Office of the Chief Information Officer

E-Procurement System (EPS)

The E-Procurement System (EPS) is DOL’s Department-wide procurement system which provides all DOL agencies with the ability to submit requisitions electronically through an approval workflow.  DOL’s procurement offices receive the requisitions electronically and award procurement actions. It provides a single repository for reporting on DOL procurement data.  Section 208 of the E-Government Act of 2002 requires Federal government agencies to conduct a Privacy Impact Assessment (PIA) for all new or substantially changed technology that collects, maintains, or disseminates personally identifiable information (PII).

Overview

The core functionality of the web-based E-Procurement system can be divided into two primary areas: requisition processing and contract management.  Requisition processing will automate the entire procurement cycle for micro and small purchases from initiation of the purchase request through closeout.  The Requisition Module is provided through a customization of Commerce One’s Procurement product. Contract management functionality will support the full life cycle of a contract after receipt of the purchase request in the contracting office.  This functionality encompasses solicitation development, contract award, Federal Procurement Data System (FPDS) reporting, contract administration processes, closeout and audit support.  In addition to automating the procurement cycle, the system provides robust data reporting, administration capabilities, and FPDS reporting. The Contracting Module is provided through a commercial-off-the-shelf (COTS) product from Distributed Solutions Inc. called Automated Acquisition Management System (AAMS).

The use of EPS enables all DOL component agencies to streamline and standardize the procurement process through the development of agency-wide requirements and implementation of consistent processes and controls.  Overall, implementing EPS aims to streamline procurement processes, reduce program office and administrative burden, ensure reliable and accurate procurement related financial information, lower purchasing costs, increase productivity, create a centralized procurement database and improve customer service.

Roll-out of the EPS began in July 2003 with a limited pilot implementation.  Currently the system has 3100+ users, and full implementation throughout DOL was achieved in September 2005.  All DOL agencies use the system to submit requisitions.  The five DOL agencies with procurement authority (OASAM, Office of Inspector General (OIG), Bureau of Labor Statistics (BLS), Employee Training Administration (ETA), and Mine Safety and Health Administration (MSHA)) use the Contracting Module to award procurement actions based on the requisitions submitted from their client organizations.

Introduction

Federal agencies are required by law to ensure the protection of the personally identifiable information (PII) they collect, store, and transmit.  With a thriving digital economy, agencies are collecting larger amounts of personal information than ever before.  Instances of past abuse, misuse, and egregious errors in federal agencies’ management of personal information, combined with growing public concern about the U.S. Government’s ability to protect private information, have increased congressional scrutiny and expectations for compliance with federal privacy laws and regulations.  Protection of the vast amount of personal information the Government accumulates begins with the responsibility of federal employees at all levels and in all positions.

The Department of Labor (DOL) is responsible for ensuring proper protections of the information contained within its information systems, including PII.  To that end, the Department developed a Privacy Impact Methodology to assess whether a system that contains PII meets legal privacy requirements.  This methodology, based on the evaluation of applicable law and executive branch guidance as well as internal policy, was the foundation for determining question sets and remediation guidance for developing the PIA Questionnaire that is to be applied to the Department’s information technology (IT) systems. The Privacy Impact Methodology and the PIA Questionnaire, used to implement this methodology, are detailed within this document, which serves as an introduction to the IT PIA and DOL’s privacy mission and principles and offers guidance on how to use the methodology and questionnaire.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

PII is collected in the form of the SSN of certain contractors, and in the form of credit card numbers for DOL-issued credit cards used by DOL personnel to make micropurchase procurements.

What are the sources of the PII in the information system?

    • The Central Contracting Registry (CCR) is the source for government contracting information.  EPS retrieves contractor information from CCR for local use within EPS.  This includes information on contracting individuals who use their SSN as their tax identifier.
    • Purchase cards entered into EPS include a credit card number.

What is the PII being collected, used, disseminated, or maintained?

    • SSN presented as a Tax Identification Number (TIN) for an individual contractor.
    • Credit card information.  Note that this is information for a DOL-issued credit card – not a personally owned credit card.

How is the PII collected?

    • SSN is presented as a Tax Identification Number (TIN) for an individual contractor.  This data is retrieved from CCR by EPS on a regular basis.
    • Credit card information is entered into EPS manually when a new purchase card is issued to a user.

How will the information be checked for accuracy?

    • As the central repository of contractor information, CCR is assumed to be the accurate baseline of the contractor SSN/EIN.
    • There is no check for accuracy of credit card numbers.

Privacy Impact Analysis

    • Privacy risks for contractor SSN are interception and consequently identity theft.  All contractor data is encrypted during transmission, including when the data is retrieved from CCR, as well as when the data is transmitted to FPDS for reporting purposes.
    • Purchase card information is not disseminated outside of EPS.  Credit card information is encrypted within the EPS database.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

    • No

Privacy Impact Analysis

Standard NIST SP 800-53 security (account, auditing, physical access) controls are in place to mitigate any risks. 

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

Privacy Impact Analysis

    • PII is maintained indefinitely on the system; thus, EPS data is subject to all threats and vulnerabilities documented in the EPS Risk Assessment for the lifetime of the system or until a formally approved retention schedule is implemented.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

Privacy Impact Analysis

    • Access to sensitive contractor information should be addressed by the certification of procurement officials who would have access to this data.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

How is the information shared outside the Department and what security measures safeguard its transmission?

    • Transmission of contractor data to FPDS is encrypted.

Privacy Impact Analysis

    • The privacy risk for EIN/SSN is that interception of a contractor’s SSN could result in identity theft.  This is mitigated by encryption of the contractor data transmitted to FPDS.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

    • It is assumed contractors consent to use of their EIN/SSN when registering with CCR.

Access, Redress, and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

How are individuals notified of the procedures for correcting their information?

    • Procedures for updating contractor information are via CCR.
    • Users are not notified of how to correct purchase card information.

Privacy Impact Analysis

    • Notice of PII is provided via the Central Contracting Registry.  EPS users are at risk of identity theft due to the system maintaining PII for an indefinite period of time.  This risk is mitigated via encryption mechanisms in EPS.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

    • All DOL computer users are required to take computer security and privacy training annually.

Privacy Impact Analysis

    • The logical and physical access controls mitigate the risks.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

OASAM has completed the PIA for EPS, which is currently in operation. OASAM has determined that the safeguards and controls for this moderate system adequately protect the information.

OASAM has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.