Privacy Impact Assessment
Information Collected and Purpose
Permits Online (PONL) is a secure Commercial Off-The-Shelf (COTS) product providing a web-based system with the capability to submit, route, and/or process original and amended permit/registration applications. The permit process enables TTB to authorize applicants to operate alcohol- and tobacco-related businesses under the FAA Act and Internal Revenue Code. This functionality is provided for external use by Regulated Industry Member representatives and internally by TTB's National Revenue Center (NRC). The online application and electronic submission of TTB's original permit application saves both the applicant and TTB significant time and money and also protects the public in support of homeland security.
Information Use and Sharing
PONL stores names, dates of birth, social security numbers, photographic identification, driver's license information, mailing addresses, phone numbers, financial account information, legal documents, e-mail addresses, and foreign activity information for those individuals who have provided the aforementioned information on the PONL application. PONL provides applicants with a publicly facing website enabling them to view the information in the application and to check the status of the application while it is pending. Each application is specifically linked to the individual who submits it, and only designated and approved TTB officials have direct access to personally identifiable information (PII) stored within PONL. With regard to the roles assigned within the application, all individuals receive access rights based on their status.
For an individual's PII to be stored in PONL, the individual must have willingly and intentionally filled out and submitted an application. The application is subject to the Privacy Act and a Privacy Act SORN that addresses all required categories of information has been published in the Federal Register.
TTB will take appropriate security measures to safeguard PII and other sensitive data stored on PONL. TTB will apply Department of the Treasury security standards, including, but not limited to, routine scans and monitoring, back-up activities, and background security checks for all TTB employees and contractors. Accordingly, access to PONL PII will be limited to specific job functions, and access will be controlled based on least privilege.
The following access safeguards will also be implemented:
- Passwords expire after a set period;
- Accounts are locked after a set period of inactivity;
- Minimum length of passwords is eight characters;
- Passwords are a combination of letters, numbers, and symbols; and
- Accounts are locked after a set number of incorrect attempts.