Privacy Impact Assessment Questionnaire EBSA – EFAST – FY14
The system name and the name of the DOL component(s) which own(s) the system.
The Employee Retirement Income Security Act (ERISA) Filing Acceptance System (EFAST2) is owned by the DOL’s Employee Benefits Security Administration (EBSA) and developed and operated by a private contractor.
The purpose of the program, system, or technology and how it relates to the component’s and DOL mission.
Under Titles I and IV of ERISA, and the Internal Revenue Code, pension and other employee benefit plans are required to file annual returns/reports concerning the financial condition and operations of the plan. These requirements are generally satisfied by filing the Form 5500 Series through the EFAST2 system. The EFAST2 data is used by EBSA in its enforcement of Federal laws, regulations, and standards. The system also supports monitoring and enforcement of ERISA reporting requirements and processing of ERISA-prohibited transaction exemptions. The EFAST2 system provides the public, filers, third party vendors, Internal Revenue Service (IRS), Pension Benefit Guaranty Corporation (PBGC), and EBSA with self-service and customer services offerings.
A general description of the information in the system.
EFAST2 electronically receives, processes, stores, publicly discloses, distributes, and archives approximately 1 million Form 5500 Series filings submitted annually by employers. Form 5500 Series electronic filings include structured data associated with Forms and Schedules, and unstructured data associated with Portable Document Format (PDF) and text file attachments.
A description of a typical transaction conducted on the system.
Employers register for an EFAST2 account through the EFAST2 web portal. Once registered, plan administrators/sponsors complete, sign, submit, and verify receipt of the Form 5500 through the EFAST2 portal or EFAST2-certified third party software. Plan participants, stakeholders, and the public can search for submitted Form 5500 filings through the EFAST2 web portal.
Any information sharing conducted by the program or system.
EFAST2 data is furnished to two other Government agencies: the Internal Revenue Service (IRS) and the Pension Benefit Guaranty Corporation (PBGC).
Where appropriate, a citation to the legal authority to operate the program or system.
DOL EBSA’s final rule RIN 1210-AB04, available at http://www.dol.gov/ebsa/regs/fedreg/final/2006006331.htm, mandated electronic filing for all Form 5500 filings submitted under Title 1 of ERISA (Employee Retirement Income Security Act) beginning on January 1, 2010. EFAST2 is a web-based system that was designed to process the Form 5500 filings submitted over the Internet starting in 2010. The Pension Protection Act of 2006 requires DOL to electronically disclose basic and actuarial information contained in those filings on its website. EFAST2 provides that disclosure function through a web portal application.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
The Form 5500 requires the name and business contact information of employee benefit plan administrators, plan sponsors, and filing entities. Additionally, depending on the reporting requirements applicable to the type of return/report being filed, the manual signature of the plan administrator, plan sponsor, Direct Filing Entity (DFE), actuary, accountant and/or fiduciary may be collected. When the Schedule SB or MB is attached to a one-participant 5500-SF, it may contain financial information related to an individual. The application for an EFAST2 account collects names, business contact information, and secret information (the place or date of birth).
What are the sources of the PII in the information system?
Filings containing PII are provided by the filing preparer.
Applications for EFAST2 accounts contain PII and are completed by individuals requesting those credentials. Specifically, the application to receive electronic signature credentials is completed and submitted by the plan sponsor, administrator, or DFE. The application for filing transmitter credentials is provided by the person or organization that wishes to submit large quantities of Form 5500 filings. The application for Form 5500 software developer credentials is provided by the organization that wishes to develop and certify Form 5500 preparatory or submission software. The application for IFILE authoring credentials is provided by individuals wishing to use the free, web-based application on the EFAST2 website to prepare Form 5500s or portions thereof.
What is the PII being collected, used, disseminated, or maintained?
PII being collected includes:
- First and/or last name
- Date of birth
- Place of birth
- Business address
- Business phone number (e.g., phone, fax, cell)
- Business e-mail address
- Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
- Amount of assets in pension/welfare plans
- Network logon credentials (e.g., username and password, public key certificate)
How is the PII collected?
Filings can be submitted to EFAST2 by two methods: (1) filings can be submitted using web-portal based, interactive data entry capabilities; and (2) filings can be submitted electronically using web services via third-party, Government-certified software. Submitted filings are captured into EFAST2 data repositories.
How will the information be checked for accuracy?
Independent monitoring, quality control, and defined edit checking examine the data for accuracy.
What specific legal authorities, arrangements, and/or agreements defined the collection of information?
The ERISA Act of 1974 and provisions of the Internal Revenue Code require certain employee benefit plans to submit information annually to the Federal government (EBSA, IRS, and PBGC). DOL, IRS, and PBGC created the EFAST and EFAST2 systems to streamline the Form 5500, and the methods by which the Forms are filed and processed. These Forms are reviewed and approved by OMB.
Privacy Impact Analysis
EFAST2 is in the Operations phase. As EFAST2 has progressed through its life cycle, risks to PII have been reassessed and updated in documentation as contract deliverables. An updated risk assessment is produced annually.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
Describe all the uses of the PII.
What types of tools are used to analyze data and what type of data may be produced?
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
EFAST2 publicly discloses the filed Form 5500s through its web portal application with exceptions:
- Submissions in which sensitive information was inadvertently enclosed with the filing (e.g. Schedule 8955-SSA which should be filed with IRS and not EFAST2).
- One-participant plans filed on a Form 5500-SF.
- Filings identified as amendments and linked to their parent filing.
EFAST2 also provides the filing data to DOL, IRS, and PBGC for analysis and enforcement, as described below.
The DOL uses EFAST2 data to populate the ERISA Data System (EDS), a relational database of plan filing data and images. Departments within DOL query EDS data to fulfill research, compliance, auditing, enforcement, and filer-support responsibilities. The Office of Enforcement (OE) exports EDS data to the Enforcement Management System (EMS), OE’s client-server application, which is the official source of enforcement information for investigators.
The IRS uses EFAST2 data to populate the Employee Plans Master File (EPMF), housed at the IRS's main ERISA data repository at the IRS’ Martinsburg Computing Center. EPMF data are used primarily to generate penalty notices to filers of late or incomplete returns. EPMF data will be exported to the EPMF Corporate Files On-Line (CFOL) and the EPMF Taxpayer Information Filer Databases (TIF). The EPMF CFOL database provides access to Returns Inventory and Classification System (RICS) users, who select returns for examination and quality review, and create facsimiles of Form 5500 Series returns for Employee Plans (EP) Examiners. The EPMF TIF database provides access to Integrated Data Retrieval System (IDRS) users, who correct EPMF unpostables, perform notice review, and respond to filer inquiries.
The PBGC uses EFAST2 data to populate three end-user processing systems, including the Pension Accounting System (PAS), the High-Tech Actuarial and Financial Management System (CHAMPS), and the Pension Insurance Modeling System (PIMS). PAS is used by PBGC to compare Form 5500 with Form 1 Premium Filings for compliance. PAS feeds data into CHAMPS, where plan records are converged with a consortium of data from several other sources, such as Bloomberg, which CHAMPS maintains. CHAMPS provides cross-comparisons of Form 5500 plan records and other data sources to monitor plans facing claims risk. In addition to PAS and CHAMPS, PBGC uses EFAST2 data to populate PIMS. PIMS is populated using data from Form 5500 Attachments (80% of PIMS data) and from the Schedule MB or SB (20% of PIMS data).
If the system uses commercial or publicly available data, please explain why and how it is used.
EFAST2 does not use additional commercial or publicly available data.
Privacy Impact Analysis
In compliance with the OMB, NIST, and the DOL CSH, security controls following NIST Special Publication 800-53 requirements and guidance are implemented as documented in the EFAST2 System Security Plan (SSP). The SSP is annually updated.
The following questions are intended to outline how long information will be retained after the initial collection.
How long is information retained in the system?
Filing status records will be retained in the tracking database from time of filing receipt for a minimum of five years after delivery to the Government of final status structured data records.
Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
How is it determined that PII is no longer required?
EBSA participates in DOL’s efforts to reduce the use of PII in its systems, and annually submits to the OCIO an EFAST PII Report.
What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
The EFAST system was replaced by EFAST2, which does not collect social security numbers from filers. EFAST operations ceased July 1, 2010 and EFAST2 is currently in operation.
Privacy Impact Analysis
All Form 5500 return/report information is accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output is given the same level of protection as required for the source material. The Contractor certifies that the data processed during the performance of this contract shall be completely purged from all data storage components of the Contractor’s computer facility, and the Contractor shall retain no output at the time the work under the contract is completed. If immediate purging of all data storage components is not possible, the Contractor certifies that any and all Form 5500 return/report data remaining in any storage component will be safeguarded to prevent unauthorized disclosure.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
Selected EFAST2 data is provided to DOL and used by the following EBSA offices: Office of Enforcement (OE) for ERISA enforcement purposes; Office of the Chief Accountant (OCA) for compliance enforcement and filer assistance purposes; Office of Policy and Research (OPR) for research and reporting purposes; and the Office of Participant Assistance (OPA) for public disclosure and assistance purposes.
How is the PII transmitted or disclosed?
The DOL retrieves EFAST2 plan filing data and images through a secure file transfer and uses them to populate the ERISA Data System (EDS), a relational database. Departments within DOL query EDS data, and the Office of Enforcement exports the EDS data to the Enforcement Management System (EMS), the major application that supports the enforcement of ERISA laws.
Privacy Impact Analysis
Since only publicly disclosable information is provided to EBSA internal users, there are no privacy risks aside from un-requested PII mistakenly placed by filers onto “open to public inspection” 5500 forms and free-form attachments.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
PII is shared with the following external agencies to fulfill their statutory, regulatory, and reporting obligations:
- Internal Revenue Service (IRS) for processing the pension plan data submitted by filers.
- Pension Benefit Guaranty Corporation (PBGC), for maintaining pension benefits.
Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
The data shared is compatible with the original collection. The SORN for the legacy EFAST system is identified by
DOL/PWBA-16, Form 5500EZ Filings
Federal Register, Vol. 67, No. 67, Monday, April 8, 2002, Page 16936
Two new SORNs addressing the change in data collection from paper and electronic filing to Web browser-based collection are currently in development.
How is the information shared outside the Department and what security measures safeguard its transmission?
IRS Interface: The IRS uses EFAST2 data to populate the Employee Plans Master File (EPMF), housed at the IRS's main ERISA data repository at the IRS Martinsburg Computing Center. EPMF data are exported to the EPMF Corporate Files On-Line (CFOL) and the EPMF Taxpayer Information Filer Databases (TIF). The EPMF CFOL database provides access to Returns Inventory and Classification System (RICS) users and to Integrated Data Retrieval System (IDRS) users. An Interconnection Security Agreement (ISA) between IRS and DOL is in effect and is reviewed annually. The ISA specifies security measures safeguarding data transmission and security responsibilities of the agencies.
PBGC Interface: The PBGC uses EFAST2 data to populate three end-user processing systems, including the Pension Accounting System (PAS), the High-Tech Actuarial and Financial Management System (CHAMPS), and the Pension Insurance Modeling System (PIMS). An ISA between PBGC and DOL is in effect and is reviewed annually. The ISA specifies security measures safeguarding data transmission and security responsibilities of the agencies.
Privacy Impact Analysis
EBSA has developed the EFAST2 ISAs with its Federal agency partners. Details of the operational, management, and technical security measures to mitigate the risks assessed by these agencies were described and agreed to in the ISAs, which were provided to DOL as a part of the complete system authorization package.
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
Was notice provided to the individual prior to collection of PII?
Yes. On the http://www.efast.dol.gov website, EBSA provides information on the Form 5500 series, along with answers to frequently asked questions, explanations of the filing process, and links to the Forms with filing instructions. The EFAST2 website displays a Privacy and Security Statement within the user registration process. Users must actively click that they have read and accept the privacy statement before they can enter any PII.
Do individuals have the opportunity and/or right to decline to provide information?
No. The ERISA Act of 1974 and provisions of the Internal Revenue Code require certain employee benefit plans to submit information annually to the Federal government (EBSA, IRS, and PBGC). Recent regulatory changes have mandated electronic filing for all Form 5500 filings made under Title 1 of ERISA, beginning on January 1, 2009. EFAST2 is the Web-based system designed to process the Form 5500 filings to be submitted annually over the Internet starting in 2010.
If the information required on the Form 5500 Series is not provided electronically and in accordance with the instructions, the plan sponsor/administrator may receive a follow-on letter requesting the missing information. If the information is still not provided, it then becomes a filing compliance or enforcement issue and is dealt with accordingly.
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No. Filers are bound by the ERISA Act of 1974 and provisions of the Internal Revenue Code.
Privacy Impact Analysis
To provide stateful storage of information, session cookies or other session mechanisms may be used and shall be managed by DOL policies. Persistent cookies or other client-side persistent storage mechanisms are not used. Session cookies may be used, provided that they do not threaten the privacy of individuals and do not track users over time and across different websites. Session information stored on an end user’s computer or transferred over the Internet is only in the form of unique, non-sequential identifiers. The actual state variables and metadata are not stored on the end user’s computer. All session data is stored on the web portal servers or infrastructure and internally referenced via this unique session identifier. Except for PDF readers, browser plug-ins or any applications or helpers that require a user to download and/or install them are specifically prohibited.
Access, Redress, and Correction
The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.
What are the procedures that allow individuals to gain access to their information?
Filers can display their filing information through their filing software, print, and review it prior to submission to the Government. After filings are submitted to the Government, filers can search for, view, print, and verify their submitted filing information through the EFAST2 web portal application.
Registered EFAST2 users may change their contact information or network keys (i.e., password) after successful authentication to the web portal.
What are the procedures for correcting inaccurate or erroneous information?
EFAST2 will automatically review submitted filing information for certain errors and omissions. If an error or omission is discovered by EFAST2, the filer will be electronically notified through a web service message. Inaccurate or erroneous information in a filing (whether or not it was discovered by EFAST2) can be corrected by the filer creating and submitting an amended filing.
How are individuals notified of the procedures for correcting their information?
The Form 5500 instructions alert filers to the procedures for correcting or amending filing information. Form 5500 software manuals further describe the steps the filers must follow to amend a filing, specific to that software product.
If no formal redress is provided, what alternatives are available to the individual?
Privacy Impact Analysis
EFAST2 collects and retrieves information about employee benefit plans. The vast majority of this information is publicly disclosable and posted on EBSA’s website. In the event erroneous filing information is submitted and then corrected through a linked process, only the corrected filing information would be disclosed on the website. The erroneous filing information would only be provided through EBSA’s public disclosure office.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
What procedures are in place to determine which users may access the system and are they documented?
EFAST2 implements an access control list which is provided to the Contractor through documented Government Furnished Information. The access control list specifies which information may be disclosed to which users through the EFAST2 web portal.
EFAST2 also implements interface requirements which are also provided to the Contractor through documented Government Furnished Information. The Interface Requirements Document (IRD) specifies which information may be disclosed to which Government users outside of the EFAST2 web portal.
EFAST2 access security controls meet NIST, DOL, IRS, and PBGC requirements. User groups include government staff and contractor staff, consist of administrators, developers, and end users, and are segregated by system policies to ensure least privilege and access on a need-to-know basis. The security controls and status are identified and addressed in the EFAST2 System Security Plan. Access controls implemented include, but are not limited to: credential authentication, firewalls, encryption, intrusion detection system, audit trails, access cards, and background investigations.
Yes. Department contractors will access the system as administrators, developers, and users.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
Contractor and Government users are subject to privacy security awareness training requirements prescribed by the DOL.
Users requesting an EFAST2 account will be required to read and agree to an EFAST2 privacy statement.
What auditing measures and technical safeguards are in place to prevent misuse of data?
Auditing controls adhere to and are implemented in accordance with contractual requirements and per guidance issued by the OMB, NIST, and outlined in the DOL CSH. System-specific procedures for audit controls are documented in the EFAST2 System Security Plan.
Privacy Impact Analysis
EFAST2 is currently in the Operations phase. As EFAST2 has progressed through its life cycle, risks have been assessed, updated, and documented.
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
What stage of development is the system in, and what project development life cycle was used?
EFAST2 is in the Operation phase of its development life cycle. The life cycle methodology is iterative in nature, but overall conforms to the DOL’s System Development Life Cycle Management Manual, Version 2.2, November 2006.
Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
There are no privacy concerns that are not already identified and addressed in the earlier sections of this PIA.
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
The Employee Benefits Security Administration has completed the PIA for the Employee Retirement Income Security Act (ERISA) Filing Acceptance System 2 (EFAST2), which is currently in operation. The Employee Benefits Security Administration has determined that the safeguards and controls for this moderate system will adequately protect the information.
The Employee Benefits Security Administration has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.
This assessment demonstrated that EBSA is adhering to and will continue to adhere to the provisions of the Privacy Act of 1974 for PII contained in EFAST2. EFAST2 will contain a limited amount of PII. Some PII will be contained on Forms open to public inspection but not retrievable by PII. PII on non-disclosable Forms will be stored for the exclusive purpose of performing the duties of the Federal Agencies involved and will be collected directly from the individuals, whenever possible. All PII will be protected by security controls, which will be subjected to rigorous Security Test & Evaluation as part of re-authorization of the system. The risk of misuse or loss of filing data is, therefore, judged to be minimal.