www.dol.gov/cio
May 17, 2008

Safety & Health Information Management System -- Hosting Version 4

EXECUTIVE SUMMARY REPORT

INTRODUCTION TO THE PIA

Purpose

By law, federal agencies are required to ensure the protection of personally identifiable information (PII). To that end, the Department of Labor (DOL) has developed a Privacy Impact Methodology and Assessment (PIA) to assess whether a system that contains PII meets legal privacy requirements.

The DOL is responsible for ensuring the confidentiality, integrity, and availability of the information contained within its information systems. DOL must at times collect, use, analyze, and store PII from its employees and customers. DOL remains vigilant in protecting all its information technology resources, especially those systems containing PII. Ideally, the PIA should be performed during the development phase of a system life cycle. However, a PIA should also be conducted at any time when the system is significantly modified, or the sensitivity of the data contained within the system is changed.

A PIA evaluates privacy vulnerabilities and risks, and their implications for information systems. The process described in this document is designed to give agencies guidance in assessing privacy throughout the early stages of system development, as well as in assessing the privacy risks of existing, operational systems. PIAs provide numerous benefits. Among these are enhancing policy decision making and system design, anticipating the public's possible privacy concerns, and generating confidence that privacy objectives are addressed in the development and implementation of single-agency or integrated information systems.

Scope

A Privacy Impact Assessment will be conducted on each system and application cited on the DOL Sensitive System List and reported on the Department's Exhibit 53 or via capital asset plans and business cases (Exhibit 300s). This PIA was conducted specifically for the E-Procurement System (EPS).

Approach

In order to determine whether a system that contains PII meets legal privacy requirements, the DOL characterized the system; identified the information contained in the system; evaluated information-sharing practices; and assessed the system's controls for administrative, technical, and physical safeguards. The information above was gathered through a series of questions posed to the developers.

Results

Because personal information is collected in SHIMS, the following laws and internal policies apply: the Privacy Act of 1974, the HIPAA Privacy Rule 67 FR 14775, DLMS 9 Information Technology (IT) Chapter 400, and OMB M-99-18. The findings of this PIA indicate that although passwords are used to access the system, password controls are not currently in place. The mitigation strategy, putting these password controls in place, is expected to be completed by March 26, 2004.

Summary

To conclude, this document and the IT PIA Questionnaire contained herein constitute the Privacy Impact Assessment. This PIA is based on the evaluation of the applicable laws and executive branch guidance cited above, as well as internal policy. The PIA provides a framework by which agencies can ensure that they have complied with all relevant privacy policies, regulations, and guidance, both internal and external to DOL.
