Statement regarding Privacy Impact Assessment (PIA) for Amtrak passenger data

Friday, April 8, 2022

TSA currently screens passengers traveling on domestic flights within the United States, as well as international inbound, outbound, and overflights. The screening excludes passengers who book travel via other transportation means, such as buses or rail, including Amtrak.  On December 1, 2021, TSA issued a Privacy Impact Assessment (PIA) for the “Amtrak Rail Passenger Threat Assessment.” The resulting assessment included a historical review of passenger data covering a limited period of time. TSA is currently analyzing the results of the data provided by Amtrak for any potential security benefits. 

The PIA establishes rigorous privacy protections that Amtrak must follow to provide TSA with rail passenger personally identifiable information (PII) collected over the course of several months. The PIA also makes clear that Amtrak will provide TSA only historical passenger manifests—meaning manifests of already-completed travel—for rail travel on routes in the Northeast corridor during a several-month period. TSA is not vetting Amtrak travelers before they travel.

TSA published the PIA pursuant to the E-Government Act of 2002 because this assessment entailed a new receipt of personally identifiable information (PII) on members of the public for watch list matching. The assessment was for research purposes only and the collection of data has ended. Analytic results shared with Amtrak by TSA contain no personably identifiable information. 

Under the Aviation and Transportation Security Act (ATSA), TSA is responsible for security in all modes of transportation, including rail operators such as Amtrak. See the TSA Modernization Act (sec. 1974) under which TSA may consider the impacts of a passenger vetting system to enhance passenger rail security by vetting passengers using terrorist watch lists maintained by the Federal Government.