EXECUTIVE SUMMARY REPORT
INTRODUCTION TO THE PIA
The Department of Labor (DOL), in compliance with federal privacy laws,
regulations, and directives, is responsible for ensuring that personally
identifiable information (PII) that in-house agencies collect, store, and
transmit is properly protected.
In accordance with DOL guidelines, the Office of Workers' Compensation
Programs (OWCP) Division of Energy Employees Occupational Illness Compensation
(DEEOIC) in the Employment Standards Administration (ESA) conducted a PIA on
the Energy Case Management System (ECMS). ECMS is a major application that
provides an online case management system to support DEEOIC core business
functions in administering the Energy Employees Occupational Illness
Compensation Act (EEOICPA).
Purpose
A PIA was conducted to identify the essential components of ECMS and to
ensure that the security procedures and controls for protecting PII
collected and stored on the system are appropriate. The attached PIA documents
PII associated with DEEOIC's business processes, validates "Rules of Behavior"
for managing the collection, use, disclosure, and destruction of PII, and
provides management with a tool to make informed policy, operations, and system
design decisions based on an understanding of privacy risk and options
available for mitigating that risk.
PII that DEEOIC collects and stores on ECMS includes the claimant's name,
date of birth, social security number, home address, employee employment and
medical histories, benefit entitlement and lump sum compensation payment status
under EEOICPA, and, when applicable, data pertinent to survivorship and financial
accounts. In some instances, information on claimant benefit offsets, debts,
legal matters, and litigation issues may be stored on the system.
Scope
The scope of the attached PIA focuses on assessing the privacy of
information DEEOIC collects and tracks on ECMS regarding claimant eligibility
for lump sum compensation and medical benefits under the EEOICPA.
ECMS resides on a centralized server in the DOL/ESA computer room.
Authorized DEEOIC staff in Washington, D.C. and district offices located in
Cleveland, Ohio; Jacksonville, Florida; Denver, Colorado; and Seattle,
Washington may enter, modify, delete, and/or query data on ECMS.
ECMS has no direct connectivity with other systems, and there is no
public access to the system. Access to ECMS is restricted to authorized DEEOIC
Federal and contract support staff only. PII stored on ECMS concerning claimant
entitlement and benefit payment status is available, but restricted and
controlled in accordance with various laws, regulations, and directives.
Claimant information is available via electronic mail (e-mail), telephone, and
in paper format to Congress, public interest groups, the media, and other
interested parties such as claimant representatives. PII is shared/exchanged
with health care providers, the Department of Treasury, Department of Energy,
Department of Justice, the Social Security Administration, and the Department
of Health & Human Resources in connection with claims adjudication,
processing, and/or generation of EEOICPA benefit payments.
Disclosure of claimant information is available to other entities such
as consumer reporting agencies, credit bureaus, state and local agencies, and
safety and health programs in accordance with relevant laws. A comprehensive
list of routine uses of records maintained in the system, categories of users,
and purpose is included in the Privacy Act Systems of Records published in 67
Federal Register 16891, April 8, 2002.
PIA Approach
The Office of Workers' Compensation Programs (OWCP) consulted with the
Office of Management, Administration, and Planning's Division of Information
Technology Management and Services to gain an understanding of the business and
legislative drivers for conducting PIAs. Based on OWCP's understanding that
conducting PIAs is a shared management responsibility, DEEOIC performed a
high-level review of the assessment questions to formulate a PIA team.
The DEEOIC Computer Security Officer conducted the attached PIA,
consulting with DEEOIC's Branch of Policies, Regulations & Procedures and
other program IT support staff as needed. The OWCP IT Support Coordinator was
also consulted regarding interpretation of some of the questions. DEEOIC used
the questionnaire the DOL Office of the Chief Information Officer provided for
conducting the assessment.
Results
Based on the Privacy Impact Assessment Questionnaire, DEEOIC has not
discovered any discrepancies.
Summary
DOL/ESA/OWCP/DEEOIC protects an individual's right to privacy and
supports the Privacy Act of 1974, Financial Privacy Act of 1978, and Health
Insurance Portability and Accountability Act of 1996, and laws governing
Management of Federal Information Resources.
The OWCP will ensure continuity of core business processes in the event
of a catastrophic event. The detailed Privacy Impact Assessment Questionnaire
in Section 2 provides details to substantiate DEEOIC's findings.