DATA SECURITY

Article 23

Section 1

All information in Agency computer/information systems shall be protected in accordance with the Computer Security Act of 1987, as amended, the Department of Transportation Information Technology Security Program, and FAA Order 1370.82.

Section 2

If any record(s) maintained by the Agency on any bargaining unit employee(s) becomes lost, stolen, and/or improperly dispersed, the Agency shall notify the Union at the national level and the affected employee(s) immediately. The Agency shall assist the Union and the employee(s) in resolving the problem.

Section 3

In accordance with the Privacy Act, 5 USC 552a as amended, the Agency shall not require any bargaining unit employee to disclose his or her Social Security Number (SSN) unless such disclosure is specifically required by a federal regulation effective prior to January 1, 1975, or by federal statute.

a. When such disclosure is so required, the person from whom the disclosure is sought shall be informed:

(1) That submission of the SSN is mandatory. The federal statutory authority or pre-January 1, 1975, regulation under which submission of the SSN is required shall be identified.

(2) Of the uses that will be made of the SSN.

b. Whenever the submission of an SSN is voluntary, the Agency employee requesting an SSN from a bargaining unit employee shall inform such employee:

(1) That the submission of an SSN is not required by law and an employee's refusal to furnish an SSN will not result in the denial of any right, benefit, or privilege provided by law.

(2) That if the employee refuses to supply an SSN, a substitute number or other identifier will be assigned in those records where such an identifier is needed.

(3) That the SSN, if supplied, is used by the Agency to associate the current information relating to the employee with other information about the same employee the Agency may have in its files from previous transactions.

(4) That the SSN is solicited to assist in performing the Agency's functions under the Federal Aviation Act of 1958, as amended.

Section 4

A privacy breach is defined as an incident of confirmed theft, loss, or unauthorized disclosure of personal identifying information (PII) that requires disclosure/notification to the individual(s) in accordance with OMB Memorandum 07-16.

Section 5

The Union will identify a Point of Contact (POC) for data security/privacy issues at the national level. The Agency shall designate a POC from the office of Information Security and Privacy Services (AIS).

Section 6

In the event that the Agency suffers a privacy breach, regardless of whether the data breached is within the control of the Agency, the Department of Transportation, the Department of Interior, or any other federal agency, the Agency shall provide the Union’s POC with notification of a breach as soon as the Agency learns of the breach. The Union POC will be provided with updates as information becomes available.

Section 7

The Union POC will be included in discussions to determine the appropriate level of identity theft protection to be provided in response to a privacy breach.

Section 8

The National Points of Contact shall meet at least once quarterly to discuss the Agency initiatives to maintain and protect employees’ PII and the data systems throughout the Agency that support that information. Topics that may be discussed include initiatives to remove PII from data systems, to eliminate the use of or reliance upon employee Social Security Numbers as a means for identification, to prevent privacy breaches to computer and data systems, and other initiatives designed to increase or promote the protection of PII. If the Parties’ designees agree to meet at another interval, they may do so through mutual agreement.

Section 9

The Parties agree that the Union POC shall be on official time, if otherwise in a duty status, for all meetings described in Sections 7 and 8. If it is necessary to schedule meetings outside the regularly scheduled tour of duty of the Union POC, he/she shall be allowed to change his/her schedule, staffing and workload permitting, so that he/she may participate during duty hours.

Section 10

If the Agency determines that a face-to-face meeting is necessary, then the Agency will pay the appropriate transportation and lodging costs for the Union POC in accordance with the FAA Travel Policy (FAATP).

Section 11

A copy of the Information Security and Privacy Awareness Training (SAT) shall be provided to the Union POC. Any changes to the training will be discussed with the POC. The Agency recognizes its obligation to provide notice and opportunity to bargain to the Union in accordance with Article 7 of this Agreement and applicable law and agrees that such negotiations on the impact and implementation of changes to the training shall be conducted in accordance with the provisions of this Agreement and applicable law.

Section 12

Provided staffing and workload permit, an employee, who has been identified as impacted by a privacy breach involving the Agency, will be allowed time while at work to assess and repair damage from identity theft. Use of a government computer to access the internet to contact banks, credit card companies, credit monitoring services, or other activities relating to the restoration of one’s identity is permitted as limited personal use under FAA Order 1370.79A.