Privacy Notice

Metropolitan Transportation Commission
511 Privacy Policy

The effective date of this Privacy Policy is November 16, 2011
Last updated July 24, 2012





Overview

The Metropolitan Transportation Commission (MTC) is committed to ensuring 511 user privacy and security. Specifically: (1) MTC will not provide personally identifiable information (“PII”) from 511 users to any third party without express customer consent, except as described in the Privacy Policy; (2) PII from 511 users will never be provided to advertisers for their use; and (3) MTC will maintain a secure environment for customer personal information.

This Privacy Policy is intended to provide an understanding of how MTC handles PII collected by the 511 program. Among other things, this policy explains the types of information collected from 511 users; the third parties with whom MTC may share this information; and the process by which 511 users are notified about material changes to this Policy.

MTC contracts with Science Applications International Corporation (“SAIC”), Parsons Brinckerhoff, Inc., and Civic Resource Group to operate and maintain 511. Collectively, these contractors are referred to in this 511 Privacy Policy as the “511 Contractors." MTC oversees the 511 Contractors. 511’s Terms of Use http://www.511.org/terms.asp notify users that by using the 511 system, the user is allowing MTC, the 511 Contractors and other third parties referenced herein, to process personal information according to the provisions set forth in 511’s Terms of Use and this Privacy Policy.

Definitions

The following definitions apply:

Personally Identifiable Information (PII): PII identifies or describes a person or can be directly linked to a specific individual. Examples of PII include but are not limited to, a person’s name, mailing address, business name, alternate contact information (if given), e-mail address, fax number, telephone number, and Travel Pattern Data.

Travel Pattern Data: Travel Pattern Data is information concerning a 511 user’s trip start and end points, travel day(s) and time(s) of day, as well as details of when MY 511 alerts are requested.

Aggregate Data or Aggregate Information: Aggregate Data or Aggregate Information is statistical information that is derived from collective data that relates to a group or category of persons from which PII has been removed. Aggregate Data reflects the characteristics of a large group of anonymous people. MTC may use Aggregate Data to generate 511 Driving Times and statistical reports for the purpose of managing the 511 program. MTC may also provide Aggregate Data to third parties.

Collection of Personally Identifiable Information

MTC collects PII for the 511 and Regional Rideshare programs, which may include a person’s name, business or workplace name, mailing address(es), e-mail address(es), telephone number(s), fax number(s), password, user name, and Travel Pattern Data.

How MTC uses Personally Identifiable Information

MTC uses the PII provided by customers to effectively and efficiently process enrollments, respond to questions, send customer-requested data via e-mails or text messages, and otherwise communicate with 511 users.

For the 511 RideMatch, SchoolPool and Bike Buddy services, MTC uses PII to provide database participants’ first and last names, e-mail addresses, employer or school names, telephone numbers and the approximate geographic locations of trip start and end points to other members within the respective client database. This information is mailed via United States Postal Service on paper “matchlists,” e-mailed, or provided online (during a registered user’s account session) in response to a user’s web- or phone-based request. Trip start and end points are provided as either the nearest cross streets or as points on a map showing the general location. Specific home or work addresses are not provided. PII is used only to facilitate carpool, vanpool or BikeBuddy matches and to provide information about products, services and campaigns that encourage the use of alternatives to driving alone. Additionally, database participants may receive e-mails or phone calls from 511 program administrators requesting participants to review and update their PII and/or to assist the formation of carpools, vanpools, or bike buddies.

Regarding MY 511, MTC uses PII to provide traveler information as customized by the MY 511 registrant. This may include, if set up by the registrant, automatic e-mailing or texting of driving times and transit departures at times of day or traffic-severity levels determined by the participant. Periodically, MTC may send e-mails to all MY 511 registrants providing general system information. If registrants have signed up for 511 news, MTC will periodically send e-mails that could include such things as 511 marketing of new features and invitations to participate in 511 surveys and/or focus groups.

PII is only utilized as described in this Privacy Policy.

Third Parties with Whom MTC May Share Personally Identifiable Information

MTC hires third party service providers (the 511 Contractors) for the purpose of operating the 511 Program. 511 Contractors are provided only with the PII they need to deliver the service. MTC requires 511 Contractors to maintain the confidentiality of the information and to use it only as necessary to carry out their duties under the 511 Program.

MTC also shares Rideshare PII (PII related to the RideMatch, SchoolPool and Bike Buddy programs) with other government-funded rideshare agencies, such as the Bay Area Air Quality Management District, 511 Contra Costa, the Peninsula Traffic Congestion Relief Alliance, the San Francisco Department of the Environment, Solano/Napa Commuter Information, the Transportation Agency of Monterey County, the Association of Monterey Bay Area Governments, the Council of San Benito County Governments, and the Santa Cruz County Regional Transportation Commission for ridesharing purposes only.

MTC may also share Rideshare PII with select employers. These select employers have been granted access to the Rideshare Matching database because they wish to take a more active role in facilitating carpools and/or vanpools among their employees. As such, employers with access to the Rideshare Matching database only have access to PII for their employees.

In addition, comments and inquiries, which usually contain some PII such as name and e-mail address, may be shared with third parties for review, comment and/or action in order to appropriately respond to the specific concern. For example, comments and inquiries received by 511 that are related to services provided by other public agencies (e.g., transit agencies) are forwarded to those agencies for their response. Likewise, a 511 Contractor may need to share the comment with a subcontractor, if necessary, to troubleshoot technical issues.

Besides these entities, PII will not be disclosed to any other third party without express customer consent, except as required to comply with laws or legal processes served on MTC.

Retention of Personally Identifiable Information

MTC, through the 511 Contractors, shall only store the PII of a 511 user that is necessary to provide the requested service. All Rideshare PII shall be discarded no more than seven years from the date a 511 registered user removes him/herself from the system, or is automatically (based on inactivity) or manually (at the registered user’s request or other reason) removed from the system. All MY 511 PII is deleted from 511 databases no more than seven years from a user’s removal of his/her account from MY 511 or upon Contractor’s removal of an account at the registered user’s request. PII incorporated in customer comments shall be deleted no more than seven years after the comment has been addressed.

Security of 511 Personally Identifiable Information

MTC is committed to the security of participants’ PII. MTC, together with the 511 Contractors, stores the PII provided by 511 users on computer servers that are located in secure, controlled facilities. Servers are designed with software, hardware and physical security measures in place to prevent unauthorized access.

Access to PII is controlled through the following administrative, technical, and physical security measures. By contract, third parties with whom MTC shares PII are also required to implement adequate security measures to maintain the confidentiality of such information.

Administrative:

  • Access to PII is limited only to certain employees for limited, approved purposes based on their specific work responsibilities. Employees' use of 511 Rideshare customer databases is limited via authentication and authorization mechanisms.
  • Privacy and security training is required for employees with access to PII, upon hire. In addition, regular periodic refresher training is required for those employees.

Technical:

  • 511 network perimeters are protected with firewalls.
  • 511 systems are implemented to ensure PII is segregated from Aggregate Information.
  • PII is stored in limited-access databases that require proper authentication and authorization for access. MY 511 user passwords are encrypted.
  • Electronic connections containing PII between both the MY 511 and the 511 RideMatching System web applications and a users’ browser are fully encrypted using SSL (secure sockets layer) technology. User sign-up of 511 Application Program Interfaces (“APIs”) is not encrypted.
  • Program administrators can not access user passwords; user passwords are one-way encrypted.

Physical:

  • Physical access to MTC and 511 Contractors’ servers is restricted to authorized technical personnel.
  • Data center access to approved technical personnel is restricted via photo / passcode authentication, and other security protocols.

In addition to MTC’s policies and procedures implementing PII security, the 511 user must also do such things as safeguard passwords, PINs, and other authentication information that may be used to access a 511 account. 511 users should not disclose authentication information to any third party and should notify MTC of any unauthorized use of their passwords. MTC cannot secure PII that is released by 511 users or PII that customers request MTC to release. In addition, there is a risk that unauthorized third parties may engage in illegal activity by such things as hacking into MTC’s security system or the 511 Contractors’ security systems or by intercepting transmissions of personal information over the Internet.

Please note that the 511 Contractors will never ask 511 users to provide or confirm any information in connection with 511 including PII, unless the customer is a subscriber to 511 services. If a 511 user ever has any doubt about the authenticity of an e-mail regarding 511, the user should either (1) open a new web browser, log into the 511 user’s account, and then perform the requested activity or (2) contact 511, by sending a message via the 511.org suggestion form (http://www.511.org/about-511-suggestions.asp) to verify the purpose and authenticity of the message.

Account access and controls

Creating an account with 511 is in the customer’s discretion. The required account information consists of PII such as name, business or workplace name, mailing address(es), e-mail address, telephone number, user name, password, and trip start and end points. MTC may request other optional information, such as alternate contact information, but, in such instances, clearly indicates that such information is optional.

Customers can review and update personal account information at any time. PII can be reviewed and edited online as discussed below under “Updating Personally Identifiable Information.” 511 users can close their MY 511 or Ridematch account at any time on line. In such case, all MY 511 account information will be deleted no more than seven years after the customer closes his/her account. All Rideshare account information will be deleted no later than seven years after the date a 511 registered user removes him/herself from the system, or is automatically (based on inactivity) or manually (at the registered user’s request or other reason) removed from the system.

Uses of FasTrak® Toll Tag Data

The Metropolitan Transportation Commission (MTC) / 511.org operates a traffic data collection system based on FasTrak® toll tags to provide better information about the transportation network to Bay Area travelers, transportation managers, and transportation planners through the 511 Driving TimesSM service. Encryption software is used to mask each toll tag identification number to ensure that toll tag information is treated anonymously in the traffic data collection process. Only after encryption are the tag IDs stored. The encrypted tag IDs will be retained for no longer than twenty-four hours and then discarded. No historical database of the encrypted IDs will be maintained beyond that time period. No FasTrak® customer PII is shared by MTC, or its third-party contractors, with MTC for 511 Driving TimesSM. Further, a customer has the option not to have his or her transponder read by the data collection system by placing the transponder in the mylar bag provided with the transponder. For more information on the 511 Driving TimesSM service, please refer to www.511.org.

Aggregate Data

MTC may also combine the PII provided by 511 users in a non-identifiable format with other information to create Aggregate Data that may be disclosed to third parties. Aggregate Data is used by MTC to improve the 511 program and for marketing 511. Aggregate Data does not contain any information that could be used to contact or identify individual 511 users or their accounts. For example, MTC may inform third parties regarding the number of 511 accounts within a particular zip code. MTC requires third parties with whom Aggregate Data is shared to agree that they will not attempt to make information personally identifiable, such as by combining it with other databases.

Cookies

The 511 websites (www.511.org) store “cookies” (small data elements) on users’ computers. The 511 website uses cookies to facilitate customer website use (e.g. remember login names and passwords until the session ends). The 511 website does not require users to enable cookies in order to use the 511 website, nor does it store “third party” cookies on users’ computers.

511 website users should review the privacy policies of websites they may visit or link to from www.511.org to understand how these external sites utilize cookies and how the information is collected by these cookies.

MTC does not knowingly engage in business with any company or vendor that uses Spyware or Malware. MTC does not market detailed information collected from web sessions that can be directly tied to personal information. Further, MTC does not provide 511 users with downloadable software that collects or utilizes any PII.

511 Transit App

The 511 Transit App was developed by Mentz Datenverarbeitung GmbH (“Mentz”), a subcontractor to SAIC. When a 511 user downloads or accesses the 511 Transit App, the user may enable his or her Global Positioning System location information (“location information”) to be used by the 511 Transit App, which will allow the user’s location to be automatically registered when he or she requests transit information. This feature can be disabled or enabled on the user’s mobile device. Neither MTC, Mentz, nor the 511 Contractors collect location information about the user. However, location information may be collected by the mobile device’s platform provider and/or the user’s data carrier. Before a 511 user downloads or accesses the 511 Transit App, he or she should review the terms of use and privacy policy of the user’s platform provider and data carrier to determine how they collect, use, and/or retain location information, or any other PII. MTC is not responsible for the terms of use or privacy policies of the platform providers or data carriers, or the use of PII, including location information, by such entities.

WARNING: MTC is not responsible for other mobile applications that make use of 511 services (“Other Apps”). Before a 511 user downloads or accesses Other Apps, he or she should review the terms of use and privacy policies of the Other Apps to determine how they collect, use, and/or retain PII. MTC is not responsible for the terms of use or privacy policies of Other Apps, or the use of PII, including location information, by such Other Apps.

Externally-Linked Websites

The 511 website contains links to third-party websites operated by entities that are affiliated with 511. These web links may be referenced within content, or placed beside the names or logos of the other entities. MTC does not disclose PII to these third-party websites.

WARNING: Once you enter external websites (whether through a service or content link), MTC is not responsible for the privacy practices of those other websites. Please review all privacy policies of external websites you may link to through our website, before providing any information to such other websites.

Updating Personally Identifiable Information

PII can be reviewed and edited online. The 511 website uses functions that have the ability to collect and store self-reported data. These functions enable 511 users to revise, update or review previously submitted information by going back to the applicable function, logging-in and making the desired changes.

Complaints or problems regarding updating personal information should be submitted via the Comment Form. The 511 Contractors will either resolve the issue or forward the complaint to an appropriate MTC staff member for response or resolution. MTC strives to answer all queries within five business days, but it may not always be feasible to do so.

If an adequate resolution is not received, please contact MTC's Privacy Officer at:

Metropolitan Transportation Commission
Attn: Privacy Officer
101 8th Street, Oakland, CA 94607
Or e-mail: privacyofficer@mtc.ca.gov
Or call: 510-817-5700

Changes to this Privacy Policy

Material Changes – If MTC makes material changes to the 511 Privacy Policy, MTC will notify 511 customers by means of posting a conspicuous notice on the 511 website that material changes have been made.

Immaterial Changes - MTC may also make non-substantive changes to the Privacy Policy, such as those that do not affect the permissible uses or disclosures of PII. In these instances, MTC may not post a special notice on the 511 website.

If MTC decides to make any change to the 511 Privacy Policy, material or immaterial, MTC will post the revised policy on the 511 website, along with the date of any amendment.

MTC reserves the right to modify this Privacy Policy at any time, so the policy needs to be reviewed frequently by 511 users.

When MTC revises the Privacy Policy, the "last updated" date at the top of the Privacy Policy will reflect the date of the last change. We encourage 511 users to review this Privacy Policy periodically to stay informed about how MTC protects the security of PII collected for the 511 Program. Continued use of the 511 Program constitutes the customer’s agreement to this Privacy Policy and any updates.

E-mails Sent to MTC

This Privacy Policy does not apply to the content of e-mails transmitted directly to MTC. Please do not send PII in an email directly to MTC, if you want to keep content or data private.

Contact information

MTC welcomes your comments on the 511 Privacy Policy. For questions about this statement, please contact the MTC Privacy Officer at the address, e-mail or phone number listed above.

History of Changes to Privacy Policy

November 2, 2007    Privacy Policy Established

November 16, 2011    Revisions to Privacy Policy

June 7, 2012    Revisions to address 511 Transit App

July 24, 2012    Revisions to address other Mobile Applications that use 511 services and to update name of 511 Contractor.

©2014 Metropolitan Transportation Commission