Civil Money Penalty 2001 (CMP-2001) 2009
Abstract
The Wage and Hour Division (WHD) is a Program Office of the Employment Standards Administration (ESA), an agency of the U.S. Department of Labor (DOL). The Civil Money Penalty 2001 (CMP-2001) is an automated data processing system developed for ESA to standardize Civil Money Penalty (CMP) processes throughout the country, consolidate debt collection activities in the Regional Offices (RO), implement procedures for charging interest and penalties, negotiate Agreements, and issue Final Orders. This Privacy Impact Assessment is being conducted because CMP-2001 contains personally identifiable information (PII).
Overview
The WHD CMP-2001 application is used to facilitate the collection of civil money penalties that are levied against employers who violate laws enforced by WHD. The CMP-2001 application automatically accepts CMP cases from the Wage and Hour Investigative Support and Reporting Database (WHISARD) application and provides DOL staff in the RO with the capability of researching case information, logging checks into and out of the RO, processing payments, processing deposits, managing debts to the U.S. Treasury, disbursing overpayments back to the employer, printing letters, generating reports, and setting up and calculating installment plans.
The data used by CMP-2001 is part of the overall WHISARD database, which consists of a DB2 database and several different executables that access parts of the database. The WHISARD database itself contains several hundred tables, some of which are used only by CMP-2001.
The CMP-2001 supports the DOL Strategic Plan 2006-2011, Strategic Goal 3 - Safe and Secure Workplaces, Performance Goal 3C - Ensure Workers Receive the Wages Due Them. The collection of civil money penalties through CMP-2001 deters future violations and furthers the WHD mission of increased compliance, particularly in low-wage industries, of the statutes the WHD is mandated to enforce.
Introduction
The WHD within the Department of Labor (DOL) Employment Standards Administration (ESA) is responsible for administering and enforcing some of our nation's most comprehensive labor laws, including: the minimum wage, overtime, and child labor provisions of the Fair Labor Standards Act (FLSA); the Family and Medical Leave Act (FMLA); the Migrant and Seasonal Agricultural Worker Protection Act (MSPA); worker protections provided in several temporary visa programs; and the prevailing wage requirements of the Davis-Bacon Act (DBA) and the Service Contract Act (SCA). CMP-2001 supports WHD in meeting its core business functions. This Privacy Impact Assessment evaluates the effectiveness of the CMP-2001 application in protecting privacy information during system operation. In addition, it demonstrates the adequacy of the protection of the confidentiality and integrity of the Personally Identifiable Information (PII) collected during operation of the WHISARD systems.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
CMP-2001 collects Personally Identifiable Information (PII) on members of the public (U.S. Citizens) and foreign citizens.
- What are the sources of the PII in the information system?
- What is the PII being collected, used, disseminated, or maintained?
- How is the PII collected?
- How will the information be checked for accuracy?
- What specific legal authorities, arrangements, and/or agreements defined the collection of information?
- Privacy Impact Analysis
The PII is collected directly from individuals who are the target of a Wage Hour investigation for the possible violation of certain labor laws in the workplace and who have been assessed penalties for violations under one or more of eleven different labor law categories.
The following information is collected, used, disseminated or maintained by CMP-2001:
- Name
- Phone Numbers
- Employer Identification Number (EIN) or Social Security Number, but only when an EIN does not exist
- Business address
- Mailing Address
- Business Phone
- Business e-mail address
- Residential address
PII is collected during the course of an investigation into the possible violation of certain labor laws in the workplace which WHD enforces, and is collected directly from the employer who is the target of such an investigation. The PII is normally provided on paper-based source documents submitted as evidence during the investigation.
PII is collected directly from the employer who is the target of the investigation and is therefore assumed to be correct. However, where circumstances call the accuracy of the information into question, verification is performed using tax records and public records.
The CMP-2001 system supports the following labor laws in the workplace:
- FLSA (Fair Labor Standards Act - Section 6&7 Minimum Wage and Overtime)
- Child Labor
- MSPA (Migrant and Seasonal Agricultural Worker Protection Act)
- FMLA (Family Medical Leave Act)
- EPPA (Employee Polygraph Protection Act)
- H-1A (Provisions of the Immigration Nursing Relief Act)
- H-1B (Provisions of the Immigration Naturalization Act)
- H-2A (Provisions of the Immigration Reform Control Act of 1990)
- Homeworker (Provisions of the Fair Labor Standards Act)
- CREW (Longshore) (Provisions of Immigration and Naturalization Act)
While PII is collected, only the minimum necessary to accomplish the mission is recorded, and the affected employees and/or employers are directly involved in the collection process.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
- Describe all the uses of the PII
- What types of tools are used to analyze data and what type of data may be produced?
- Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
- If the system uses commercial or publicly available data, please explain why and how it is used.
- Privacy Impact Analysis
CMP-2001 is designed to collect and track civil money penalties that are levied against employers who violate certain labor laws in the workplace. A Social Security Number is collected by CMP-2001 only when the employer has no EIN, and when collected it is used only for the purpose of transferring debts to the U.S. Treasury for collection and disbursing overpayments received from employers.
There are no customized or specialized tools that are used to analyze data on Wage and Hour cases.
No, CMP-2001 is not designed to derive new information or create previously unavailable data about individuals.
This system does not use commercial or publicly available data.
The PII collected is used only for a very specific and limited purpose. It is not used for any form of analysis, nor is any data derived from PII collected by CMP-2001.
Retention
The following questions are intended to outline how long information will be retained after the initial collection.
- How long is information retained in the system?
- Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
- Privacy Impact Analysis
In accordance with WHD record retention schedule NN-160-43, records are retained for a minimum of 12 years. Electronic records are electronically archived; data tapes are retained for 25 years.
Printed information generated by this system and retained in a Wage-Hour office is disposed of as set out in System of Records Notice (SORN) DOL/ESA-36, which further enhances this guidance: printed information concerning cases where violations were found is disposed of 12 years after the date the case is closed; for cases where no violations were found, printed information is disposed of three years after the closing date.
WHD record retention schedule NN-160-43 has been approved by the DOL agency records officer and the National Archives and Records Administration (NARA). It should be noted that new schedules have been submitted to NARA for approval.
Data is retained in strict accordance with WHD record retention schedule NN-160-43 and SORN DOL/ESA-36. Safeguards are in place for the data stored in the WHISARD database as well as for the archived data, which is maintained off-site in a vendor-provided secure storage facility that meets or exceeds federal standards for physical access control.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
- With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
- How is the PII transmitted or disclosed?
- Privacy Impact Analysis
PII is not shared with any internal organization.
The CMP-2001 system does not transmit or disclose PII to any internal organization.
There is no privacy impact from internal sharing because the CMP-2001 system does not transmit, share or disclose PII to any internal organization.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
- With which external organization(s) is the PII shared, what information is shared, and for what purpose?
- Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
- How is the information shared outside the Department and what security measures safeguard its transmission?
- Privacy Impact Analysis
PII is shared with the following external organizations:
- The U.S. Treasury Debt Management System receives information on referred debts due the Government.
- The U.S. Treasury Secure Payment System (SPS) is used to submit requests for the issuance of checks due to overpayment of penalties.
Yes, sharing of PII outside of DOL complies with SORN DOL/OCFO-2. WHD has developed a SORN for WHFAS that is published by the SOL. CMP-2001 is covered under the existing SORN for DOLAR$.
WHD shares information directly with the Department of the Treasury via a vendor-provided product that uses a proprietary protocol and an encryption method compliant with Federal Information Processing Standard (FIPS) 140-2.
WHD also shares information directly with the Department of the Treasury via its Secure Payment System (SPS), which is secured using a FIPS 140-2 validated Secure Sockets Layer (SSL) implementation.
PII is shared with the Department of the Treasury only for the purposes of collecting debts owed the government and issuing checks due to overpayments. Two different methods are used to accomplish these communications, and both are protected by FIPS 140-2 validated encryption solutions. No other information is shared electronically from CMP-2001. Memoranda of Understanding (MOU) and Interconnection Service Agreements (ISA) are in place between ESA and the Treasury that govern the electronic transfer of data.
Notice
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
- Was notice provided to the individual prior to collection of PII?
- Do individuals have the opportunity and/or right to decline to provide information?
- Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
- Privacy Impact Analysis
Yes. CMP-2001 collects information only on employers, and it is provided directly to the WHD investigator by the employer who is the subject of the investigation. Notice to individuals is not provided since CMP-2001 does not collect PII on individuals.
Yes. The employer has both the opportunity and the right at any time to decline to provide information. This does not apply to individuals since CMP-2001 does not collect PII on individuals.
No. Information is collected as a result of an investigation. It is used only for identifying the employer who is the target of the investigation and subject of the Civil Money Penalty. Due to the limited nature of its use, individuals are not provided an option for consenting to this use of the information.
Due to the fact that the PII being collected is done so with the full knowledge and cooperation of the owners of that information, risk to privacy is greatly reduced.
Access, Redress, and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
- What are the procedures that allow individuals to gain access to their information?
- What are the procedures for correcting inaccurate or erroneous information?
- How are individuals notified of the procedures for correcting their information?
- If no formal redress is provided, what alternatives are available to the individual?
- Privacy Impact Analysis
There are no procedures to allow employers to gain access to their information. The CMP-2001 application is an internal system that is accessed only by WHD employees or contractors for the purpose of conducting investigations and to assess Civil Money Penalties. Access to the public is not allowed.
Information is received directly from the employer who is the target of the investigation. For this reason, it is assumed that the information is correct and accurate.
Information is collected during the conduct of an investigation. It is used only for identifying the employer who is the target of the investigation and subject of the Civil Money Penalty. Due to the limited nature of its use, individuals are not provided an option for consenting to this use of the information.
The publication of SORN DOL/ESA-36 addresses the procedure for correcting or updating information that is gathered. Individuals wishing to contest or amend any records should direct their request to the appropriate regional office. Such inquiries should include the full name of the requester and the date and amount of assessment. Information about district and regional offices for Wage Hour can be found at http://www.dol.gov/whd/ on the internet or by contacting the disclosure officer at the following address:
Administrator, Wage and Hour Division,
Room S-3502, Frances Perkins Building
200 Constitution Avenue, NW, Washington, DC 20210
PII collected during the conduct of an investigation is used only for identifying the employer who is the target of the investigation and subject of the Civil Money Penalty. Because it is an investigation into their potential violation of certain labor laws, employers are not provided access to their information, nor do they have a right to consent. CMP-2001 does not collect PII on individuals.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
- What procedures are in place to determine which users may access the system and are they documented?
- Will Department contractors have access to the system?
- Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
- What auditing measures and technical safeguards are in place to prevent misuse of data?
- Privacy Impact Analysis
Procedures are in place that must be followed before allowing users access to the system. The process is designed to comply with the principles of least privilege and separation of duties as follows.
All DOL employees and contractors must undergo at a minimum a standard DOL background check. Users of the system must first complete the process for requesting and obtaining a DOL network account. Next, they must complete and submit the appropriate Wage Hour request form, which identifies the system to which access is being requested along with their proposed role and/or privileges. All requests for system access must be approved by the user's supervisor and the System Owner (SO) or SO representative. Separation of duties is enforced by requiring actions by both ESA/DITMS account managers and WHD account administrators to complete the process before user access to the system is granted.
Yes, WHD contractors will have access to the system if required based on their assigned duties.
WHD employees are trained to protect individual PII as part of the Computer Security Awareness Training (CSAT) and are required to agree to the DOL Rules of Behavior. In addition all new WHD investigators and support staff are trained to safeguard information as part of their Basic Training.
Event logs are being used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.
WHD users must first log in to the DOL/ESA network; only then is it possible to log in to CMP-2001, which requires a separate ID and password. Event logs are designed to capture detailed information pertaining to both of these account activities as well as others such as establishing, activating, modifying, reviewing, disabling, and removing accounts. These logs are reviewed monthly by management in an effort to detect any unusual or unauthorized activity.
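The two controls above (separation of duties between the ESA/DITMS network-account step and the WHD CMP-2001 account step, and the monthly management review of account-management and logon events) are the kind of thing a reviewer would script rather than eyeball. The following is an added example, not CMP-2001's own code or log format: the pipe-delimited event format, the event names and every account name are constructed for illustration. It parses a month of constructed events and flags four conditions the text implies should never appear: one person performing both provisioning steps for the same account, an administrator acting on their own account, a CMP-2001 logon with no preceding DOL/ESA network logon that day, and a logon to an account after it was disabled.

```python
"""Monthly review of account-management and logon events.

Added example, not CMP-2001 code. The log format (timestamp | system | event |
actor | target), the event names and the account names are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log for one review period (hypothetical format and names).
SAMPLE_LOG = """\
2009-03-02T08:55:10 | NETWORK  | ACCOUNT_CREATED  | ditms.jones | jsmith
2009-03-02T09:10:42 | CMP-2001 | ACCOUNT_CREATED  | whd.admin1  | jsmith
2009-03-02T09:30:00 | NETWORK  | LOGON            | jsmith      | jsmith
2009-03-02T09:31:15 | CMP-2001 | LOGON            | jsmith      | jsmith
2009-03-05T14:02:00 | NETWORK  | ACCOUNT_CREATED  | whd.admin1  | rlee
2009-03-05T14:03:30 | CMP-2001 | ACCOUNT_CREATED  | whd.admin1  | rlee
2009-03-06T07:45:00 | CMP-2001 | LOGON            | rlee        | rlee
2009-03-09T10:00:00 | CMP-2001 | ACCOUNT_MODIFIED | whd.admin2  | whd.admin2
2009-03-12T16:20:00 | CMP-2001 | ACCOUNT_DISABLED | whd.admin1  | jsmith
2009-03-13T08:00:00 | NETWORK  | LOGON            | jsmith      | jsmith
2009-03-13T08:01:00 | CMP-2001 | LOGON            | jsmith      | jsmith
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    system: str   # "NETWORK" (ESA/DITMS) or "CMP-2001" (WHD)
    event: str
    actor: str    # who performed the action
    target: str   # the account acted upon


def parse_log(text: str) -> list[Event]:
    """Parse the constructed format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or not parts[0]:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append(Event(ts, *parts[1:]))
    return sorted(events, key=lambda e: e.ts)


def check_separation_of_duties(events: list[Event]) -> list[str]:
    """The network-account and CMP-2001-account steps must be done by different people."""
    creators: dict[str, dict[str, str]] = defaultdict(dict)  # target -> {system: actor}
    for e in events:
        if e.event == "ACCOUNT_CREATED":
            creators[e.target][e.system] = e.actor
    return [f"SEPARATION_OF_DUTIES: {t} provisioned on both systems by {a['NETWORK']}"
            for t, a in creators.items()
            if "NETWORK" in a and "CMP-2001" in a and a["NETWORK"] == a["CMP-2001"]]


def check_self_administration(events: list[Event]) -> list[str]:
    """An administrator establishing, modifying or removing their own account."""
    return [f"SELF_ADMINISTRATION: {e.actor} performed {e.event} on own account"
            for e in events if e.event.startswith("ACCOUNT_") and e.actor == e.target]


def check_logon_chain(events: list[Event]) -> list[str]:
    """Every CMP-2001 logon must be preceded, the same day, by a network logon of that user."""
    net_logons: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e.system == "NETWORK" and e.event == "LOGON":
            net_logons[e.actor].append(e.ts)
    findings = []
    for e in events:
        if e.system == "CMP-2001" and e.event == "LOGON":
            if not any(t <= e.ts and t.date() == e.ts.date() for t in net_logons[e.actor]):
                findings.append(f"NO_NETWORK_LOGON: {e.actor} at {e.ts.isoformat()}")
    return findings


def check_disabled_account_logon(events: list[Event]) -> list[str]:
    """A logon to a CMP-2001 account after it was disabled and not re-enabled."""
    disabled: dict[str, bool] = {}
    findings = []
    for e in events:  # parse_log returns events in time order
        if e.system != "CMP-2001":
            continue
        if e.event == "ACCOUNT_DISABLED":
            disabled[e.target] = True
        elif e.event in ("ACCOUNT_ENABLED", "ACCOUNT_CREATED"):
            disabled[e.target] = False
        elif e.event == "LOGON" and disabled.get(e.actor):
            findings.append(f"DISABLED_ACCOUNT_LOGON: {e.actor} at {e.ts.isoformat()}")
    return findings


def review(text: str) -> list[str]:
    """Run all checks over one review period and return the findings for management."""
    events = parse_log(text)
    findings: list[str] = []
    for check in (check_separation_of_duties, check_self_administration,
                  check_logon_chain, check_disabled_account_logon):
        findings.extend(check(events))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports four findings: rlee was provisioned on both systems by whd.admin1, whd.admin2 modified their own account, rlee reached CMP-2001 on 2009-03-06 with no network logon that day, and jsmith logged on to CMP-2001 the day after the account was disabled. Each maps to one of the controls the text describes, which is the point of the monthly review: the logs only prevent misuse if someone checks them against the rules.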
WHD has an established Incident Response and Reporting procedure that requires users to promptly report known or suspected unauthorized use or disclosure of user-IDs and/or passwords, misuse of computer resources, security violations, or unusual occurrences to appropriate authorities.
ESA GSS has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall.
The implementation of security controls as described above represents a defense in depth approach to providing adequate protection of all sensitive information contained in the system including PII. These controls are effective in preventing unauthorized access to the system, detecting if a system has been compromised and responding to incidents in the event that a system compromise has been suspected.
Technology
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
- What stage of development is the system in, and what project development life cycle was used?
- Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.
All DOL major information systems are required to follow the computer security life cycle defined in the DOL System Development Life Cycle Management Manual (SDLCMM). Based on the SDLCMM the system is in the Operations and Maintenance Phase (Phase IV).
The CMP-2001 utilizes only standard DOL approved technologies and protocols to allow users access to the system. Technologies which could raise significant privacy concerns such as peer-to-peer file sharing, remote and web access and others are not authorized for use with this system.
Determination
- As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
The Wage and Hour Division (WHD) has completed the PIA for Civil Money Penalty 2001 (CMP-2001), which is currently in operation. WHD has determined that the safeguards and controls for this moderate system adequately protect the information.
WHD has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.