c) Any employee of DOT or any agency 
thereof in his/her individual capacity where DOT has agreed to 
represent the employee, or (d) The United States or any agency thereof, 
where DOT determines that the proceeding is likely to affect the United 
States, is a party to the proceeding or has an interest in such 
proceeding, and DOT determines that use of such records is relevant and 
necessary in the proceeding, provided, however, that in each case, DOT 
determines that disclosure of the records in the proceeding is a use of 
the information contained in the records that is compatible with the 
purpose for which the records were collected.
    3. Disclosure may be made to a Congressional office from the record 
of an individual in response to an inquiry from the Congressional 
office made at the request of that individual. In such cases, however, 
the Congressional office does not have greater rights to records than 
the individual. Thus, the disclosure may be withheld from delivery to 
the individual where the file contains investigative or actual 
information or other materials which are being used, or are expected to 
be used, to support prosecution or fines against the individual for 
violations of a statute, or of regulations of the Department based on 
statutory authority. No such limitations apply to records requested for 
Congressional oversight or legislative purposes; release is authorized 
under 49 CFR 10.35(9).
    4. One or more records from a system of records may be disclosed 
routinely to the National Archives and Records Administration (NARA) in 
records management inspections being conducted under the authority of 
44 U.S.C. 2904 and 2906.
    5. DOT may make available to another agency or instrumentality of 
any government jurisdiction, including State and local governments, 
listings of names from any system of records in DOT for use in law 
enforcement activities, either civil or criminal, or to expose 
fraudulent claims, regardless of the stated purpose for the collection 
of the information in the system of records. These enforcement 
activities are generally referred to as matching programs because two 
lists of names are checked for match using automated assistance. This 
routine use is advisory in nature and does not offer unrestricted 
access to systems of records for such law enforcement and related 
antifraud activities. Each request will be

[[Page 34119]]

considered on the basis of its purpose, merits, cost effectiveness and 
alternatives using Instructions on reporting computer matching programs 
to the Office of Management and Budget, OMB, Congress, and the public, 
published by the Director, OMB, dated September 20, 1989.
    6. DOT may disclose records from this system, as a routine use, to 
appropriate agencies, entities, and persons when (1) DOT suspects or 
has confirmed that the security or confidentiality of information in 
the system of records has been compromised; (2) DOT has determined that 
as a result of the suspected or confirmed compromise there is a risk of 
harm to economic or property interests, identity theft or fraud, or 
harm to the security or integrity of this system or other systems or 
programs (whether maintained by DOT or another agency or entity) that 
rely upon the compromised information; and (3) the disclosure made to 
such agencies, entities, and persons is reasonably necessary to assist 
in connection with DOT's efforts to respond to the suspected or 
confirmed compromise and prevent, minimize, or remedy such harm.
    7. DOT may disclose records from this system, as a routine use, to 
the Office of Government Information Services for the purpose of (a) 
resolving disputes between FOIA requesters and federal agencies and (b) 
reviewing agencies' policies, procedures, and compliance in order to 
recommend policy changes to Congress and the President.
    8. DOT may disclose records from the system, as a routine use, to 
contractors and their agents, experts, consultants, and others 
performing or working on a contract, service, cooperative agreement, or 
other assignment for DOT, when necessary to accomplish an agency 
function related to this system of records.
    9. DOT may disclose records from this system, as a routine use, to 
an agency, organization, or individual for the purpose of performing 
audit or oversight operations related to this system of records, but 
only such records as are necessary and relevant to the audit or 
oversight activity. This routine use does not apply to intra-agency 
sharing authorized under Section (b)(1) of the Privacy Act.
    10. DOT may disclose from this system, as a routine use, records 
consisting of, or relating to, terrorism information (6 U.S.C. 
485(a)(5)), homeland security information (6 U.S.C. 482(f)(1)), or Law 
enforcement information (Guideline 2 Report attached to White House 
Memorandum, ``Information Sharing Environment'', November 22, 2006) to 
a Federal, State, local, tribal, territorial, foreign government and/or 
multinational agency, either in response to its request or upon the 
initiative of the Component, for purposes of sharing such information 
as is necessary and relevant for the agencies to detect, prevent, 
disrupt, preempt, and mitigate the effects of terrorist activities 
against the territory, people, and interests of the United States of 
America, as contemplated by the Intelligence Reform and Terrorism 
Prevention Act of 2004 (Pub. L. 108-458) and Executive Order 13388 
(October 25, 2005).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records in this system are stored electronically on a contractor-
maintained cloud storage service.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records of training providers may be retrieved by the following 
data elements: Training provider's name, location, city, state, type of 
CDL training offered, and training provider number. Records of driver-
trainees may be retrieved by the following data elements: CDL holder's 
name, license number, and commercial learner's permit number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    FMCSA proposes to maintain training records of individual drivers 
for 60 years or until notified that the driver is deceased. This 
retention period is consistent with other CDL driver records maintained 
by SDLAs. FMCSA proposes to maintain training provider registration 
information for 60 years. This retention period is consistent with the 
proposed record scheduled for training records of individuals and 
allows FMCSA to maintain a complete and accurate history. The records 
schedule for the TPR records is currently being developed and will be 
submitted for approval by the National Archives and Records 
Administration (NARA). All records maintained in the system of records 
will not be disposed of and will be treated as permanent records until 
the schedule is approved by NARA.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records in this system are safeguarded in accordance with 
applicable rules and policies, including all applicable DOT automated 
systems security and access policies. Appropriate controls have been 
imposed to minimize the risk of compromising the information that is 
being stored and ensuring confidentiality of communications using tools 
such as encryption, authentication of sending parties, and 
compartmentalizing databases; and employing auditing software. TPR data 
is encrypted at rest and in transit. Access to records in this system 
is limited to those individuals who have a need to know the information 
for the performance of their official duties and who have appropriate 
clearances or permissions. All personnel with access to data are 
screened through background investigations commensurate with the level 
of access required to perform their duties.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to and notification of any record 
contained in this system of records, or seeking to contest its content, 
may submit a request to the System Manager in writing in writing to the 
address provided under ``System Manager and Address.'' Individuals may 
also search the public docket at www.regulations.gov by their name.
    When seeking records about yourself from this system of records or 
any other Departmental system of records your request must conform with 
the Privacy Act regulations set forth in 49 CFR part 10. You must sign 
your request, and your signature must either be notarized or submitted 
under 28 U.S.C. 1746, a law that permits statements to be made under 
penalty of perjury as a substitute for notarization. While no specific 
form is required, you should provide the following:
     An explanation of why you believe the Department would 
have information on you;
     Identify which component(s) of the Department you believe 
may have the information about you;
     Specify when you believe the records would have been 
created;
     Provide any other information that will help the FOIA 
staff determine which DOT component agency may have responsive records; 
and
    If your request is seeking records pertaining to another living 
individual, you must include a statement from that individual 
certifying his/her agreement for you to access his/her records. Without 
this bulleted information, the Department may not be able to conduct an 
effective search, and your request may be denied due to lack of 
specificity or lack of compliance with applicable regulations.

[[Page 34120]]

CONTESTING RECORD PROCEDURES:
    FMCSA depends upon training providers to submit data as accurately 
as possible. If a driver finds inaccurate information pertaining to 
ELDT Certification Information in the TPR, or inaccurate information 
was transmitted to the SDLA, drivers must contact the training provider 
that conducted the training to request that corrections be submitted to 
the TRP as appropriate. Once the corrections have been made, the 
training provider should resubmit the Training Certification 
Information form to the TPR, noting the corrections made. Upon receipt 
of the updated certification, the TPR will automatically retain a 
record of the information. In the event the driver-trainee wishes to 
obtain the revised training certification information, they will need 
to contact the training provider that conducted the training.
    If a training provider discovers that information contained in the 
TPR is inaccurate, the training provider may make corrections by 
accessing their TPR account on the TPR and submitting an updated 
Training Provider Registration form (OMB Control number 2126-0028).
    Individuals seeking to contest the content of any record pertaining 
to him or her in this system may also contact the System Manager 
following the Privacy Act procedures in 49 CFR part 10, subpart E, 
Correction of Records. Written requests for correction must conform 
with the Privacy Act regulations set forth in 49 CFR part 10. You must 
sign your request, and your signature must either be notarized or 
submitted under 28 U.S.C. 1746, a law that permits statements to be 
made under penalty of perjury as a substitute for notarization. While 
no specific form is required, you may obtain forms for this purpose 
from the FMCSA Freedom of Information Act Officer https://www.fmcsa.dot.gov/foia/[email protected].

NOTIFICATION PROCEDURES:
    Individuals seeking to contest the content of any record pertaining 
to him or her in the system may contact the System Manager following 
the procedures described in ``Record Access Procedures'' above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

    Issued in Washington, DC.
Karyn Gorman,
Acting Departmental Chief Privacy Officer.
[FR Doc. 2021-13643 Filed 6-25-21; 8:45 am]
BILLING CODE 4910-9X-P