Skip to page content
Office of the Chief Information Officer
Bookmark and Share

Privacy Impact Assessment Questionnaire

BLS — Consumer Price Index (CPI) FY 2014

Overview

  • The system name and the name of the DOL component(s) which own(s) the system.
  • The purpose/function of the program, system, or technology and how it relates to the component's and DOL mission
  • A description of a typical transaction conducted on the system.
  • Any information sharing conducted by the program or system.
  • A general description of the modules and subsystems, where relevant, and their functions.
  • Where appropriate, a citation to the legal authority to operate the program or system.
  • A description of why the PIA is being conducted.

This system is named the Consumer Price Index (CPI) and is owned by the Bureau of Labor Statistics, Office of Prices and Living Conditions, Division of Consumer Prices and Price Indexes.

The system produces the Consumer Price Index and is in support of DOL Outcome Goal 5.1 and the BLS Operating Plan.

The information contained in the CPI system is primarily composed of prices for goods and service, identifying information on these goods and services, the names of businesses and individuals who provide this information and price indexes which are estimated and published from the underlying data on these goods and services.

Examples of typical transactions might be the transmission of information collected by a field economist to a central database; a commodity analyst accessing price data for review and the execution of a computer program to calculate an estimate of inflation for a particular good or service.

No data sharing takes place.

There are eight subsystems:

Subsystem

Function

20201 C&S Mainframe

Data Collection, Estimation

20202 TPOPS

Sampling

20203 Index Estimation/Publication

Estimation; Publication

20204 Housing

Data Collection, Estimation, Sampling

20205 C&S Micro

Data Collection

20206 Cost Weights

Estimation

20207 CADC

Data Collection

20208 Sales Tax

Data Collection

Section 2 of Title 29, Chapter 1, Subchapter 1, United States Code Annotated directs the Bureau of Labor Statistics (BLS), under the direction of the Secretary of Labor, to collect, collate, and report full and complete statistics of the conditions of labor and the products and distribution of the products of the same. The Consumer Price Index (CPI) is the only index compiled by the U.S. Government that is designed to measure changes in the purchasing power of the urban consumer's dollar. The collection of prices directly from retail establishments is essential for the timely and accurate calculation of the commodities and services component of the CPI. Respondents include retail establishments throughout the country. If the information were not collected, the consequences to both the Federal and private sectors would be far- reaching and would have serious repercussions on Federal government policy and institutions.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

Members of the public. More specifically, individuals associated with housing units selected to be in the survey.

What are the sources of the PII in the information system?

Information is provided by the individuals.

What is the PII being collected, used, disseminated, or maintained?

The PII being collected is name, address and telephone number(s). It is used only to the extent that the individual continues to agree to cooperate with our survey.

How is the PII collected?

By direct contact with an individual by a CPI field economist who enters information directly onto a tablet computer.

How will the information be checked for accuracy?

Since the individual is supplying the PII, and the focus of the survey is the housing unit itself, the PII is not checked for accuracy.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

Letters of Introduction are sent to potential respondents describing the Consumer Price Index Program and the reasons for these individuals being contacted. Included in this letter is a notion that while important, cooperation in this data collection is voluntary.

Privacy Impact Analysis

The PII data collected is name, address and telephone number(s) for about 46,500 individuals. The data is collected from those individuals who voluntarily agree to cooperate with our survey and the PII is only used to maintain contact with those individuals.

The privacy risk is low and would be comprised of revealing where an individual lived and a phone number. The main risk of exposure would come when a field economist loses the computer on which the data was collected. The risk is mitigated by the fact that the hardware storage device on computers used to collect the data is encrypted.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The PII is only used to maintain contact with those individuals who agree to cooperate with our survey.

What types of tools are used to analyze data and what type of data may be produced?

PII data is not used or analyzed. Information from the individuals on the rents they pay is used and analyzed. Data on rental inflation is produced.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No.

If the system uses commercial or publicly available data, please explain why and how it is used.

Not applicable.

Privacy Impact Analysis

Access to the PII data is limited with those who have a need to know and is encrypted as described above.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

The CPI follows the proper retention schedules which call for data to be retained for 30 years.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

Yes.

What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

The CPI follows the proper retention schedules which call for data to be retained for 30 years.

How is it determined that PII is no longer required?

The CPI follows the proper retention schedules which call for data to be retained for 30 years.

Privacy Impact Analysis

The CPI system follows established guidelines for data retention.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

There is no sharing of PII information.

How is the PII transmitted or disclosed?

PII data is electronically transmitted between a field economist computer and a central server in the BLS National Office using a smartcard-protected SecureRAS or VPN connection. PII data is not disclosed.

Privacy Impact Analysis

No risks exist due to sharing.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

No data is shared with external organizations.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Not Applicable.

How is the information shared outside the Department and what security measures safeguard its transmission?

Not Applicable.

Privacy Impact Analysis

Not Applicable.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

Yes. Letters of Introduction are sent to potential respondents describing the Consumer Price Index Program and the reasons for these individuals being contacted. Included in this letter is a notion that while important, cooperation in this data collection is voluntary.

Additional information is provided at the point of contact following the standards of SO-1291 Confidential Burden Statement, which includes the fact that cooperation is voluntary; that all information collected is confidential; that it is being collected for strictly statistical purposes; and that the interview should take about 15 minutes.

Do individuals have the opportunity and/or right to decline to provide information?

Yes.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

There is only one use and that is, as stated above, to maintain contact with the individual for continued cooperation with our survey. If at any time an individual wants to discontinue cooperation, they can notify the field economist.

Privacy Impact Analysis

There are no risks with individuals being unaware of collection.

Access, Redress and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

The information was collected directly from the individual. It is not changed or altered in any way. Individuals do not have access to the collected information stored in the CPI system.

What are the procedures for correcting inaccurate or erroneous information?

If incorrect data was captured upon first contact, subsequent contacts provide the opportunity to correct the information.

How are individuals notified of the procedures for correcting their information?

During the interview process, individuals may update their information.

If no formal redress is provided, what alternatives are available to the individual?

Not Applicable.

Privacy Impact Analysis

Individuals have the opportunity to notify the CPI field economist if their contact information has changed.

Tecnical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

BLS IT security procedures instruct on the process of requesting access, creating access accounts, and account management. In addition, there are training prerequisites for security awareness and use of the system's applications.

Will Department contractors have access to the system?

Yes.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Annually, Information System Security Awareness Training is provided by DOL. Annually, Confidentiality and Security Training is provided by BLS.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Computers containing the data use two-factor authentication. Transmission of the data is performed by applications and requires a smartcard. The data storage device on the data collection computers is encrypted to prevent access by unauthorized persons. Active Directory is used to establish and control user permissions to data repositories.

Privacy Impact Analysis

The employed security controls mentioned above for accessing and transmitting the data mitigate the risks of unauthorized access to the data.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

The CPI system is in the Maintenance stage. The CPI project development life cycle is based on the Rational Unified Process (RUP) and conforms to the DOLSDLCM.

Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

The project employs Tablet PC computers which are used to conduct mobile data collection activities, to include the electronic transmission of PII data between the computers and the Washington Office infrastructure. The employed security controls on the mobile computers include two-factor authentication using Entrust/PKI with Smartcards, and disk encryption using Checkpoint Endpoint Security. The employed data transmission security controls include SecureRAS and VPN.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

BLS has completed the PIA for the Consumer Price Index system which is currently in operation. BLS has determined that the safeguards and controls for this moderate system adequately protect the information.

BLS has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.