Office of the Chief Information Officer

Privacy Impact Assessment Questionnaire

DOL – National Contact Center (DOL-NCC) – FY2011

1.1 Overview

  • System Name: Department of Labor National Contact Center (DOL-NCC) system

  • Owner Agency: Office of Public Affairs Division of Enterprise Communications (OPA DEC)

  • The DOL-NCC IT System supports one Major Application and all DOL-NCC operational applications associated with the three specific contact center sites in Virginia (VA), Kentucky (KY), and Texas (TX).

  • The DOL-NCC IT System supports the DOL objective to provide nationwide toll-free telephone and email assistance to the public with questions about job loss, business closures, pay and leave, workplace safety and health, pension and health benefits, workplace injuries, and more. The DOL-NCC IT System provides workflow, data capture, telecommunication functionality, and reporting to the DOL.

  • Modules in the system support call and email handling and the recording of such transactions for quality control purposes.

  • The Information Owner (DOL) is responsible for direction and approval of all program specific operations and has provided Computer Science Corporation (CSC) with applicable information regarding information sensitivity, operational risks, and required security controls. The DOL-NCC IT System supports contracted services not associated with any DOL Network. The DOL-NCC IT System supports contracted employees on CSC operated sites.

  • The PIA ensures the confidentiality, integrity, and availability of the information contained within the system. This assessment aims to determine what types of data are collected, stored, or shared and by its nature, whether that data will cause an invocation of the Privacy Act of 1974.

1.2 Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
The system contains PII from Federal employees, Contractor staff, and members of the public, who contact the DOL-NCC with inquiries regarding workplace issues.

  • What are the sources of the PII in the information system?
    The DOL-NCC system collects caller's contact information (name, e-mail address and phone number) in the event that a DOL-NCC Customer Service Representative (CSR) is unable to readily provide the information that the caller is seeking and needs to contact him/her after additional research is performed. In addition, contact information is shared with DOL Subject Matter Experts when a contact must be escalated.
  • What is the PII being collected, used, disseminated, or maintained?
    • First and/or last name
    • Business and/or Personal Phone Number
    • Business, Mailing, and/or Residential Address
    • Business and/or Personal E-mail Address

  • How is the PII collected?
    PII is collected over the phone by Customer Service Representatives (CSRs) and saved to a data repository (Siebel). Customers are also able to email requests to the NCC via the DOL (www.DOL.gov) website. If the customer's inquiry requires additional information, the CSR will contact them via email.
  • How will the information be checked for accuracy?
    PII is collected over the phone by Customer Service Representatives (CSRs) and saved to a data repository (Siebel). When PII-related information is collected from a customer, the information is verbally repeated back to the customer to verify that the collected information is accurate.

    Customers are also able to email requests to the NCC via the DOL (www.DOL.gov) website. The only validation for accuracy in regards to an incoming email message is the source email address. There is an inherent risk that customers could provide inaccurate contact information within the context of an email message.
  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?
    Information requested is the minimum information necessary to provide resolution to the caller at their request, and was agreed upon with DOL.
  • Privacy Impact Analysis
    Collected PII is purged every 30 days from the data repository. The only exception is OSHA-related information requiring supportive documentation of fatalities and injuries, which is retained indefinitely.

    Unauthorized Data Access (Confidentiality):
    The data repository, which houses the collected information, is secured and access is tightly controlled. Only authorized system administrators and engineers have access to the data repository. The system housing the data repository is neither able to establish nor respond to any connections to/from external entities. All access attempts to the data repository are logged and monitored.

    Data Integrity:
    Restrictive account permissions control access to the data repository. CSR accounts are not granted administrative access to the systems and software components which comprise the data repository. In addition, all data-entry actions are tracked. To ensure the integrity of data, software is utilized to track and monitor all changes for data accessed and entered into the repository.

1.3 Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

  • Describe all the uses of the PII
    PII is collected to allow designated DOL Subject Matter Experts to follow up with individuals contacting the DOL-NCC.

    PII is collected to provide an initial point of contact for notices to OSHA and MSHA for regulatory requirements.

    PII is collected to allow requested materials (brochures, posters, etc.) to be sent to individuals / businesses requesting the materials.
  • What types of tools are used to analyze data and what type of data may be produced?
    A commercial off-the-shelf (COTS) reporting application is used to generate automated reports, which are analyzed by a reports analyst, content research analyst, or DOL-NCC program management. Queries can also be performed within the customer relationship management (CRM) software component.
  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
    No. PII is purged from the repository every 30 days with the exception of OSHA-related information requiring supportive documentation of fatalities and injuries for an indefinite time period due to regulations. Each contact is treated as a new contact. New records are created for each contact.
  • If the system uses commercial or publicly available data, please explain why and how it is used.
    The information provided to the callers is also available on DOL's website. It is approved by the client according to the content lifecycle and then added into the CRM software component. This information is managed by content research analysts and follows the content (approval) lifecycle.
  • Privacy Impact Analysis
    As part of the DOL-NCC training curriculum, each CSR receives instruction on how to handle PII data. Once PII has been entered into the repository, it is not readily available to the CSR. CRM access restrictions limit access (export capabilities) to PII based upon job function.

1.4 Retention

The following questions are intended to outline how long information will be retained after the initial collection.

  • How long is information retained in the system?
    Information is retained for 30 Days prior to being purged from the data repository with the exception of OSHA-related information requiring supportive documentation of fatalities and injuries which is retained indefinitely due to regulations.
  • Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
    N/A
  • What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
    Information requested is the minimum information necessary to provide resolution to the caller at their request, and was agreed upon with DOL. Members of the public will provide their information (name, phone number, address, or email address), if they wish to order a publication or have someone contact them with additional information. No personally identifiable information is collected without the individual's consent.

  • How is it determined that PII is no longer required?
    DOL-NCC purges PII every 30 days with the exception of OSHA-related information, which is retained indefinitely due to regulations. This retention period was defined based on best business processes and practices. PII is required for fulfilling requests from customers until requests are resolved.

  • Privacy Impact Analysis
    Data is stored within the repository for 30 days with the exception of OSHA-related information, which is retained indefinitely due to regulations. The data is of a low sensitivity. Risk is mitigated by minimizing, controlling, and auditing access to the repository.

1.5 Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
    PII is shared within DOL agencies for the purpose of resolving a customer inquiry.

  • How is the PII transmitted or disclosed?
    PII is transmitted and disclosed electronically via email or telephone to authorized personnel. In addition, two designated DOL SMEs have read-only access to our Siebel knowledgebase, which would allow them to view PII over a secure (VPN) tunnel to the Siebel COTS application web interface.
  • Privacy Impact Analysis

    PII is only shared within DOL agencies for the purpose of resolving a customer inquiry. PII is only shared with DOL SMEs by a limited number of CSC personnel who are in the Content or Program groups. PII that is shared is limited to the minimum information needed to allow the DOL SME to contact the customer to resolve their issue. This would typically include the caller's name, phone number and their issue.

    Transfer of PII over the telephone is verified by the phone number dialed and the relationships developed between the CSC personnel and the DOL SMEs. Information shared via email requires a user to enter their user name and password to obtain the information. Although misdirected email is a possibility, this is reduced by the use of predefined distribution lists. Two DOL SMEs who have access to our Siebel knowledgebase must connect via a secure VPN.

    All CSC and DOL personnel who have access to PII information take yearly DOL training and sign a DOL non-disclosure statement "Rules of Conduct and the Consequences for Failure to Follow Rules Concerning the Safeguarding of Personal Identifiable Information".

1.6 External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?
    None
  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
    Not Applicable
  • How is the information shared outside the Department and what security measures safeguard its transmission?
    Not Applicable
  • Privacy Impact Analysis
    Not Applicable

1.7 Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII?
    PII is only collected when the customer chooses to share it for further resolution of their issue. Notice is provided by the CSR when the information is collected from the customer.
  • Do individuals have the opportunity and/or right to decline to provide information?
    Yes
  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
    A caller's contact information (name, e-mail address and phone number) is obtained in the event that a DOL-NCC Customer Service Representative (CSR) is unable to readily provide the information that the caller is seeking. The CSR will perform additional research and contact the caller once they have the information the caller requires.

    Mailing address data is collected by the NCC System in order to send callers (per their request) additional information (i.e. forms, publications, referrals etc.).
  • Privacy Impact Analysis
    The CSR informs the customer that their information will be forwarded to the appropriate Department of Labor official for resolution. If the individual refuses, information is not collected. No PII is collected without the individual's consent.

1.8 Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

  • What are the procedures that allow individuals to gain access to their information?
    At the caller's discretion, a service request number would be provided to them. This will allow them to reference their original inquiry.
  • What are the procedures for correcting inaccurate or erroneous information?
    The call would be escalated to a supervisor who would create a record in the Siebel database with the updated information. Original information is not typically modified since it would likely have been acted on (i.e. called out on or mailed literature) before it was collected.
  • How are individuals notified of the procedures for correcting their information?
    Not Applicable
  • If no formal redress is provided, what alternatives are available to the individual?
    Not Applicable
  • Privacy Impact Analysis
    Very limited PII is collected and no information is collected without the individual's knowledge and consent. All PII is verified with the individual before it is entered into the data repository. The following information (Name, Address, Telephone Number and/or Email Address) is stored within the secured data repository for 30 days with the exception of OSHA-related information, which is stored indefinitely.

1.9 Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

  • What procedures are in place to determine which users may access the system and are they documented?
    DOL-NCC CSRs, content research analysts (CRAs), Supervisors, and program managers are granted access to the CRM software and data repository. The granularity of this access is based upon job function and requirements as specified in the DOL-NCC Siebel Responsibility Definitions policy document.

  • Will Department contractors have access to the system?
    Yes - only via IPsec VPN client (AES 256-bit encryption). This currently is only accessible to one Department contractor (resident within a DOL owned and operated facility).
  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
    • All new DOL-NCC employees receive an initial eight day training program that includes instruction on the correct uses of Siebel and security. Included in this initial training is DOL's Annual Department of Labor Information System Security Awareness (ISSA) Training and Annual DOL PII Training.
    • All DOL-NCC employees complete an annual review of the DOL ISSA and PII training.
    • All CSC employees complete a separate, corporate-mandated, annual Computer Security training.
  • What auditing measures and technical safeguards are in place to prevent misuse of data?
    To ensure the integrity of data, all repository and CRM access actions are tracked and logged. Various network security controls are in place to ensure that access to the data repository is authorized and only permitted from trusted sources. External access to/from the data repository is not permitted.
  • Privacy Impact Analysis
    No PII is collected without the individual's knowledge and consent. All PII must be provided by the individual. The collected information (Name, Address, Telephone Number and/or Email Address) is housed in a secured data repository. All information is purged after 30 days with the exception of OSHA-related information, which is retained indefinitely.

10.1 Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

  • What stage of development is the system in, and what project development life cycle was used?
    Operation and Maintenance stage of development and Monitoring and Controlling project development life cycle.
  • Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?