EXECUTIVE SUMMARY REPORT
INTRODUCTION TO THE PIA
Purpose
By law, federal agencies are required to ensure the protection of
personally identifiable information (PII). To that end, the Department of Labor
(DOL) has developed a Privacy Impact Assessment (PIA) methodology to determine
whether a system that contains PII meets legal privacy requirements.
The DOL is responsible for ensuring the confidentiality, integrity, and
availability of the information contained within its information systems. DOL
must at times collect, use, analyze, and store PII from its employees and
customers. DOL remains vigilant in protecting all its information technology
resources, especially those systems containing PII. Ideally, the PIA should be
performed during the development phase of a system life cycle. However, a PIA
should also be conducted at any time when the system is significantly modified,
or the sensitivity of the data contained within the system is changed.
A PIA evaluates privacy vulnerabilities and risks, and their
implications for information systems. The process described in this document is
designed to provide agencies with guidance in assessing privacy throughout the
early stages of system development, as well as assessing privacy risks of
existing, operational systems. PIAs provide numerous benefits. Among these
benefits are enhancing policy decision making and system design, anticipating
the public's possible privacy concerns, and generating confidence that privacy
objectives are addressed in the development and implementation of single-agency
or integrated information systems.
Scope
A Privacy Impact Assessment will be conducted on each system and
application cited on the DOL Sensitive System List and reported on the
Department's Exhibit 53 or via capital asset plans and business cases (Exhibit
300s). This PIA was conducted specifically for the Secretary's Information
Management System (SIMS).
Approach
In order to determine whether a system that contains PII meets legal
privacy requirements, the DOL characterized the system; identified the
information contained in the system; evaluated information-sharing practices;
and assessed the system's controls for administrative, technical, and physical
safeguards. This information was gathered through a series of questions posed
to the system's developers.
Results
Because personal information is collected on SIMS, the following law
and guidance apply: the Privacy Act of 1974 and OMB M-99-18. A Contingency
Plan and a System Security Plan for SIMS are currently being written. Privacy
policy statements and rules of conduct are being developed for the website. In
addition, there is no process at this time to retain and destroy files. All
documentation, including the Contingency Plan and System Security Plan, is due
on March 26, 2004. The privacy policy statement, rules of conduct, review
processes for information accuracy, and procedures for retention and
destruction of files are all scheduled to be completed by March 26, 2004.
Summary
To conclude, this document and the IT PIA Questionnaire contained herein
represent the Privacy Impact Assessment. This PIA is based on the evaluation of
the above applicable laws and executive branch guidance, as well as internal
policy. The PIA provides a framework by which agencies can ensure that they
have complied with all relevant privacy policies, regulations, and guidance,
both internal and external to DOL.