Privacy Impact Assessment (PIA) FedRooms2 · 9/10/2014  · The objective of the PIA is to assist...

Copyright © 2007-2014 CWT

Privacy Impact Assessment (PIA)

FedRooms2

9/10/2014

Contents

Overview
Objective
Assumptions
General System Information
System Evaluation
Data in the System
Data Access
Attributes of the Data
Maintenance of Administration Controls
Conclusion

Overview

The FedRooms® application was basically a brochure site until the spring of 2008, when the system was enhanced to allow the user to check availability and reserve hotel rooms. Up until this point there was little review of security compliance, since there was no way for a traveler to enter information that could be classified as PII.

The FedRooms® system does not allow a traveler to authenticate themselves. Therefore, the traveler does not have a user profile that contains PII data. Instead, the traveler is free to shop for hotel properties that support military and government rates and to determine the best alternative to meet their travel needs. If the traveler chooses to make a hotel reservation, the system prompts them for the data necessary to complete the reservation. When making a booking the system prompts the traveler for both PCI (credit card) and PII data and uses partner systems, such as GetThere, the OBE and Galileo GDS, to complete the traveler’s request. Both PCI and PII data must be stored so that the booking can be completed, the traveler receives confirmation of the request, and accounting functions can be performed so that back office operations can invoice accordingly.

Note: Global Distribution System (GDS) and the GetThere OBE are considered out of scope by GSA for boundary determination.

Objective

The objective of the PIA is to assist in identifying and addressing information privacy when planning, developing, implementing, and operating information systems that maintain information on individuals. The following is the Office of Management and Budget’s (OMB) definition of the PIA, taken from guidance on implementing the privacy provisions of the E-Government Act of 2002 (see OMB memo M-03-22 dated September 26, 2003).

“Privacy Impact Assessment (PIA) – is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form [1] in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.”

Going through the PIA process helps to identify sensitive systems to ensure that appropriate information assurance measures are in place (such as: secured storage media, secured transmission, special handling instructions, and access controls).

In its current state the FedRooms® system does not allow a traveler to authenticate themselves. Therefore, the traveler does not have a user profile that contains PII data. Instead, the traveler is free to shop for hotel properties that support military and government rates and to determine the best alternative to meet their travel needs. If the traveler chooses to make a hotel reservation the system prompts them for the data necessary to complete the reservation. When making a booking the system prompts the traveler for both PCI (credit card) and PII data and uses partner systems, such as the Galileo GDS, to complete the traveler’s request. It is required to store both PCI and PII data to ensure the booking information is completed and the traveler receives confirmation of the

[1] “Identifiable Form” - According to the OMB Memo M-03-22, this means information in an IT system or online collection: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).

Assumptions

The FedRooms® website and content do not store PII data.

GSA approves the use of Cvent, which is a third-party event and management planning tool that is not in scope for this PIA.

The PII data elements identified are the minimum captured and stored; they are necessary pieces of information required for hotel bookings and accounting business purposes.

FedRooms® does not require credential management for storing or processing user IDs and passwords.

HARP is a CWT Hotel and Corporate negotiated contracts repository, together with the applications related to them; it does not store traveler PII and is out of scope for this PIA.

GetThere, which is a downstream travel industry system, will not be included in the FedRooms authorization boundary, just as it was not included in the ETS authorization boundary.

GDS and Lanyon are industry travel systems, determined by GSA to be not in scope.

General System Information

System Name: FedRooms®

URL: https://www.fedrooms.com

Description: FedRooms® is a GSA program that provides hotel rooms for federal government travelers while on official business. It’s one of GSA’s government wide solutions that enable customers to manage their travel efficiently and effectively while accomplishing their missions. The FedRooms® Program is built on the concept of Government contracts with participating lodging properties to ensure that eligible federal travelers are guaranteed a room at an established price. FedRooms® is a way for eligible federal travelers to be assured of a room at a reasonable rate. FedRooms®.com is hosted by Carlson WagonLit Travel (CWT).

Reason for performing PIA: Significant modification to an existing system.

Characterization of the Information: Contains PII data* (*GetThere Only)

Risk associated with Data Privacy: The privacy risks are low. The minimum amount of personally identifiable information is collected to satisfy the purpose of this system.

Contact Information

Person performing the PIA: Jim Gridley, Sr Director, Security Military & Government Markets, CWTSatoTravel

System Owner: Jay Hopia

Product Owner: Kindall Farwell

IT Operations: John Pelant

Security Manager(s): Jim Gridley, Roy Smith II Regional Security Officer

Internal System Components

Internal system components and high level configuration are shown on the diagram below. Requests from the traveler’s browser to the FedRooms® application are transmitted via HTTPS. The FedRooms® application is a web-based Java application that runs in a J2EE web container on BEA WebLogic Server. The FedRooms® application makes use of three main web services designed by CWT development groups. A Hotel Search Service is utilized to interact with GetThere Online Booking Tool, our vendor partner’s master system of hotel property, amenity, and contract information. FedRooms®, through the GSA schedule, in partnership with Cvent, is now offering group and meeting market research services for government meeting planners.

[Diagram: FedRooms Topology. Labels shown in the diagram:

FedRooms boundary; primary data center – “Switch” (Las Vegas, NV)
Internet Routers: Juniper Networks MX40-T (NRNV02XIE0001, NRNV02XIE0002)
Internet Firewalls: PaloAlto PA-5050 (NFNV02XIHPP98, NFNV02XIHPP99)
DMZ Load Balancers: Netscaler 10.1 (NLNV02XINND05, NLNV02XINND06)
DMZ web servers: SSNV02IG01239 and SSNV02IG01238, each Sun One Java System Web Server 7.0 Update 8 on Solaris 10
Virtual Firewall: NFNV02XIHPP03
Server Farm: HARP (see FedRooms Business Process)
GetThere: https://wcorp.itn.net/cgi/xreg; Sabre GetThere data centers: Tulsa, OK and Dallas, TX
FedRooms Traveler]

Request flow (numbered in the diagram):

1. User requests https://www.fedrooms.com
2. DNS lookup is done and resolves to Netscaler Loadbalancer in the CWT DMZ network.
3. Request is forwarded to iPlanet proxy/web servers. Top “banner” static content (html, css, js, images) is served from here.
4. Reference to the HTML Frame is pointed to GetThere URL.
5. Client pulls directly from GetThere (for the frame; banner is still served from CWT)

Figure 1 - FedRooms Topology

System Evaluation

To ensure that a thorough review is made of an IT system for information on individuals in identifiable form, a “preliminary PIA” has been performed. The review consists of the following sections:

Data in the System

Data Access

Attributes of the Data

Maintenance of Administrative Controls

Data in the System

1. Describe the personal data information to be included in the system.

The table below summarizes the PII data supplied by the traveler and how it is stored in the database for GetThere, identified below, but are not part of the FedRooms Accreditation boundaries.

PII Data Element | Safeguards
Traveler Full Name | Not Encrypted to GDS
Address | Not Encrypted to GDS
Phone Number | Not Encrypted to GDS
Credit Card – Type, Number, Expiration | Encrypted to GDS
Email | Not Encrypted to GDS

Note: Database tables are encrypted

1.a. What stage of the life cycle is the system currently in?

FedRooms® is currently implemented and in operational use. ATO granted March, 2012.

2.a. What are the sources of the information in the system?

Government employees and uniformed personnel on official (PCS and TDY) business travel.

2.b. What GSA files and databases are used?

None. The FedRooms® team provides hotel property to external parties which does not contain PII.

2.c. What Federal agencies are providing data for use in the system?

No Federal agencies are providing data.

2.d. What State and local agencies are providing data for use in the system?

None.

2.e. What other third party sources will the data be collected from?

The suppliers are required to provide the hotel data from Lanyon, a 3rd Party RFP system; CWTSato converts hotel information from HARP for GetThere and other external resources. The information is made publicly available by GSA as well. There is no PII data in this hotel property.

2.f. What information will be collected from the individual whose record is in the system?

See question #1. Additional information may be entered at the traveler’s discretion for enhanced service, such as hotel preferences, and frequent traveler or club membership numbers.

3.a. How will the data collected from sources other than Federal agency records or the individual be verified for accuracy?

It is the responsibility of the suppliers to ensure accuracy of data is appropriately validated within the GDS. GetThere is responsible to ensure appropriate fares are displayed in accordance with FedRooms® policies.

3.b. How will data be checked for completeness?

The traveler or travel arranger is responsible to verify the accuracy of all employee-entered data. FedRooms® employs support personnel to assist travelers in cancelation of hotel bookings. In some cases, travelers must contact the hotel directly to make changes to the booked reservation. If the Hotel is booked within the GetThere tool, functionality to make reservation changes can be performed through the use of the application.

3.c. Is the data current? How do you know?

Hotel reservation data is current since the on-line system is a real-time booking engine providing confirmation numbers at session’s end.

4. Are the data elements described in detail and documented? If yes, what is the name of the document?

The data elements required for making hotel reservations are described and documented in functional schema documentation for the online booking engine, maintained by GetThere.

Data Access

1.a. Who will have access to the data in the system?

FedRooms® does not require user authentication and does allow for users of the information system to retrieve existing hotel bookings. The tool is designed to allow travelers to make a hotel booking. The application is a supplemental tool outside of ETS, used to book negotiated hotels through the GSA FedRooms® program.

Access to an individual’s hotel reservation data will be available to the traveler via confirmation notification. No traveler will have access to another traveler’s data. Access to all individuals’ hotel reservation data will be available to Accounting, Suppliers, IT support and operational personnel for maintenance and processing according to internal business operations. Individuals with access are restricted through internal controls and company personnel security background checks. The hotel reservation data will only be available to the servicing support personnel on a need-to-know basis to assist with modifications or cancelations to the bookings made by the individual travelers. The hotel providers will receive system output for reservation, booking and confirmation actions.

Confidentiality of sensitive data at the operating system level is accomplished through ensuring that the file and directory permissions are properly configured.

Information in the system may be disclosed if required as a routine use as follows:

a. To a Federal, State, local or foreign agency responsible for investigating, prosecuting, enforcing, or carrying out a statute, rule, regulation, or order, where agencies become aware of a violation or potential violation of civil or criminal law or regulation.

b. To another Federal agency or a court when the Federal government is party to a judicial proceeding.

c. To a Member of Congress or staff on behalf and at the requests of the individual who is the subject of the record.

d. To a Federal agency employee, expert, consultant, or contractor in performing a Federal duty for purposes of authorizing, arranging, and/or claiming reimbursement for official travel, including, but not limited to, traveler profile information.

e. To a credit card company for billing purposes, including collection of past due amounts.

f. To a Federal agency, expert, consultant, or contractor for accumulating reporting data, conducting surveys, and monitoring the system in the performance of a Federal duty to which the information is relevant.

g. To a Federal agency by the contractor in the form of itemized statements or invoices, and reports of all transactions, including refunds and adjustments to enable audits of charges to the Federal government.

h. To a Federal agency in response to its request, in connection with the hiring or retention of any employee; the issuance of a security clearance; the reporting of an investigation to the extent that the information is relevant and necessary to the requesting agency’s decision on the matter.

i. To an authorized appeal or grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator, or other duly authorized official engaged in investigation or settlement of a grievance, complaint, or appeal filed by an employee to whom the information pertains.

j. To the Office of Personnel Management (OPM), the Office of Management and Budget (OMB), or the Government Accountability Office (GAO) when the information is required for program evaluation purposes.

k. To officials of labor organizations recognized under 5 U.S.C. chapter 71 when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions.

l. To a travel services provider for billing and refund purposes.

m. To a carrier of an insurer for settlement of an employee claim for loss of or damage to personal property incident to service under 31 U.S.C. Sec. 3721, or to a party involved in a tort claim against the Federal government resulting from an accident involving a traveler.

n. To a credit reporting agency or credit bureau, as allowed and authorized by law, for the purpose of adding to a credit history file when it has been determined that an individual’s account with a creditor with input to the system is delinquent.

o. Summary or statistical data from the system with no reference to an identifiable individual may be released publicly.

p. To the National Archives and Records Administration (NARA) for record management purposes.

1.b. Is any of the data subject to exclusion from disclosure under the Freedom of Information Act (FOIA)? If yes, explain the policy and rationale supporting this decision.

Yes. The records will contain personally identifiable information (PII). Records containing personal information may be considered “personal records” rather than “agency records” with an agency. An agency will need to determine what the file was created for and the nature of the file.

Freedom of Information Act, Exemption 6

Dept. of Justice guidance on exemptions: http://www.usdoj.gov/oip/foi-act.htm

FOIA text: http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htm

2. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?

Federal travelers will access the on-line system through HTTPS (https://www.fedrooms.com). FedRooms® does not require system safeguards, e.g. forced logout, system time-out, password expiration, and lockout after a specified number of failed login attempts. There are no user credentials required, as the tool provides for a one-time hotel booking functionality. The user must provide the appropriate information required to book a hotel.

3. Will users have access to all data in the system or will the user's access be restricted?

Travelers will receive a confirmation of the reservation through email with no access to data stored in the system.

4. What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?

Procedural controls at the Agency level must be used to ensure that data is appropriately protected commensurate with its sensitivity. Application of these local policies and procedures will minimize the risk that users at a site can read, copy, alter, or steal printed or electronic information for which they are not authorized; and ensure that only authorized users pick up, receive, or deliver input and output information and media. Warning banners will be displayed to all users to warn them that the system is For Official Use Only and that it contains information the Privacy Act of 1974 covers. These warning banners must be acknowledged by the user prior to the user being granted system access, and advise users of their obligations to protect the system and data it contains in accordance with Federal Policy. Warning individuals with appropriate access about the misuse of data will be accomplished through policy and by the distribution and acceptance of the Rules of Behavior to users. Credit card numbers that are stored for hotel reservations cannot be viewed. The numbers are masked (X’d) and encrypted.

5.a. Do other systems share data or have access to data in this system? If yes, explain.

Yes. Back office accounting, Invoicing and Supplier statistic requirements are necessary for business fulfillment operations.

5.b. Who will be responsible for protecting the privacy rights of the clients and employees affected by the interface?

The CWT Security operations group is responsible for ensuring that the appropriate security controls are in place within the system to protect the rights of the clients and employees. The agency is responsible for assuring that the data is properly used.

6.a. Will other agencies share data or have access to data in this system (International, Federal, State, Local, Other)?

An agency will neither share data nor have free access to another agency’s data using FedRooms®.

6.b. How will the data be used by the agency?

FedRooms® is not required to provide data to agencies. Purpose of the tool is to provide an avenue to allow travelers to directly book negotiated hotel rooms.

6.c. Who is responsible for assuring proper use of the data?

The CWT Security operations group is responsible for ensuring that the appropriate security controls are in place within the system to assure proper use of the data. The agency is responsible for assuring that the data is properly used.

6.d. How will the system ensure that agencies only get the information they are entitled to?

FedRooms® is not required to provide data to agencies. Purpose of the tool is to provide an avenue to allow travelers to directly book negotiated hotel rooms.

7. What is the life expectancy of the data?

The data will be used, processed and then stored in accordance with GSA contract requirements. FedRooms.com does not store or process data.

8. How will the data be disposed of when it is no longer needed?

Disposition is in accordance with GSA contract requirements.

Attributes of the Data

1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed?

Yes. The individual traveler’s data is needed to accurately reserve the hotel booking.

2.a. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No

2.b. Will the new data be placed in the individual's record (client or employee)?

Not Applicable

2.c. Can the system make determinations about individuals that would not be possible without the new data?

Not Applicable. This type of analysis is not done within the system.

2.d. How will the new data be verified for relevance and accuracy?

Not Applicable

3.a. If the data is being consolidated, what controls are in place to protect the data and prevent unauthorized access? Explain.

Some consolidation may be done. Data may be consolidated for reporting. Reports generated of aggregate activity may be accessed only by personnel with “need to know”. Such reports do not contain information on or impact individual authorization or payment records, profiles, or reservations in the system.

3.b. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.

Consolidation of the reservation and payment processes in the system does not negate any of the access controls. Total system access has the same limited access and security protections of each of its components.

4. How will the data be retrieved? Can it be retrieved by personal identifier? If yes, explain.

Data extracts required for internal business processing are generally run through reporting queries or scripting to provide the outputs. There are no reporting capabilities within the FedRooms® tool. Outputs generated are stored in secure – restricted file folder structures where access is protected and locked down.

5. What are the potential effects on the privacy rights of individuals of: a. Consolidation and linkage of files and systems; b. Derivation of data; c. Accelerated information processing and decision making; and d. Use of new technologies.

The potential effects on the privacy rights of employees include:

a. Flow of Personal information processing in back office systems

b. There is no derivation of data.

c. There is decision making based on the Federal Travel Regulations and agency business rules.

d. Personal information may be revealed due to new technologies (e.g. faxing of receipts, mobile access).

How are the effects to be mitigated?

CWT/GetThere enforce database encryption and masking, and use file level encryption, to minimize the risk of exposing personal information. Both organizations have been through Federal Government Certifications and Accreditations for ETS in support of end to end travel sponsored by GSA and have achieved authorization to operate (ATO). Both organizations support PCI, Safe Harbor, and other pertinent security compliance programs to protect the confidentiality, integrity and availability of commercial and government clients’ data.

Maintenance of Administration Controls

1.a. Explain how the system and its use will ensure equitable treatment of individuals.

FedRooms® provides an electronic means for Federal travelers to accomplish their travel needs (hotel booking only). All agency restrictions and controls apply to every user of the system.

1.b. If the system is operated in more than one site, how will consistent use of the system be maintained at all sites?

FedRooms® is a web-based system. The system is operated in only one site with embedded links to the online booking engine and the marketing and event planning tool. Users will be geographically separated, securely accessing the system via a web browser over the Internet.

1.c. Explain any possibility of disparate treatment of individuals or groups.

Travelers who do not have access to the Internet must call the TMC or Hotel directly for reservations.

2.a. What are the retention periods of data in this system?

Current GSA contract does not provide data retention requirements for FedRooms®.

2.b. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented?

Current GSA contract does not provide data retention requirements for FedRooms®.

2.c. While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?

FedRooms® allows for a one-time use for booking hotels.

3.a. Is the system using technologies in ways that Federal agencies have not previously employed (e.g. Caller-ID)?

No. Similar technologies are deployed and in use by Federal agencies.

3.b. How does the use of this technology affect individuals’ privacy?

FedRooms® has no independent impact on Federal traveler privacy. Some of the data entered into the system under contract to the Government already collect and maintain, and some are currently maintained by authorization and voucher payment systems of agencies through the ETS contract vehicle.

4.a. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

No, there is no requirement to monitor individuals’ information through the use of FedRooms®. Changes/modifications to the traveler’s reservation may be performed by the individual or by contacting the support personnel.

4.b. Will this system provide the capability to identify, locate, and monitor groups of people? If yes, explain.

No, there is no requirement to monitor groups’ information through the use of FedRooms®.

4.c. What controls will be used to prevent unauthorized monitoring?

FedRooms® information is stored behind firewalls with no public access to support unauthorized monitoring activities.

5.a. Under which Privacy Act System of Records notice (SOR) does the system operate? Provide number and name.

Not Applicable

5.b. If the system is being modified, will the SOR require amendment or revision? Explain.

Not Applicable

Conclusion

FedRooms® leverages the government buying power to offer safe, economical and compliant hotel lodging at per diem or better rates at hotels globally. The key goal of the PIA is to effectively communicate the privacy risks not addressed through other departmental mechanisms. The PIA is intended to contribute to senior management's ability to make fully informed policy, system design and procurement decisions.

Experience over time has demonstrated that the most effective way to protect personal information is to use a combination of tools and strategies which include complying with the Privacy Act and Privacy and Data Protection Policy, using privacy-enhancing technologies and architectures, conducting privacy impact assessments, and engaging in public education.

Potential Outcomes of a PIA:

Use of anonymous information in lieu of personal information to achieve the same program objectives.

Cost avoidance by considering privacy at the outset thus avoiding exponential design costs associated with retrofitting requirements at a later development stage.

Building of public trust and confidence that privacy has been built into the design of the program or service.

Where risk cannot be mitigated through technical or policy instruments, a PIA will provide decision-makers with a full assessment of the risk.

A decision to abandon a project at an early stage based on the significance of the privacy risks.

A disciplined process that promotes open communications, common understanding and transparency.

FedRooms® stores and processes a subset of the Passenger Name Record consisting of PII data in both the GetThere Online Booking Tool and the CWT back office applications. Both organizations employ protective measures to ensure the data provided is protected in compliance with commercial and government regulations. The federal government has a long history of responding to public concern about the information it collects and how it is handled as expressed in legislation such as the Freedom of Information Act, the Privacy Act, and the Computer Matching Act. The most recent federal law meant to prescribe ethical standards relating to the collection, processing, and maintaining of identified data about respondents is the E-Government Act of 2002 (Public Law 107-347, 44 U.S.C., Ch 36).

The PIA ensures that no collection, storage, access, use, or dissemination of identifiable respondent information occurs that is not needed or permitted for the FedRooms® system.

Kim Mott

GSA Privacy Officer