Skip to page content
Office of the Chief Information Officer
DOL Home > CIO > ESA Privacy Impact Assessments

Back Wage Financial System (BWFS) 2009

Abstract

The Wage and Hour Division (WHD) is a Program Office of Employment Standards Administration (ESA), an agency of DOL. WHD operates The Back Wage Financial System (BWFS), which is a financial management system used by the WHD. The system is used to collect back wages due to employees from employers as a result of violations of laws enforced by the WHD and to disburse those wages to employees. This Privacy Impact Assessment is being conducted because BWFS contains Personal Identifiable Information (PII).

Back to Top   Back to Top

Overview

The BWFS is a financial management system used by the WHD to collect back wages from employers (under certain conditions), disburse those wages to employees, and, when the WHD is unable to locate employees after three years, transfer any remaining monies to the U.S. Treasury. Major functions of the system include accruing and assessing interest and penalties for delinquent debt, transferring debts to Treasury's Debt Management Service (DMS) for debt collection, producing tax documentation for gross cases, and producing period reports for financial reporting.

In addition to the US Treasury, the system provides data to the U.S. Secure Payment System regarding the issuing of checks and to the Internal Revenue Service (IRS) and the Social Security Administration (SSA) regarding tax withholding information about individuals and businesses.

The data used by BWFS is part of the overall Wage and Hour Investigative Support and Reporting Database (WHISARD), which consists of a DB2 database and several executables that access parts of the database. WHISARD itself contains several hundred tables; some are used only by BWFS.

The BWFS supports DOL Strategic Plan 2006-2011, Strategic Goal 3 - Safe and Secure Workplaces, Performance Goal 3C - Ensure Workers Receive the Wages Due Them. The collection and distribution of back wages through the BWFS deters future violations and furthers the WHD mission of increased compliance to the statutes that the WHD is mandated to enforce, particularly in low-wage industries.

Back to Top   Back to Top

Introduction

The WHD is responsible for administering and enforcing some of our nation's most comprehensive labor laws, including: the minimum wage, overtime, and child labor provisions of the Fair Labor Standards Act (FLSA); the Family and Medical Leave Act (FMLA); the Migrant and Seasonal Agricultural Worker Protection Act (MSPA); worker protections provided in several temporary visa programs; and the prevailing wage requirements of the Davis-Bacon and Related Acts (DBRA) and the Service Contract Act (SCA). BWFS supports WHD meeting its core business functions. This Privacy Impact Assessment will evaluate the effectiveness of the BWFS Application in protecting the privacy information during system operation. In addition, it will demonstrate the adequacy of the protection of the Personal Identifiable Information (PII) being collected within a system and the protection of integrity of the PII being collected by the WHISARD systems operation.

Back to Top   Back to Top

Characterization of the Information

The BWFS collects personally identifiable information (PII) on members of the public (U.S. citizens).

  • What are the sources of the PII in the information system?

    • BWFS consists of two components: the BWFS application and the Back Wage Follow-Up (BWFU) module hosted in the WHISARD application. The source of PII in the WHISARD system comes directly from individuals who are filling a wage and hour complaint.

  • What is the PII being collected, used, disseminated, or maintained?

    • The collection, dissemination, and maintenance of PII in WHISARD consist of the following:

    • Name
    • Phone numbers
    • Social Security numbers
    • Residential address
    • Business address
    • Mailing address
    • Business phone number
    • Residential address
  • How is the PII collected?

    • PII is collected directly from the individual when a WHD employee interviews a complainant about a possible violation to one of the laws that WHD enforces. PII can also be collected when an investigation discovers that the violation affects additional individuals other than the complainant or as a result of a direct investigation when there is no complainant.

  • How will the information be checked for accuracy?

    • The BWFS uses Form WH-60 to verify an employee's name, address, phone number, and Social Security number before the issuance of a check. A series of letters is issued to the employer before the debt is sent for collection. The final letter is sent by certified mail to the addressee to verify the accuracy of information. In addition, the Employer is requested to verify his/her Employer ID Number.

  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?

    • BWFS supports the following labor laws in the work place:

    • FLSA (Fair Labor Standards Act - Section 6&7 Minimum Wage and Overtime)
    • Child Labor
    • MSPA (Migrant and Seasonal Agricultural Worker Protection Act)
    • FMLA (Family Medical Leave Act)
    • EPPA (Employee Polygraph Protection Act)
    • H-1A (Provisions of the Immigration Nursing Relief Act)
    • H-1B (Provisions of the Immigration Naturalization Act)
    • H-2A(Provisions of the Immigration Reform Control Act of 1990)
    • Homeworker (Provisions of the Fair Labor Standards Act)
    • CREW (Longshore) (Provisions of Immigration and Naturalization Act)
  • Privacy Impact Analysis

    • While PII is collected, only the minimum necessary to accomplish the mission is recorded and the affected employees and or employers are directly involved in the collection process.

Back to Top   Back to Top

Uses of the PII

  • Describe all the uses of the PII

    • Information being collected by BWFS is used to:

    • Disburse funds and withhold tax
    • collect back wages fund due to employees as a result of violations of laws enforced by the WHD
    • Disburse collected back wages to employees
  • What types of tools are used to analyze data and what type of data may be produced?

    • There are no customized or specialized tools that are used to analyze data on Wage and Hour cases.

  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

    • No, BWFS is not currently designed to derive new information or create previously unavailable data about individuals.

  • If the system uses commercial or publicly available data, please explain why and how it is used.

    • The system data is not available for commercial or public use.

  • Privacy Impact Analysis

    • The PII collected is used but only for a very specific and limited purpose. It is not used for any form of analysis nor is any data derived from PII collected by BWFS.

Back to Top   Back to Top

Retention

  • How long is information retained in the system?

    • In accordance with WHD record retention schedule NN-160-43, records will be retained for a minimum of 12 years.

    This guidance is further enhanced by System of Records Notice (SORN) DOL/ESA-36 which states:

    • Electronic records are electronically archived; data tapes are retained for 25 years.
    • Printed information generated by this system and retained in a Wage-Hour office will be disposed of as follows:

    Printed information, concerning cases where violations were found, is disposed of 12 years after the date the case is closed. For cases where no violations were found, printed information is disposed of three years after the closing date.

  • Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

    • WHD record retention schedule NN-160-43 has been approved by the DOL agency records officer and the National Archives and Records Administration (NARA).

    It should be noted that new schedules have been submitted to NARA for approval.

  • Privacy Impact Analysis

    • Data is retained in strict accordance with the WHD record retention schedule NN-160-43 and SORN DOL/ESA-36. Safeguards are in place for the data stored in WHISARD as well as the archived data which is maintained off-site in a vendor-provided secure storage facility that meets or exceeds federal standards for physical access control.

Back to Top   Back to Top

Internal Sharing and Disclosure

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

    • BWFS does not share PII with any internal organization.

  • How is the PII transmitted or disclosed?

    • BWFS does not transmit or disclose PII with any internal organizations

  • Privacy Impact Analysis

    • There is no Privacy Impact with BWFS because it does not transmit, share or disclose PII to any internal organization.

Back to Top   Back to Top

External Sharing and Disclosure

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?

    • BWFS shares PII with external organizations as follows:

    • Debt Management System (DMS) - Used to refer debts over 180 days delinquent to Treasury
    • Secure Payment System (SPS) - Used to submit payment schedules to Treasury
    • Paper Check Conversion Over the Counter (PCC OTC) - Used to submit check information to Treasury for collection
  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

    • Yes, sharing of PII outside of DOL complies with SORN DOL/OCFO-2. The WHD has developed a SORN for WHFAS that is published by the SOL. BWFS is covered under the existing SORN for DOLAR$.

  • How is the information shared outside the Department and what security measures safeguard its transmission?

    • WHD shares information directly with the Department of the Treasury via a vendor-provided product that uses a proprietary protocol and an encryption method compliant with Federal Information Processing Standards (FIPS) 140-2.

    WHD also shares information directly with the Department of the Treasury via their Secure Payment System (SPS) which is secured using a FIPS 140-2 validated Secure Sockets Layer (SSL) implementation.

  • Privacy Impact Analysis

    • PII is shared with the Department of the Treasury and only for the purposes of disbursing back wages to employees. Two different methods are used to accomplish these communications and both are protected by FIPS 140-2 validated encryption solutions. No other information is shared electronically from CMP-2001. Memorandums of Understanding (MOUs) and Interconnection Service Agreements (ISAs) are in place between ESA and the Treasury to govern the electronic transfer data.

Back to Top   Back to Top

Notice

  • Was notice provided to the individual prior to collection of PII?

    • Not always. In some cases, PII is collected directly from the individual submitting a complaint. In other cases, PII may be collected as a result of a direct investigation that affects one or more individuals. Notice of the collection of PII on individuals is provided by the publication of SORN DOL/ESA 42 in the Federal Register.

  • Do individuals have the opportunity and/or right to decline to provide information?

    • Not always. Information is collected as a result of an investigation. In some cases, this information is collected directly from the individual who at that time has the opportunity to decline to provide information. In other cases, information may be collected from a third party such as the employer and in such cases; the individuals do not have the opportunity to decline to provide information.

  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

    • No. Information is collected as a result of an investigation. It is used only for disbursement of back wages depending on the outcome of the investigation. Due to the nature of the work, individuals are not provided an option for consenting to this use of the information.

  • Privacy Impact Analysis

    • PII is collected as a result of an investigation. In some cases, this information is provided directly by the individual to whom it pertains but in all cases, individuals do not have the right to consent to its use.

Back to Top   Back to Top

Access, Redress, and Correction

  • What are the procedures that allow individuals to gain access to their information?

    • There are no procedures to allow individuals to gain access to their information. The BWFS application is an integral part of the WHISARD system which is accessed by WHD employees or contractors. There is no public or Web access to the WHISARD application.

  • What are the procedures for correcting inaccurate or erroneous information?

    • WHD provides the completed forms WH-60 or WH-58 to the individuals affected by the investigation requesting them to verify and update as necessary. The forms are then returned to WHD for processing.

  • How are individuals notified of the procedures for correcting their information?

    • Prior to the disbursement of back wages, individuals are contacted directly by WHD and provided with the completed form WH-60 or WH-58 for the purpose of verifying personal information and making any necessary corrections.

  • If no formal redress is provided, what alternatives are available to the individual?

    • The publication of SORN DOL/ESA 36 addresses the procedure for correcting or updating information that is gathered. Individuals wishing to contest or amend any records should direct their request to the appropriate regional office. Such inquiries should include the full name of the requester and the date and amount of assessment. Information about district and regional offices for Wage Hour can be found by going to http://www.dol.gov/whd/ on the internet or by contacting the disclosure officer at the following address:

    Administrator, Wage and Hour Division,
    Room S-3502, Frances Perkins Building
    200 Constitution Avenue, NW, Washington, DC 20210

  • Privacy Impact Analysis

    • The form WH-60 or WH-58 is provided to the individuals involved in the investigation in an effort to ensure that their information is complete and accurate. In addition, the publication of SORN DOL/ESA 36 addresses the procedure for further correction and updating of the information that is gathered.

Back to Top   Back to Top

TECHNICAL ACCESS AND SECURITY

  • What procedures are in place to determine which users may access the system and are they documented?

    • Procedures are in place that must be followed before allowing users access to the system. The process is designed to comply with the principles of least privilege and separation of duties as follows.

    All DOL employees and contractors must undergo at a minimum a standard DOL background check. Users of the system must first complete the process for requesting and obtaining a DOL network account. Next, they will need to complete and submit the appropriate Wage Hour request form which identifies the system to which access is being requested along with their proposed role and or privileges. All requests for system access must be approved by the user's supervisor and the System Owner (SO) or SO representative. Separation of duties in enforced by requiring actions by both ESA/DITMS account managers and WHD account administrators to complete the process before user access to the system is granted.

  • Will Department contractors have access to the system?

    • Yes, WHD contractors will have access to the system if required based on their assigned duties.

  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

    • WHD employees are trained to protect individual PII as part of the Computer Security Awareness Training (CSAT) and are required to agree to the DOL Rules of Behavior. In addition all new WHD investigators and support staff are trained to safeguard information as part of their Basic Training.

  • What auditing measures and technical safeguards are in place to prevent misuse of data?

    • Event logs are being used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.

    WHD users must first login to the DOL/ESA network and only then would it be possible to login to CMP. A separate ID and password is required for the user to now login to CPM-2001. Event logs are designed to capture detailed information pertaining to both of these account activities as well as others such as establishing, activating, modifying, reviewing, disabling, and removing accounts. These logs are reviewed monthly by management in an effort to detect any unusual or unauthorized activity.

    WHD has an established Incident Response and Reporting procedure that requires users to promptly report known or suspected unauthorized use or disclosure of user-IDs and/or passwords, misuse of computer resources, security violations, or unusual occurrences to appropriate authorities.

    The ESA General Support System (GSS) has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall.

  • Privacy Impact Analysis

    • The implementation of security controls as described above represents a defense in depth approach to providing adequate protection of all sensitive information contained in the system including PII. These controls are effective in preventing unauthorized access to the system, detecting if a system has been compromised and responding to incidents in the event that a system compromise has been suspected

Back to Top   Back to Top

TECHNOLOGY

  • What stage of development is the system in, and what project development life cycle was used?

    • All DOL major information systems are required to follow the computer security life cycle defined in the DOL System Development Life Cycle Management Manual (SDLCMM). Based on the SDLCMM BWFS is in the Operations and Maintenance Phase (Phase IV).

  • Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

    • The BWFS utilizes only standard DOL approved technologies and protocols to allow users access to the system. Technologies which could raise significant privacy concerns such as peer-to-peer file sharing, remote and web access and others are not authorized for use with this system.

Back to Top   Back to Top

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • Wage and Hour Division (WHD) has completed the PIA for Back Wage Financial System (BWFS) which is currently in operation. WHD has determined that the safeguards and controls for this moderate system adequately protect the information.
  • Wage and Hour Division (WHD) has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.