skip to page content
Office of the Chief Information Officer
Print This Page Print This Page  Decrease Text Size Increase Text Size Text Size  Email This Page E-mail This Page
DOL Home > CIO > OPA Privacy Impact Assessments

National Contact Center (NCC) 2009

Abstract

  • Department of Labor National Contact Center (DOL-NCC) system
  • The DOL-NCC IT System supports the DOL objective to provide nationwide toll-free telephone and e-mail assistance to the public with questions about job loss, business closures, pay and leave, workplace safety and health, pension and health benefits, workplace injuries, and more. The DOL-NCC IT System provides workflow, data capture, telecommunication functionality, and reporting to the DOL.
  • The PIA ensures the confidentiality, integrity, and availability of the information contained within the system. This assessment aims to determine what types of data are collected, stored, or shared and by its nature, whether that data will cause an invocation of the Privacy Act of 1974.
Back to Top   Back to Top

Overview

  • System Name: Department of Labor National Contact Center (DOL-NCC) system
  • Owner Agency: Office of Public Affairs Division of Enterprise Communications (OPA DEC)
  • The DOL-NCC IT System supports one Major Application and all DOL-NCC operational applications associated with the three specific contact center sites in Virginia (VA), Kentucky (KY), and Texas (TX).
  • The DOL-NCC IT System supports the DOL objective to provide nationwide toll-free telephone and e-mail assistance to the public with questions about job loss, business closures, pay and leave, workplace safety and health, pension and health benefits, workplace injuries, and more. The DOL-NCC IT System provides workflow, data capture, telecommunication functionality, and reporting to the DOL.
  • The Information Owner (DOL) is responsible for direction and approval of all program specific operations and has provided the System Owner with applicable information regarding information sensitivity, operational risks, and required security controls. The DOL-NCC IT System supports contracted services not associated with any DOL Network. The DOL-NCC IT System supports contracted employees on sites operated by the System Owner .
Back to Top   Back to Top

Introduction

The purpose of this document is to summarize the findings of the United States Department of Labor National Contact Center (DOL-NCC) Privacy Impact Assessment (PIA). The PIA ensures the confidentiality, integrity, and availability of the information contained within the system. This assessment aims to determine what types of data are collected, stored, or shared and by its nature, whether that data will cause an invocation of the Privacy Act of 1974. This document also assesses the risks for system vulnerability.

Back to Top   Back to Top

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

  • Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

    • The system will contain PII on members of the public, who contact the DOL-NCC with inquiries regarding workplace issues.

  • What are the sources of the PII in the information system?

    • Members of the public including media representatives and government officials will provide their information (name, phone number, address, or e-mail address) if they wish to order a publication or have someone contact them with additional information.

  • What is the PII being collected, used, disseminated, or maintained?

    • Customer's Name
    Business or Personal Phone Number
    Business or Personal Address
    Business or Personal E-mail Address

  • How is the PII collected?

    • PII is collected over the phone by Customer Service Representatives (CSRs) and saved to data repository. Customers are also able to e-mail requests to the NCC via the Department of Labor Web site. If the customer's inquiry requires additional information, the CSR will request it via e-mail.

  • How will the information be checked for accuracy?

    • The CSR checks the information for accuracy by repeating the information back to the customer and asking the customer to verify that it is accurate.

  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?

    • Information requested is the minimum information necessary to provide resolution to the caller at their request, and was agreed upon with DOL.

  • Privacy Impact Analysis

    • All PIA collected data is purged every 180 days from the data repository.

    Unauthorized Data Access (Confidentiality):
    The data repository, which houses the collected information, is secured and access is tightly controlled. Only authorized system administrators and engineers have access to the data repository. The system housing the data repository is neither able to establish nor respond to any connections to/from external entities. All access attempts to the data repository are logged and monitored.

    Data Integrity:
    Restrictive account permissions control access to the data repository. CSR accounts are not granted administrative access to the systems and software components which comprise the data repository. In addition, all data-entry actions are tracked. To ensure the integrity of data, software is utilized to track and monitor all changes for data accessed and entered into the repository.

Back to Top   Back to Top

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

  • Describe all the uses of the PII
    • Misdirected DOL related e-mail requests are not handled by the System Owner. Instead, these requests are redirected to the appropriate agency.
    • Misdirected non-DOL related e-mail request are not handled by the System Owner. Instead, these requests are forwarded to USA Services.
    • The System Owner does not record or retain any PII data related to misdirected communications.
    • If DOL-NCC staff are unable to address the individual's issue, the PII is forwarded to the designated DOL personnel or the DOL-NCC Contracting Officer Technical Representative (COTR).
  • What types of tools are used to analyze data and what type of data may be produced?

    • A commercial off the-shelf (COTS) reporting application is used to generate automated reports, which are analyzed by a reports analyst, content research analyst, or DOL-NCC program management. Queries can also be performed within the customer relationship management (CRM) software component.

  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

    • No, PII is purged from the repository every 180 days. Each contact is treated as a new contact. New records are created for each contact

  • If the system uses commercial or publicly available data, please explain why and how it is used.

    • The information provided to the callers is also available on DOL's Web site. It is approved by the client according to the content lifecycle and then added into the CRM software component. This information is managed by content research analysts and follows the content lifecycle.

  • Privacy Impact Analysis

    • As part of the DOL-NCC training curriculum, each customer service representative receives instruction on how to handle PII. Once PII has been entered into the repository, it is not readily available to the CSR. CRM access restrictions limit access to PII based upon job function.

Back to Top   Back to Top

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

  • How long is information retained in the system?

    • Information is retained for 180 Days prior to being purged from the data repository.

  • Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

    • N/A

  • Privacy Impact Analysis

    • Data is stored within the repository for 180 days. The data is of a low sensitivity. Risk is mitigated by minimizing, controlling, and auditing access to the repository.

Back to Top   Back to Top

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

    • PII is shared with DOL agencies for the purpose of resolving a customer inquiry.

  • How is the PII transmitted or disclosed?

    • PII is disclosed to an approved subject matter expert (SME). The information is transmitted electronically.

  • Privacy Impact Analysis

    • SMEs are provided by the Department of Labor. Information is only shared with those approved and authorized by the client.

Back to Top   Back to Top

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?

    • None

  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

    • Not Applicable

  • How is the information shared outside the Department and what security measures safeguard its transmission?

    • Not Applicable

  • Privacy Impact Analysis

    • Not Applicable

Back to Top   Back to Top

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII?

    • PII is only collected when the customer chooses to share it for further resolution of their issue. Notice is provided by the CSR when the information is collected from the customer.

  • Do individuals have the opportunity and/or right to decline to provide information?

    • Yes

  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

    • If callers want to receive a call back or have literature sent to them, their name, address, telephone number and/or e-mail address are required. However, the caller will need to provide this PII as none is collected without the caller providing it.

  • Privacy Impact Analysis

    • The CSR informs the customer that their information will be forwarded to the appropriate Department of Labor official for resolution. If the individual refuses, information is not transmitted. No personally identifiable information is collected without the individual's consent.

Back to Top   Back to Top

Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

  • What are the procedures that allow individuals to gain access to their information?

    • At the customer's discretion, a service request number would be provided to them. This will allow them to reference their original inquiry.

  • What are the procedures for correcting inaccurate or erroneous information?

    • The call would be escalated to a supervisor who would create a record with the updated information. Original information is not typically modified since it would likely have been acted on (i.e. called out on or mailed literature) before it was collected.

  • How are individuals notified of the procedures for correcting their information?

    • The individual would have to contact the Department of Labor with the request to update their information.

  • If no formal redress is provided, what alternatives are available to the individual?

    • If an individual insisted the information removed from the system, he/she would need to contact a supervisor and request that it be removed.

  • Privacy Impact Analysis

    • Very limited PII is collected and no information is collected without the individual's knowledge and consent. All PII is verified with the individual before it is entered into the data repository. The following information (Name, Address, Telephone Number and/or E-mail Address) is stored within the secured data repository (for 180 days).

Back to Top   Back to Top

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

  • What procedures are in place to determine which users may access the system and are they documented?

    • DOL-NCC CSRs, content research analysts (CRAs), Supervisors, and program managers are granted access to the CRM software and data repository. The granularity of this access is based upon job function and requirements.

  • Will Department contractors have access to the system?

    • No

  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

    • Department of Labor Information System Security Awareness (ISSA) Training
    DOL Mandated Training (CDs)
    Monthly Computer Security Awareness Training via

  • What auditing measures and technical safeguards are in place to prevent misuse of data?

    • To ensure the integrity of data, all repository and CRM access actions are tracked and logged. Various network security controls are in place to ensure that access to the data repository is authorized and only permitted from trusted sources. External access to/from the data repository is not permitted.

  • Privacy Impact Analysis

    • No PII is collected without the individual's knowledge and consent. All PII must be provided by the individual. The collected information (Name, Address, Telephone Number and/or E-mail Address) is housed in a secured data repository. All information is purged after 180 days.

Back to Top   Back to Top

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

  • What stage of development is the system in, and what project development life cycle was used?

    • Operation and Maintenance stage
    Not Applicable. DOL-NCC is an outsource system to service provider.

  • Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

    • Not Applicable.

Back to Top   Back to Top

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • DOL-NCC has completed the PIA for the CRM software component which is currently in operation. DOL-NCC has determined that the in-place safeguards and controls adequately protect the information.
  • OPA DEC has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.