Following a recent PA Turnpike Commission (PTC) board meeting, Rock the Capital posed follow-up questions to the PTC board. The general focus of our questioning included vendor performance, procurement procedures, and personal data, with a focus on data security and privacy.
Our questions, and the answers from the PTC board regarding data security and more, follow in their entirety.
1. How does the PTC deal with poor vendor performance? Is there anything in place that would allow you to ban or disbar poor vendors?
The Commission scrutinizes vendor performance through a consultant evaluation process. During the evaluation, the Commission will discuss the performance issue with the vendor and give the vendor an opportunity to respond to the concerns, improve performance, cure discussed deficiencies and/or explain how the issues will be addressed. If a vendor performs poorly on a certain task or function, the Commission can limit or restrict the vendor’s work.
If there is a significant performance issue, the Commission can stop working with the vendor in accordance with applicable provisions of the Procurement Code or invoke applicable provisions under the contract. In addition, the Commission can move to suspend or debar the vendor from bidding on future procurements in accordance with the Procurement Code.
The Commission also evaluates the prime consultant for engineering contracts at the completion of final design and at the completion of construction.
Further, in accordance with the Procurement Code, the Commission’s professional services procurement process allows the Commission to consider past performance in the evaluation and rating of firms to ensure that the firm is a responsible offer or eligible for award of future Commission contracts.
2. Is there a plan for a vendor performance manual and what is the timeline for the deliverable?
The Commission has effective measures in place and a proven track record to address vendor performance. Our three-tier review and selection process — which has been vetted and lauded by the PA Auditor General and an independent Advisory Committee — continues to prevent poor-performing vendors from being deemed responsible bidders or offerors for the particular procurement.
Regarding contractors in the low bid environment, the Commission can move to suspend or debar the contractor for the reasons enumerated in the Procurement Code.
3. Does the commission need to authorize emergency procurements?
During emergencies, our procurement process can be expedited, however, all procurements still must be authorized in accordance with Commission procurement policies. Specifically, if the emergency procurement is in excess of $50,000, it must be approved by our CEO. A contracting officer can approve emergency purchases under $50,000. The Commissioners are kept apprised of all procurements approved by the contracting officer and/or the CEO.
4. The Pennsylvania Turnpike must receive and process tons of personal data on a regular basis, how do you ensure the users that the information is secure?
To the contrary, the Commission processes very little personal data. More importantly, the Commission has a robust security framework to protect our data. Additionally, the Commission performs regular security patching and internal and external vulnerability scans. Periodic security assessment and penetration testing is also performed by qualified third-party vendors.
5. What metrics of data collection are prohibited for privacy precautions and which ones are used on the turnpike?
If by “data collection” you are referring to electronic toll collection related to E-ZPass accounts, the Commission collects the necessary account holder information such as the customer’s name and address, vehicle and travel information. This information is provided by customers in order to open E-ZPass accounts and is required in order to determine the appropriate toll charges for customers’ travel. All information collected for E-ZPass customers as well as the information used for billing purposes for non-E-ZPass customers is maintained in a secure environment which meets the necessary requirements for the Payment Card Industry (PCI) for a Level 1 Merchant. Due to Pennsylvania’s privacy statute, the Commission’s E-ZPass Customer Service Center is required to verify the identity of all customers before providing any account information.
6. For technology contracts that are subscription based how are the year to year costs of the contracts assessed after the initial installment of the software? (Installation cost versus year to year maintenance cost)
The Commission generally issues purchase orders for multiple years of annual subscriptions, with terms that permit the agreements to be canceled at any time. The multi-year quotes from the vendor allows the Commission to lock in the annual subscription costs. Each time the subscription is renewed, a service price quote is obtained. The Commission can choose to renew the subscription or cancel it at any point.
7. Are subscriptions put through the same internal review process on a year to year renewal basis or is it simply an initial review that is not re-evaluated until the end of the subscription time period?
The Commission evaluates its subscriptions annually. Prior to renewing a subscription, a service price quote is obtained, and a decision is made whether to renew or cancel the subscription.
8. Are the guidelines for personal data and information collection made public, so that customers know what is being collected?
We encourage you to review the Commission’s E-ZPass privacy policy on our website. The privacy policy describes the types of customer data collected by our Electronic Toll Collection systems. All personal data obtained by the Commission is used solely for the purpose of toll collection including E-ZPass transaction processing, issuance of toll invoices or violation notices, toll collection enforcement laws as outlined in our E-ZPass agreement and required in PA’s electronic toll collection statute. Moreover, the electronic toll collection data is not made available in civil litigation or in response to Right-to-Know Law requests.
9. What are the limitations on what personal data can be shared internally and is there a period from which the data is then erased from storage when it is no longer relevant?
Very little personal data is shared internally as the data is securely maintained by a third-party vendor in accordance with its Contract with the Commission and Pennsylvania’s electronic toll collection statute. The Commission also has a Data Classification Standard and a Records Retention Policy, which are published on our website. The Data Classification Standard ensures that data is identified, classified, labeled, and properly handled and protected in accordance with its importance and potential impact to the Commission. The Records Retention Policy ensures that the Commission maintains those records that are needed for legal compliance and that support current Commission operations.
10. Are subscription reviews made public? Are there year to year updates of performance?
Subscription reviews are not made public and are protected from disclosure by the Right-to-Know law. As discussed above, the Commission determines if a Software-as-a-Service application is still the best option and decides whether to renew or cancel it.
11. Can a subscription be canceled in contracted years for violation of negotiated terms?
Yes, subscriptions can be cancelled for violation of terms and conditions. In most cases, the Commission can choose not to renew a subscription at any point.
12. If a subscription is canceled can the reasons and the performance of the certain vendor be made public?
The Commission does not track such information. However, we do post our purchase orders and contracts on the Commission’s website.
13. Is the PTC required to have a secure, off site data storage facility?
Based on the data that the Commission processes, we are not required to use off-site data storage. We do, however, store and maintain backup copies of data off-site for disaster recovery purposes. Additionally, the third-party vendor that operates our E-ZPass Customer Service Center also maintains a disaster recovery site.