Data Security Requirements for Accessing Confidential Data; Agency Information Collection Activities: Comment Request

Issuing agencies

Abstract

The Bureau of Transportation Statistics (BTS) within the Department of Transportation (DOT) invites the general public and other Federal agencies to comment on an existing information collection. BTS collects information from the public to fulfill its data security requirements when providing access to restricted use microdata for the purpose of evidence building. BTS's data security agreements and other paperwork along with the corresponding security protocols allow BTS to maintain careful controls on confidentiality and privacy, as required by law. The purpose of this notice is to allow for 60 days of public comment on the renewal of the data security information collection, prior to submission of the information collection request (ICR) to the Office of Management and Budget (OMB).

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 47 (Wednesday, March 11, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 47 (Wednesday, March 11, 2026)]
[Notices]
[Pages 12045-12047]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-04735]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Bureau of Transportation Statistics

[Docket No. DOT-OST-2026-0727]


Data Security Requirements for Accessing Confidential Data; 
Agency Information Collection Activities: Comment Request

AGENCY: Bureau of Transportation Statistics (BTS), Office of the 
Assistant Secretary for Research and Technology (OST-R), DOT.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Bureau of Transportation Statistics (BTS) within the 
Department of Transportation (DOT) invites the general public and other 
Federal agencies to comment on an existing information collection. BTS 
collects information from the public to fulfill its data security 
requirements when providing access to restricted use microdata for the 
purpose of evidence building. BTS's data security agreements and other 
paperwork along with the corresponding security protocols allow BTS to 
maintain careful controls on confidentiality and privacy, as required 
by law. The purpose of this notice is to allow for 60 days of public 
comment on the renewal of the data security information collection, 
prior to submission of the information collection request (ICR) to the 
Office of Management and Budget (OMB).

DATES: Written comments on this notice must be received by May 11, 2026 
to be assured of consideration. Comments received after that date will 
be considered to the extent practicable. Send comments to the address 
below.

ADDRESSES: 1200 New Jersey Ave. SE, Room E34-308, Washington, DC 20590.
    Comments: Comments are invited on (a) whether the proposed 
collection of information is necessary for the proper performance of 
the functions of BTS, including whether the information will have 
practical utility; (b) the accuracy of BTS's estimate of the burden of 
the proposed collection of information; (c) ways to enhance the 
quality, use, and clarity of the information on respondents, including 
through the use of automated collection techniques or other forms of 
information technology; and (d) ways to minimize the burden of the 
collection of information on those who are to respond, including 
through the use of appropriate automated, electronic, mechanical, or 
other technological collection techniques or other forms of information 
technology.

FOR FURTHER INFORMATION CONTACT: Clara Reschovsky, BTS Confidentiality 
Officer, BTS, OST-R, Department of Transportation, 1200 New Jersey Ave. 
SE, Room E34-308, Washington, DC 20590, (202) 768-4994, Office hours 
are from 8:00 a.m. to 5:30 p.m., E.T., Monday through Friday, except 
Federal holidays.

SUPPLEMENTARY INFORMATION: The Foundations for Evidence-Based 
Policymaking Act of 2018 mandated that the Office of Management and 
Budget (OMB) establish a Standard Application Process (SAP) for 
requesting access to certain confidential data assets. While the 
adoption of the SAP is required for statistical agencies and units 
designated under the Confidential Information Protection and 
Statistical Efficiency Act (CIPSEA), it is recognized that other 
agencies and organizational units within the Executive branch may 
benefit from the adoption of the SAP to accept applications for access 
to confidential data assets. The SAP is to be a process through which 
agencies, the Congressional Budget Office, State, local, and Tribal 
governments, researchers, and other individuals, as appropriate, may 
apply to access confidential data assets held by a federal statistical 
agency or unit for the purposes of developing evidence. With the 
Interagency Council on Statistical Policy (ICSP) as advisors, the 
entities upon whom this requirement is levied are working with the SAP 
Project Management Office (PMO) and with OMB to implement the SAP. The 
SAP Portal is to be a single web-based common application for the 
public to request access to confidential data assets from federal 
statistical agencies and units. The National Center for Science and 
Engineering Statistics (NCSES), within the National Science Foundation 
(NSF), submitted a Federal Register Notice in June 2025 announcing the 
renewal plan to collect information through the SAP Portal (90 FR 
25380).
    Once an application for confidential data is approved through the 
SAP Portal, BTS will collect information to meet its data security 
requirements. This collection will occur outside of the SAP Portal.
    Title of Collection: Data Security Requirements for Accessing 
Confidential Data.
    OMB Control Number: 2138-0052.
    Expiration Date of Current Approval: May 31, 2026.
    Type of Request: Intent to seek approval to collect information 
from the public to fulfill BTS security requirements allowing 
individuals to access confidential data assets for the purposes of 
building evidence.
    Abstract: Title III of the Foundations for Evidence-Based 
Policymaking Act of 2018 (hereafter referred to as the Evidence Act) 
mandates that OMB establish a Standard Application Process (SAP) for 
requesting access to certain confidential data assets. Specifically, 
the Evidence Act requires OMB to establish a common application process 
through which agencies, the Congressional Budget Office, State, local, 
and Tribal governments, researchers, and other individuals, as 
appropriate, may apply for access to confidential data assets 
collected, accessed, or acquired by a statistical agency or unit. This 
new process will be implemented while maintaining stringent controls to 
protect confidentiality and privacy, as required by law.

[[Page 12046]]

    Data collected, accessed, or acquired by statistical agencies and 
units is vital for developing evidence on conditions, characteristics, 
and behaviors of the public and on the operations and outcomes of 
public programs and policies. This evidence can benefit the 
stakeholders in the programs, the broader public, as well as 
policymakers and program managers at the local, State, Tribal, and 
National levels. The many benefits of access to data for evidence 
building notwithstanding, BTS is required by law to maintain careful 
controls that allow it to minimize disclosure risk while protecting 
confidentiality and privacy. The fulfillment of BTS's data security 
requirements places a degree of burden on the public, which is outlined 
below.
    The SAP Portal is a web-based application for the public to request 
access to confidential data assets from federal statistical agencies 
and units. The objective of the SAP Portal is to increase public access 
to confidential data for the purposes of evidence building and reduce 
the burden of applying for confidential data. The paragraphs below 
outline the SAP Policy, the steps to complete an application through 
the SAP Portal, and the process for agencies to collect information 
fulfilling their data security requirements.

The SAP Policy

    At the recommendation of the ICSP, the SAP Policy established the 
SAP to be implemented by statistical agencies and units and 
incorporates directives from the Evidence Act. The policy is intended 
to provide guidance as to the application and review processes using 
the SAP Portal, setting forth clear standards that enable statistical 
agencies and units to implement a common application form and a uniform 
review process. The methods of collection outlined below are in 
accordance with the SAP Policy. The SAP Policy was submitted to the 
public for comment in January 2022 (87 FR 2459). The policy was issued 
by OMB in December of 2022 as M-23 (<a href="https://www.whitehouse.gov/wp-content/uploads/2022/12/M-23-04.pdf">https://www.whitehouse.gov/wp-content/uploads/2022/12/M-23-04.pdf</a>).
    For the purpose of the SAP Policy, the application process begins 
with an applicant discovering a confidential data asset for which a 
statistical agency or unit is accepting applications to access for the 
purpose of building evidence and ends with the agency or unit's 
determination on whether to grant access. In the case of an adverse 
determination, the application process ends with the conclusion of an 
appeals process if the applicant elects to appeal the determination.

The SAP Portal

    The SAP Portal is an application interface connecting applicants 
seeking data with a catalog of data assets owned by the federal 
statistical agencies and units. The SAP Portal is not a new data 
repository or warehouse; confidential data assets will continue to be 
stored in secure data access facilities owned and hosted by the federal 
statistical agencies and units. The Portal provides a streamlined 
application process across agencies, reducing redundancies in the 
application process. This single SAP Portal improves the process for 
applicants, tracking and communicating the application process 
throughout its lifecycle. This reduces redundancies and burden on 
applicants that request access to data from multiple agencies. The SAP 
Portal automates key tasks to save resources and time and will bring 
agencies into compliance with the Evidence Act statutory requirements.

Data Discovery

    Individuals begin the process of accessing restricted use data by 
discovering confidential data assets through the SAP data catalog, 
maintained by federal statistical agencies at <a href="http://www.researchdatagov.org">www.researchdatagov.org</a>. 
Potential applicants can search by agency, topic, or keyword to 
identify data of interest or relevance. Once they have identified data 
of interest, applicants can view metadata outlining the title, 
description or abstract, scope and coverage, and detailed methodology 
related to a specific data asset to determine its relevance to their 
research.
    While statistical agencies and units shall endeavor to include 
metadata in the SAP data catalog on all confidential data assets for 
which they accept applications, it may not be feasible to include 
metadata for some data assets (e.g., potential curated versions of 
administrative data). A statistical agency or unit may still accept an 
application through the SAP Portal even if the requested data asset is 
not listed in the SAP data catalog.

SAP Application Process

    Individuals who have identified and wish to access confidential 
data assets are able to apply for access through the SAP Portal. 
Applicants must create an account and follow all steps to complete the 
application. Applicants begin by entering their personal, contact, and 
institutional information, as well as the personal, contact, and 
institutional information of all individuals on their research team. 
Applicants proceed to provide summary information about their proposed 
project, to include project title, duration, funding, timeline, and 
other details including the data asset(s) they are requesting and any 
proposed linkages to data not listed in the SAP data catalog, including 
non-federal data sources. Applicants then proceed to enter detailed 
information regarding their proposed project, including a project 
abstract, research question(s), literature review, project scope, 
research methodology, project products, and anticipated output. 
Applicants must demonstrate a need for confidential data, outlining why 
their research question cannot be answered using publicly available 
information.

Submission for Review

    Upon submission of their application, applicants will receive a 
notification that their application has been received and is under 
review by the data owning agency or agencies (in the event where data 
assets are requested from multiple agencies).
    In accordance with the Evidence Act and the direction of the ICSP, 
agencies will approve or reject an application within a prompt 
timeframe. In some cases, agencies may determine that additional 
clarity, information, or modification is needed and request the 
applicant to ``revise and resubmit'' their application.
    Appeals Process: In the event of an adverse determination, the 
applicant is provided justification through the SAP Portal detailing 
the determination. The SAP Portal provides the applicant with the 
option to submit an appeal for reconsideration by the data-owning 
agency or agencies. Applicants can also file an appeal for 
noncompliance with the SAP Policy.
    Access to Restricted Use Data: In the event of a positive 
determination, applicants are notified that their proposal has been 
accepted and that application approval does not alone grant access to 
confidential data, and that applicants must comply with the data-owning 
agency's security requirements outside of the SAP Portal, which may 
include a background check. In the event of an adverse determination, 
the applicant is notified of the decision and their right to appeal the 
decision. The positive or final adverse determination concludes the 
SAP-Portal process. In the instance of a positive determination, the 
data-owning agency (or agencies) will contact the applicant to provide 
instructions on the agency's security requirements that must be 
completed to gain access to the confidential data. The completion and

[[Page 12047]]

submission of the agency's security requirements occurs outside of the 
SAP Portal and is therefore not included in the estimate of burden 
below.

Collection of Information for Data Security Requirements

    In the instance of a positive determination for an application 
requesting access to a BTS confidential data asset, BTS will contact 
the applicant(s) to initiate the process of collecting information to 
fulfill their security requirements. These include additional 
requirements necessary for BTS to place the applicant(s) in a trusted 
category that may include the applicant's successful completion of a 
background investigation, confidentiality training, nondisclosure, and 
data use agreements.
    Estimate of Burden: The amount of time to complete the agreements 
and other paperwork that comprise BTS's security requirements will vary 
based on the confidential data assets requested and the access 
modality. To obtain access to BTS confidential data assets, it is 
estimated that the average time to complete and submit BTS's data 
security agreements and other paperwork is 90 minutes. This estimate 
does not include the time needed to complete and submit an application 
within the SAP Portal. All efforts related to SAP Portal applications 
occur prior to and separate from BTS's effort to collect information 
related to data security requirements.
    The expected number of applications in the SAP Portal that receive 
a positive determination from BTS in a given year may vary. Overall, 
per year, BTS estimates it will collect data security information for 
five application submissions that received a positive determination 
within the SAP Portal. BTS estimates that the total burden for the 
collection of information for data security requirements over the 
course of the three-year OMB clearance will be about 22.5 hours and, as 
a result, an average annual burden of 7.5 hours.

    Issued in Washington, DC, on the 5th of March 2026.
Edward Strocko,
Acting Director, Bureau of Transportation Statistics, U.S. Department 
of Transportation.
[FR Doc. 2026-04735 Filed 3-10-26; 8:45 am]
BILLING CODE 4910-9X-P


</pre></body>
</html>