Office of the Chief Information Officer

Privacy Impact Assessment Questionnaire

The Secretary's Information Management System (SIMS) – FY2011

1.1 Abstract

The Secretary's Information Management System (SIMS) is a web-based system composed of one major application and one minor application: SIMS and SIMS FOIA (Freedom of Information Act), respectively. The baseline SIMS application is designed to support the Executive Secretariat and all supporting Correspondence Control Units (CCU) within the agencies of the Department of Labor (DOL) by providing a management tool for controlling correspondence addressed to the DOL, and particularly to the Secretary of Labor. SIMS is conducting a PIA because it tracks the names of members of the public.

1.2 Overview

The Secretary's Information Management System (SIMS) is an OASAM system that has been in operation since July 2001. SIMS provides a single, DOL-wide correspondence system and allows electronic dialogue for clearance between the Executive Secretariat, peers, and intra-organizationally. SIMS supports the modification of the current business model and eliminates the paper process.

The information processed by SIMS includes the name of the requestor, their organization (if applicable), and the details of the correspondence. SIMS transactions track all correspondence with the EXECSEC and do not share any information with outside parties.

1.3 Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

  • Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
    The system tracks the names of members of the public.

  • What are the sources of the PII in the information system?
    Correspondence letters from the public. The only PII that is tracked by the system is the user's name.
  • What is the PII being collected, used, disseminated, or maintained?
    The only PII that is tracked by the system is the user's name.
  • How is the PII collected?
    The PII is entered by a SIMS system user into a web form.
  • How will the information be checked for accuracy?
    Information is cross-checked with the SIMS Correspondence.
  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?
    N/A
  • Privacy Impact Analysis
    The amount of PII collected is minimal and is used for appropriately addressing members of the public upon responding to information requests. This poses little security risk to the department.

1.4 Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

  • Describe all the uses of the PII
    The PII is used to compile a response and submit to the requestor.
  • What types of tools are used to analyze data and what type of data may be produced?
    The system has search functionality where a user's name could be used as a criterion for a query.
  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
    No.
  • If the system uses commercial or publicly available data, please explain why and how it is used.
    N/A
  • Privacy Impact Analysis
    The system implements TLS encryption on all communications and implements role-based access controls to segregate duties.

1.5 Retention

The following questions are intended to outline how long information will be retained after the initial collection.

  • How long is information retained in the system?
    SIMS is an unscheduled IT investment, and the retention for all unscheduled records is PERMANENT until the system has been scheduled.
  • Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
    No.
  • Privacy Impact Analysis
    SIMS has begun the process of formally scheduling its records management with NARA. The proposed schedule calls for deletion/destruction of electronic/scanned images of records and files 180 days after the paper records are transferred to the National Archives.

1.6 Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
    The response can be assigned to any number of organizations; therefore, the PII collected (last name, first name) would be available to any assigned organization.
  • How is the PII transmitted or disclosed?
    Digitally within the system. SIMS communications are encrypted via TLS.
  • Privacy Impact Analysis
    SIMS does not share information externally and implements TLS for all communications, which mitigates the risk associated with data transfer.

1.7 External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?
    There are no external systems that connect to SIMS.
  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
    There are no external systems that connect to SIMS.
  • How is the information shared outside the Department and what security measures safeguard its transmission?
    N/A
  • Privacy Impact Analysis
    SIMS does not share information with external parties; therefore, there are no security risks associated with external sharing of information.

1.8 Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII?
    No; however, there is no way for SIMS to provide notice, given that correspondence can come in the form of a handwritten letter, etc.
  • Do individuals have the opportunity and/or right to decline to provide information?
    SIMS is not a public facing system. System rights are granted to specific DOL employees. Those users enter the information from the correspondence. The information is voluntary.
  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
    No, correspondence submitted to the EXECSEC is voluntary.
  • Privacy Impact Analysis
    Individuals have no knowledge that their information is tracked in SIMS. This is, however, inherent in the nature of correspondence with the EXECSEC: correspondence can be submitted in a variety of non-digital ways, and the member of the public may never interface with a computer.

1.9 Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

  • What are the procedures that allow individuals to gain access to their information?
    None – members of the public do not have direct access to the system.
  • What are the procedures for correcting inaccurate or erroneous information?
    Any corrections are made at the individual's request.
  • How are individuals notified of the procedures for correcting their information?
    If a system user finds information that requires correction, notification may occur via phone or e-mail to the requestor of the information.
  • If no formal redress is provided, what alternatives are available to the individual?
    The individual requesting information is contacted if additional information is needed by the Office of the Secretary, but there is no formal redress capability. If a request is incorrect and no additional information can be obtained, the request has to be re-initiated by the individual and the old (incorrect) request will be deleted.
  • Privacy Impact Analysis
    There is no additional risk in the redress process, as the public does not have direct access.

1.10 Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

  • What procedures are in place to determine which users may access the system and are they documented?
    Users can only be granted access to the system by the appropriate power users within the agency. Any specific processes for account access and management are handled by the respective business units.
  • Will Department contractors have access to the system?
    Yes.
  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
    Annual Computer Security Awareness Training is provided to all ECN/DCN users as documented within the Computer Security Handbook.
  • What auditing measures and technical safeguards are in place to prevent misuse of data?
    Auditing is not implemented on SIMS. SIMS leverages TLS for all internal communications. Role-based access controls determine what information users have access to.
  • Privacy Impact Analysis
    Given that the information maintained is used only to track EXECSEC correspondence and to produce reports for annual reporting, the logical and physical access controls identified in the SIMS SSP mitigate the risks.

1.11 Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

  • What stage of development is the system in, and what project development life cycle was used?
    Operational – DOL SDLCM
  • Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.
    No.

1.12 Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • OASAM has completed the PIA for SIMS, which is currently in operation, and has determined that the safeguards and controls for this moderate system adequately protect the information referenced in the SIMS System Security Pla