PRIVACY IMPACT ASSESSMENT QUESTIONNAIRE
Bureau of Labor Statistics (BLS) – LABSTAT FY2011
Overview
LABSTAT is the central repository of data for the Bureau of Labor Statistics and is considered the agency’s database of record. The data collected and made available to the public via the agency website is gathered from various surveys. Some of the most popular being the Consumer Price Index, National Employment Hours and Earnings, and Labor Force Statistics. Users access the database and web pages from various points through the World Wide Web (WWW) and File Transfer Protocol (FTP). The system supports the DOL Strategic Goal 5, and Outcome 1--“Provide sound and impartial information on labor market activity, working conditions, and price changes in the economy for decision making, including support for the formulation of economic and social policy affecting virtually all Americans.”
Department of Labor, BLS, Division of Enterprise Web Systems, within the Office of Technology and Survey Processing (OTSP/DEWS), provides primary Automated Information System (AIS) support for LABSTAT which is located at 2 Massachusetts Ave. NE, Rm. 5110, Washington D.C. 20212
A PIA is being necessitated for the reason that information subscribers provide their name and email address (and optionally phone number) for receiving automated news releases.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
System collects name, email address and optionally a phone number when members of the public choose to receive automated emails of BLS news releases.
- What are the sources of the PII in the information system?
Public subscription to receive automated emails of BLS news releases requires registration of email and name.
- What is the PII being collected, used, disseminated, or maintained?
Email address and name are the only information collected as part of the public user subscribing to receive automated emails of BLS news releases. As of January report, 11% of users have provided phone numbers which is no longer being gathered, but is still being maintained in the system.
- How is the PII collected?
Subscribing to receive automated emails of BLS news releases requires registration of email and name.
- How will the information be checked for accuracy?
The information is not checked for accuracy. The current practice is that subscribers notify LABSTAT of any such changes via email and we make the changes. Bounced emails get removed from the system based on implemented rules.
- What specific legal authorities, arrangements, and/or agreements defined the collection of information?
29 U.S.C. § 2, Collection, Collation, and Reports of Labor Statistics
- Privacy Impact Analysis
LABSTAT has approximately 62,500 email subscribers. The information on email subscribers is stored in a database behind the BLS public firewall. The database is not directly accessible. Subscribers may request to see their subscriptions only via an email form to the system available at http://www.bls.gov/bls/list.htm. No further action needs to be taken to ensure PII security.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
- Describe all the uses of the PII
The information collected is part of the news release subscription process used strictly to email news releases to those who have opted to receive them.
- What types of tools are used to analyze data and what type of data may be produced?
LABSTAT does not use mine the PII data held in the database. We use the standard reports and graphs that provide subscriber counts and overall subscriptions data for patterns of increasing use and popularity of certain subscriptions. No dashboard or external tools are used to extract and report on the data. Reports contain aggregated information not PII data.
- Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No.
- If the system uses commercial or publicly available data, please explain why and how it is used.
Not applicable.
- Privacy Impact Analysis
No further action needs to be taken to ensure PII security.
Retention
The following questions are intended to outline how long information will be retained after the initial collection.
- How long is information retained in the system?
LABSTAT maintains subscriber’s information until a) subscriber requests to be removed from the list and b) system removes the entry when subscription email bounces back after unsuccessful attempts based on system implemented rules.
- Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
Yes.
- What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
Please see answer above.
- How is it determined that PII is no longer required?
Please see answer above.
- Privacy Impact Analysis
There are no risks associated with having name, email address and, optionally, phone number stored in the systems being retained as long as the associated email is a valid entry. Once the email becomes invalid, the system will purge the information according to system rules.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
- With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
PII is not shared outside the agency except for aggregated metrics (e.g., number of subscribers).
- How is the PII transmitted or disclosed?
- Not applicable -- PII is neither disclosed nor transmitted
- Privacy Impact Analysis
- Not applicable and hence no further action needs to be taken to ensure PII security.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
- With which external organization(s) is the PII shared, what information is shared, and for what purpose?
No PII is shared with any external organization.
- Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
Not applicable.
- How is the information shared outside the Department and what security measures safeguard its transmission?
Not applicable.
- Privacy Impact Analysis
Not applicable and hence no further action needs to be taken to ensure PII security.
Notice
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
- Was notice provided to the individual prior to collection of PII?
Yes, privacy notice linked on News Release subscription page. - Do individuals have the opportunity and/or right to decline to provide information?
Yes - Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No. The posted privacy policy stipulates that BLS is authorized to request this information under 5 United States Code (USC) section 301. Furnishing the information on this form is voluntary; however, BLS may not be able to register you for the subscription service if you fail to do so. Any disclosure of the information on this form is in accordance with the routine uses found in the Privacy Act System of Records Notice (SORN) DOL/BLS-19.
- Privacy Impact Analysis
LABSTAT (and BLS) provide both privacy notice and privacy and security statement via links from the News Release subscription page. No further action needs to be taken to ensure PII security.
Access, Redress, and Correction
The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.
- What are the procedures that allow individuals to gain access to their information?
Currently, the only information that subscribers can view is their subscription. The system will send an email with this information if users select the feature ‘Send me a list of my subscriptions’.
- What are the procedures for correcting inaccurate or erroneous information?
There is no process to determine whether the name or email address is correct or inaccurate. The system only uses the email address. A subscriber can request our system administrators to update the information. Once an email becomes invalid, the system will purge the information according to system rules.
- How are individuals notified of the procedures for correcting their information?
Individuals are notified that the system had trouble reaching their email address. This takes care of temporary glitches with email systems. There is no other mechanism of notification, if the notification email bounces back.
- If no formal redress is provided, what alternatives are available to the individual?
Individuals seeking to change their information such as email address contact the website helpdesk.
- Privacy Impact Analysis
LABSTAT (and BLS) provide both privacy notice and privacy and security statement via links from the News Release subscription page. No further action needs to be taken to ensure PII security.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
- What procedures are in place to determine which users may access the system and are they documented?
Only persons with significant security responsibilities (System Administrators) have access to PII stored by the system.
- Will Department contractors have access to the system?
Yes, contractors that have successfully passed background investigations.
- Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
All BLS persons with the ability to access the PII, including contractors, are required to complete annual mandatory Security and Confidentiality training. These persons are also required to complete additional security training in their capacity as persons with significant security responsibilities.
- What auditing measures and technical safeguards are in place to prevent misuse of data?
Systems logs are reviewed periodically to ensure only authorized persons access information.
- Privacy Impact Analysis
PII is available to System Administrators. Review of system logs (that which audit the auditors) can be used to mitigate this risk.
Technology
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
- What stage of development is the system in, and what project development life cycle was used?
System is in maintenance phase. Standard Software development methodology was employed in introducing the system for use.
- Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
No
Determination
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
Bureau of Labor Statistics (BLS) has completed the PIA for LABSTAT which is currently in operation. BLS has determined that the safeguards and controls for this Moderate system adequately protect the information.
BLS has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.
