ESA-Office of Federal Contract Compliance Programs (OFCCP) Information System (OFIS)

Employment Standards Administration (ESA) Office of Federal Contract Compliance Programs Information System (OFIS) 2009

Abstract

The OFCCP Information System, also known as OFIS, is the Office of Federal Contract Compliance Programs (OFCCP) Major Application (MA). OFIS was developed between FY 1997 through FY 1999 and has been operational since FY 2000.

The OFIS is an automated tool used to collect data, track, plan, & report on Compliance Evaluations & Complaint Investigations that the OFCCP conducts to ensure the EEO Laws that the program administers are enforced. The OFIS is composed of the Case Management System (CMS) which is the Data Collection module, the Executive Information System (EIS) which is the Report Generation module, and the OFIS Administration Module (OFADM).

The Privacy Impact Assessment (PIA) is being conducted due to the fact that Personally Identifiable Information (PII) is collected as part of conducting Complaint Investigations received from employees annually.

Overview

The Office of Federal Contract Compliance Programs (OFCCP) is part of the U.S. Department of Labor's Employment Standards Administration. It has a national network of six Regional Offices, each with District and Area Offices in major metropolitan centers. OFCCP administers and enforces laws pertaining to Federal Government contractors complying with federal Equal Employment Opportunity (EEO) laws and mandates.

The OFCCP promotes Federal contractor compliance with equal employment opportunity (EEO) and affirmative action laws during the performance, and is subject to Federal contract provisions. Through the mandated authorities, the OFCCP enforces non-discrimination and equal opportunity standards for all individuals, including women, minorities, Vietnam era veterans and persons with disabilities.

The OFCCP monitors compliance with these equal employment opportunity and affirmative action requirements primarily through compliance evaluations, during which, a compliance officer examines the contractor's affirmative action program and investigate virtually all aspects of employment. OFCCP also investigates complaints filed by individuals alleging discrimination on the basis of race, color, sex, religion, national origin, disability or veteran's status.

To help contractors understand their contractual obligations for EEO and affirmative action, OFCCP provides technical assistance. Staff from district offices offers guidance to contractors on how to develop affirmative action programs and what to expect during a compliance evaluation. Compliance assistance is provided through company seminars, training programs held in conjunction with industry liaison groups, and one-on-one consultations.

There are two typical transactions that are conducted and recorded within the OFIS.

The first is the Compliance Evaluation Case Record. This type of Case Record is comprised of information associated with the events that occur during evaluation process of a Federal Contractor Facility.

The second is the Complaint Investigation Case Record. This type of Case Record is comprised of information associated with the events that occur during investigation process of an individual(s) who may file a "Compliant of Discrimination in Employment" related to a company which holds a Federal contract.

The OFIS does not maintain any "Interconnections" to other information system (either internally or externally) for the purpose of sharing information electronically.

The OFIS is composed of three modules: (1) the Case Management System (CMS); (2) the Executive Information System (EIS); (3) the OFIS Administration Module (ADM). The primary functions of these modules are:

The CMS is the primary data collection component of the OFIS. It provides our User Community with essential progress tracking tools and an automated method of recording compliance evaluation and complaint investigation milestones.
The EIS is the primary report generation component of the OFIS. It provides the User Community with Data Visualization and Standard Report Generation tools that access data reported through the CMS.
The ADM is the User Administration component of the OFIS. It provides the ability to create, modify, and remove (delete) user access privileges, as requested by OFCCP Management, for all designated members of the OFIS User Community.

Introduction

The OFCCP is a Program Office of the U.S. Department of Labor's Employment Standards Administration that promotes Federal contractors compliance with equal employment opportunity (EEO) and affirmative action laws during the performance, and is subject to Federal contract provisions. Through the authorities mentioned below, the OFCCP enforces non-discrimination and equal opportunity standards for all individuals, including women, minorities, Vietnam era veterans and persons with disabilities:

AMERICANS WITH DISABILITIES ACT OF 1990
EXECUTIVE ORDER (EO) 11246
SECTION 503 OF THE REHABILITATION ACT OF 1973, as amended
38 USC 4212 — THE VIETNAM ERA VETERANS' READJUSTMENT ASSISTANCE ACT OF 1974
NOTICE OF EMPLOYEE RIGHTS CONCERNING PAYMENT OF UNION DUES — EO 13201
MONITORING CONTRACT COMPLIANCE
COMPLIANCE ASSISTANCE

OFCCP supports its core business through the operation and administration of the OFIS major application. This Privacy Impact Assessment will evaluate the effectiveness of the OFIS Application in protecting the privacy information during system operation.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

This information system does not collect PII on DOL employees, Federal employees, foreign citizens or minor children. PII is collected, on a voluntary basis from the public (through the Complaint Investigation process) and also on representatives of the Federal Contractor Community (the Compliance Evaluation process).

What are the sources of the PII in the information system?

The sources of the PII for the Compliance Evaluation process are information collected through the receipt of the Affirmative Action Plan (AAP), which is submitted by the Federal Contractor Facility. This submission is mandated by OFCCP Regulation/Policy. Information is also collected from the Point of Contact (POC) identified as a part of the Compliance Evaluation process conducted on the Federal Contractor Facility.

The sources of PII for the Complaint Investigation process are the information, which is voluntarily submitted by the public, when initiating a Complaint of Discrimination Under Federal Contracts to the OFCCP. This information is collected either electronically, through the use of OFCCP Form CC-4 or manually using the same form.

What is the PII being collected, used, disseminated, or maintained?

The PII that is collected as a part of Compliance Evaluation process are the following:

First Name, Middle Initial and Last Name of the primary Point of Contact (POC) for the Contractor Facility being evaluated.
The POC's official title, if known.
The POC's business telephone number.
The POC's business telephone number extension, if applicable.
The POC's E-Mail Address.

The PII that is collected as a part of Complaint Investigation process are the following:

First Name, Middle Initial and Last Name of the Complainant who files the complaint.
The Street Address, City, State and Zip Code of the Complainant who files the complaint.
First Name, Middle Initial and Last Name of the primary Point of Contact (POC) for the Contractor Facility being investigated.
The POC's official title, if known, for the Contractor Facility being investigated.
The POC's business telephone number for the Contractor Facility being investigated.
The POC's business telephone number extension, if applicable.
The POC's E-Mail Address for the Contractor Facility being investigated.

How is the PII collected?

PII for the Compliance Evaluation is collected from the POC identified as a part of the Compliance Evaluation process conducted on the Federal Contractor Facility.

PII for the Complaint Investigation is collected either electronically, through the use of OFCCP Form CC-4 or manually using the same form.

How will the information be checked for accuracy?

The data collected is checked for accuracy and verified by the OFCCP Compliance Officer User Community and the OFCCP Regional and District Office Management.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

The legal authority, arrangement, and or agreements that define and provide for the collection of this information from the OFCCP Federal Contractor Community is provided in the Code of Federal Regulations (CFR), Title 41 (Public Contracts and Property Management), Chapter 60 (Office of Federal Contract Compliance Programs, Equal Employment Opportunity, Department of Labor). This and other OFCCP Laws and Regulation information is available for review from our Internet Web Site at OFCCP Laws and Regulations.

Privacy Impact Analysis

The risks that are identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The primary OFCCP User Community that has direct access to this information is the Compliance Officer Community. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

Inappropriate Use of the PII Collected
Failure to Secure any Hardcopy Documents on which the PII Appears

The mitigations actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

Establish and Provide Secure Access to the OFCCP Information System (OFIS)
Establish and Provide Secure Access to all OFCCP Office Locations
Establish and Provide Secure Storage of Hardcopy Documents in OFCCP Office Locations
Conduct Training (Annually) on OFCCP Employees' Responsibilities for Protection all Information Received (electronic and non-electronic) from Federal Contract Facilities
Provide for the Proper Disposal (Shredding and/or Burning) of all Hardcopy Documents prior to Disposal and/or for the Destruction of all Electronic Portable Media (CDs, USB Drives, Memory Cards, etc.) Received or Used during the Investigative Processes conducted in the OFCCP. This includes the acquisition and use of Shredding Devices at all OFCCP Office Locations.

Uses of the PII

Describe all the uses of the PII

The PII that has been identified is intended for the direct use of the Compliance Officer(s) who may be assigned the responsibility of conducting either the Compliance Evaluation or Complaint Investigation which may require the collection of the identified PII. While this PII is collected through the OFIS, it is not included as data on the majority of Report Generation tools accessible to End Users of this information System. With the Exception of the PII collected during the Complaint investigation process, this information does not appear on any of the pre-formatted reports that are available within the OFIS.

The PII for both Compliance Evaluations and Complaint Investigations conducted by the OFCCP is intended for the direct use of the Compliance Officer(s) designated with the investigative activity and to also inform the constituent of the progress of the evaluation/investigation. It also serves as a communication medium for information exchange during the investigative process conducted by the designated Compliance Officer(s).

What types of tools are used to analyze data and what type of data may be produced?

There are no analytical tools which are made available to our User Community for the purpose of performing analysis related to the identified PII. No qualitative or quantitative data is generated from the identified PII collected through the OFIS.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No qualitative or quantitative data is generated from the identified PII collected through the OFIS.

If the system uses commercial or publicly available data, please explain why and how it is used.

Not Applicable.

Privacy Impact Analysis

This explanation is repeated throughout the document, but a separate analysis discussion for each section is required.

Inappropriate Use of the PII Collected
Failure to Secure any Hardcopy Documents on which the PII Appears

The mitigations actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

Establish and Provide Secure Access to the OFCCP Information System (OFIS)
Establish and Provide Secure Access to all OFCCP Office Locations
Establish and Provide Secure Storage of Hardcopy Documents in OFCCP Office Locations
Conduct Training (Annually) on OFCCP Employees' Responsibilities for Protection all Information Received (electronic and non-electronic) from Federal Contract Facilities
Provide for the Proper Disposal (Shredding and/or Burning) of all Hardcopy Documents prior to Disposal and/or for the Destruction of all Electronic Portable Media (CDs, USB Drives, Memory Cards, etc.) Received or Used during the Investigative Processes conducted in the OFCCP. This includes the acquisition and use of Shredding Devices at all OFCCP Office Locations.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

The following information is derived from the OFCCP Record Retention Plan which has been approved and is currently in use with the National Archives and Records Administration (NARA):

a. ELECTRONIC RECORD MEDIA

THE OFIS DATABASE (Master File). This mission-critical database contains information on compliance and complaint investigations conducted by the OFCCP. This information is for both historical investigations and ongoing investigations. There is also a disaster recovery procedure in place. The information in the OFIS Database must adhere to the established impact criteria described below:

Data Confidentiality: Medium to High

Data Integrity: Medium to High

Data Availability: Low

PRIVACY RESTRICTIONS: YES

ARRANGEMENT OF DATA. Data is available in the OFIS database for reporting purposes according to the following structure:

Nationwide Scope

Regional Office Scope

District Office Scope

Electronic Media Volume: 2 CDs

Annual Accumulation: Less than 1 Data Cartridge

PRIVACY RESTRICTIONS: YES

DISPOSITION: PERMANENT. Cutoff period — 5 calendar years. Transfer to the NARA every 5 calendar years in a format acceptable to NARA at time of transfer.

b. OUTPUT RECORDS (Paper Documents)

Case File Documents (Forms) - Computer generated forms provided by this system are used as part of the official case file.

PRIVACY RESTRICTIONS: YES

DISPOSITION: TEMPORARY. Cut off file at end of calendar year. Hold in office and destroy when seven calendar years old.

Hard Copy Reports - Management reports generated by this system are provided when requested. These Reports are then retained by the requesting office (National, Regional, or District).

DISPOSITION: TEMPORARY. Cut off file at end of calendar year and hold in office. Transfer three calendar years after cut off to FRC. Destroy when seven calendar years old.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

Yes.

Privacy Impact Analysis

Inappropriate Use of the PII Collected
Failure to Secure any Hardcopy Documents on which the PII Appears

The mitigations actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

Establish and Provide Secure Access to the OFCCP Information System (OFIS)
Establish and Provide Secure Access to all OFCCP Office Locations
Establish and Provide Secure Storage of Hardcopy Documents in OFCCP Office Locations
Conduct Training (Annually) on OFCCP Employees' Responsibilities for Protection all Information Received (electronic and non-electronic) from Federal Contract Facilities
Provide for the Proper Disposal (Shredding and/or Burning) of all Hardcopy Documents prior to Disposal and/or for the Destruction of all Electronic Portable Media (CDs, USB Drives, Memory Cards, etc.) Received or Used during the Investigative Processes conducted in the OFCCP. This includes the acquisition and use of Shredding Devices at all OFCCP Office Locations.
Data maintained by the system is retained in accordance with a schedule mandated by OFCCP and Federal records management
The data that is maintained has the appropriate safeguards to protect its integrity and to prohibit unauthorized disclosure while in retention.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

The identified is collected through our Regional, District and Area Office locations. This data is shared with employees of the National Office, as required, and also with employees throughout our various field office locations. This information is available/transmitted internally via our major applications (OFIS). This information is accessible through various reports which are available through OFIS. The type(s) of PII that are primarily shared are Name and Address information collected as part of our complaint investigation process.

How is the PII transmitted or disclosed?

The identified PII is transmitted internally between the OFCCP Regional/District/Area Offices and the National Office through the OFIS. This information is transmitted electronically and is only disclosed to those employees on a "Need-To-Know" basis.

Privacy Impact Analysis

Inappropriate Use of the PII Collected
Failure to Secure any Hardcopy Documents on which the PII Appears

The mitigations actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

Establish and Provide Secure Access to the OFCCP Information System (OFIS)
Establish and Provide Secure Access to all OFCCP Office Locations
Establish and Provide Secure Storage of Hardcopy Documents in OFCCP Office Locations
Conduct Training (Annually) on OFCCP Employees' Responsibilities for Protection all Information Received (electronic and non-electronic) from Federal Contract Facilities
Provide for the Proper Disposal (Shredding and/or Burning) of all Hardcopy Documents prior to Disposal and/or for the Destruction of all Electronic Portable Media (CDs, USB Drives, Memory Cards, etc.) Received or Used during the Investigative Processes conducted in the OFCCP. This includes the acquisition and use of Shredding Devices at all OFCCP Office Locations.

OFIS data is shared with other internal organizations and there are no safeguards in place to ensure that the information is protected during transmission. However, there are controls to restrict access to and to limit permissions to users. In addition, privacy training is also provided to users of the system. Further, individuals are permitted the opportunity to decline to provide their information.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

Is the sharing of PII outside the Department compatible wlith the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

How is the information shared outside the Department and what security measures safeguard its transmission?

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

Privacy Impact Analysis

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

The following information is provided to the public (and is included on the CC-4 Form) used to initiate complaint investigations received by the OFCCP.

Instructions: Before completing this form, please read all instructions, including the Privacy Act statement below. Use this form to file a complaint of discrimination in employment under any of the OFCCP programs. Note: Persons are not required to respond to this collection of information unless it displays a currently valid OMB control number.

Privacy Act Notice:

The authority for collecting this information is Executive Order 11246, as amended; Sec. 503 of the Rehabilitation Act of 1973, as amended; the Vietnam Era Veterans' Readjustment Assistance Act of 1974, as amended, 38 U.S.C. 4212; Title VII of the Civil Rights Act of 1964, as amended; and/or Title I of the American with Disabilities Act of 1990, as amended (ADA). This information is used to process complaints and conduct investigations of alleged violations of the above Order or Acts. We will provide a copy of this complaint to the employer against whom it is filed and, when matters alleged are covered by Title VII and/or ADA, to the U.S. Equal Employment Opportunity Commission (EEOC). The information collected may be verified with others who may have knowledge relevant to the complaint. It may be used in settlement negotiations with the employer or in the course of presenting evidence at a hearing, or may be disclosed to other agencies with jurisdiction over the complaint. Providing this information is voluntary; however, failure to provide the information will restrict the action that the Department of Labor can take on your behalf and, for matters covered by Title VII or the ADA, may affect your rights to sue under those laws.

Do individuals have the opportunity and/or right to decline to provide information?

Yes. There is no regulatory requirement which mandates the collection of the identified PII, either for compliance evaluations or complaint investigations conducted by the OFCCP.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

An individual has the right to consent to the collection of data (since this data collection is a voluntary component of the compliance evaluation and/or complaint investigation process, but there is no process/procedure currently in place within the OFCCP which defines a "Consent Requirement" for a particular use of the PII collected.

Privacy Impact Analysis

This Notice is provided to either the POC for the Federal Contractor and/or the Complainant during direct contact with the OFCCP Compliance Officer responsible for conducting the compliance evaluation/complaint investigation. Submission of the identified PII by representatives/parties as a part of either investigative process is voluntary and this information is communicated by the Compliance Officer assigned to the investigation and also is provided in writing prior to the collection of PII.

Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

For the identified PII related to compliance evaluation case record, the requestor is to inquire to the Compliance Officer(s) assigned to conduct the compliance evaluation of the Federal Contractor Facility, regarding access to the identified PII collected during this process.

For the identified PII related to the complaint investigation case record, the Respondent is provided with a copy of the CC-4 Form during the initial meeting with the Compliance Officer(s) assigned to conduct the complaint investigation of the Federal Contractor Facility. The identified PII is entered in the OFIS from the information collected on the CC-4 Form.

What are the procedures for correcting inaccurate or erroneous information?

Upon identification/notification of the identified PII, whether associated with either a compliance evaluation or complaint investigation case record, the assigned Compliance Officer is responsible for correcting inaccuracies with the identified PII prior to the completion of the compliance evaluation or complaint investigation.

How are individuals notified of the procedures for correcting their information?

This process is currently provided to individuals verbally, by the Compliance Officer(s) assigned to conduct the evaluation/investigation under which the identified PII is collected.

If no formal redress is provided, what alternatives are available to the individual?

Please see above statement.

Privacy Impact Analysis

Currently, there is only one known privacy risk associated with individuals with respect to the redress processes described above. This risk is not directly related to the OFIS, but rather, to the "Ethical Standard" under which OFCCP Employees perform the mission of the Program. To mitigate this risk, the OFCCP continues to provide the appropriate training to all employees regarding their conduct while in the Federal service and their obligation to protect all information collected by the Federal government, as mandated.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

There are Access Control/Account Management procedures which are currently in place that describe the technical safeguards and security measures for ensuring access to the OFIS is managed and monitored.

Will Department contractors have access to the system?

IT Contractor Support personnel have access only to the Development and Testing portions of the OFIS. Due to IT Security mandates, access to the OFIS Production Environment is not provided to our IT Contractor Support personnel.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

All OFCCP Employees are encouraged to attend Privacy Act training annually. This training is mandatory for all OFCCP Management. In addition, all OFCCP IT Employees are encouraged to participate in the On-Line Training Course "Records Management for Everyone", which is provided by the NARA and available from their Internet Web Site. OFCCP Employees are also encouraged to attend other Records Management training courses provided by the NARA.

What auditing measures and technical safeguards are in place to prevent misuse of data?

There currently no auditing measures or technical safeguards employed within the OFCCP to prevent the misuse of the identified PII collected, other than the training and physical security measures mentioned above.

Privacy Impact Analysis

Inappropriate Use of the PII Collected
Failure to Secure any Hardcopy Documents on which the PII Appears

The mitigations actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

Establish and Provide Secure Access to the OFCCP Information System (OFIS)
Establish and Provide Secure Access to all OFCCP Office Locations
Establish and Provide Secure Storage of Hardcopy Documents in OFCCP Office Locations
Conduct Training (Annually) on OFCCP Employees' Responsibilities for Protection all Information Received (electronic and non-electronic) from Federal Contract Facilities
Provide for the Proper Disposal (Shredding and/or Burning) of all Hardcopy Documents prior to Disposal and/or for the Destruction of all Electronic Portable Media (CDs, USB Drives, Memory Cards, etc.) Received or Used during the Investigative Processes conducted in the OFCCP. This includes the acquisition and use of Shredding Devices at all OFCCP Office Locations.

While there are no auditing measures in place to protect the PII in the system, there are technical safeguards that restrict access to the system as previously mentioned. In addition, Users of the systems have been adequately trained in the use and administration of privacy information.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

The OFIS is currently operating in the "Steady State" phase of its System Development Life Cycle. This information system was development and is currently operated in compliance with the Department's SDLC methodology.

Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

No. This Information System does not employ any technology which may raise privacy concerns.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

The Office of Federal Contract Compliance Programs (OFCCP} has completed the PIA for the OFCCP Information System (OFIS) which is currently in operation. The OFCCP has determined that the safeguards and controls for this moderate system adequately protect the information.

The Office of Federal Contract Compliance Programs (OFCCP} has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.