Enterprise Business Support System (EBSS) 2012

Abstract

The Enterprise Business Support System (EBSS) is an Employment and Training Administration (ETA) Major Information System. EBSS is a Major Application that consists of multiple individual modules that generate management reports for ETA. A PIA is being conducted because EBSS stores personally identifiable information (PII).

Overview

The first components of EBSS were developed in mid 1998 and have been operational since then. EBSS is a Major Application (MA) that consists of multiple individual applications (known as modules) that collect grantee performance data and generate management reports on ETA programs. EBSS has an Oracle Relational Database Management System (RDBMS) backend and provides both internal and external web-enabled user interface which is front-end accessible by ETA headquarters’ intranet, regional locations nationwide, grantees, and registered users nationally.

For ETA, EBSS is a management tool that assists with the review and analysis of program data. EBSS enables ETA to review the data submitted by grantees and generate management reports (e.g., delinquency, aggregate, projections, etc.). A business intelligence and data warehouse component is under development to generate these management reports and to display them as a series of charts, graphs and tables accessible to ETA users from the Active Desktop after logging in from the General Support System (GSS). Information is first displayed at a national level, with a “drill down” capacity to show regional, state, and then grantee level data.

All of the EBSS applications share a networked computer infrastructure and have a common Oracle back-end for data storage and retrieval.

EBSS comprises various modules including:

Data Validation Reporting System (DVRS) — an application that provides report validation and data element validation for the Workforce Investment Act (WIA) program. This software allows the States to review and validate their WIA reporting data before final submission to the National Office (NO).
Data Warehouse and the Date Management Reporting System (DMRS) — an application that collects and maintains program performance and participant information.
Registered Apprenticeship Partners Information Data Systems (RAPIDS) — is a web-based apprenticeship training program management and reporting system. It is composed of two major components: the RAPIDS system and the E-Registration. The RAPIDS system allows RAPIDS users (Apprenticeship Training Employer and Labor Services management, regional and state directors and Apprenticeship Training Representatives) to register, process, manage, and report apprenticeship programs and apprentices registered in these programs. E-Registration allows apprenticeship sponsors to register and manage apprentices in programs they sponsor.
Prisoner Reentry Initiative (PRI) — A case management and grantee reporting system that tracks program participants and supports on-line grantee performance reporting. Youth Builds and Youth Offenders are the two additional youth programs modeled on PRI. These are considered sub-systems of PRI.
Youth Builds - a case management and grantee performance reporting system. The system collects participant level data and manages the program lifecycle at the participant level. The system also provides grantees with quarterly reporting capability and tools to manage sub-grantees.
Bene-Choice (formerly Youth Offenders) — a case management and grantee performance reporting system. The system collects participant level data and manages the program lifecycle at the participant level. The system also provides grantees with quarterly reporting capability and tools to manage sub-grantees.
Division of Trade Adjustment Assistance Management Information System (DTAA MIS) (previously known as Trade Adjustment Assistance) — an internal case tracking and management system.
Trade Act Participant Records (TAPR) — an application which collects and maintains program performance and participant outcomes for TAA and NAFTA Transitional Adjustment Assistance (NAFTA-TAA) programs.
National Emergency Grant (NEG) On-line Submission and e-Review System — a web-enabled application that automates the workflow of NEG applications. The system is comprised of two components: external and internal. The external component allows States and localities to submit the emergency grant application via on-line forms. The internal component allows the Division of NEG to review and manage the review cycle of emergency applications. In addition, management tools and reports are provided to internal users.
Rapid Response (RR) — an on-line system that allows States to inform the NO of projected closings or lay-offs, as well as reporting the estimated impact, duration, and severity of those closings.
Automated Waiver System (WAIVERS) — is an application that receives, processes, and publishes waivers for statutes and regulations as mandated by Congress.
State Employment Security Agencies (SESA) Real Property — an application to track and report federal equity in real property purchased or improved by grantees with grant money.
Job Corp Financial Accounting System (J-FAS) — an internal budget and cost reporting/tracking system which manages the Annual Advance Procurement Plan, contract history, and Financial Operating Plan changes for the Job Corps Budget Office.
WIA Standardized Record Data (WIASRD) — a system which manages file submissions and serves as a repository for annually submitted files of individual records on all participants who exit the WIA programs.
WIA Performance Reporting (WIAPR) (Quarterly) — Each state administering a grant under the WIA adult, dislocated worker, and youth programs is required to submit quarterly (ETA Form 9090) reports containing information related to levels of participation and performance outcomes. This system manages those quarterly reports.
WIA Annual Reports (WIA-AR) — Each state administering a grant under the WIA adult, dislocated worker, and youth programs is also required to submit annual (ETA Form 9091) reports containing information related to levels of participation and performance outcomes. This system manages those annual reports.
Labor Exchange (Pers9002/VETS200) Reporting — is a web-enabled application that automates the submission and review of LERS 9002 A, 9002 B, 9002 C, 9002 D, and 9002 E reports and VETS 200 A, B, and C reports.
Tax Credit Reporting System (WOTC/WtW) — is a system which automates the on-line submission of conditional certification information by state coordinators and helps regional/national coordinators assess the certification data submitted by the state coordinators so that they can better monitor and oversee the WOTC/WtW tax credit programs.
Labor Exchange Agricultural Reporting System (LEARS — migrants) — is a web-enabled application that supports the collection, certification, and assessment of services to migrant and seasonal farmworkers data submitted by the SESA. The system is composed of two components: internal and external. For external users, the system supports the electronic submission of services to migrant and seasonal farmworkers data by the States. For internal users, the system enables users to retrieve, review, and assess the data submitted by SESAs.
Senior Community Service Employment Program (SCSEP) Performance and Results Quarterly Performance Results (QPR) System (SPARQ) — a reporting system that collects financial and participant data from grantees.
Title XII Tracking System — used for State loans and payment tracking for the Office of Workforce Security.
Indian and Native American Program (INAP) — collects performance data for INA grants.
High Growth and Community Based Job Training and Performance Reporting (HGJTP) — is a web-enabled application that collects performance results from High Growth and Community Based grant programs.
Veteran’s Employment and Training Service (VETS) Operations and Programs Activity Report (VOPAR).*
Trade Adjustment Assistance Community College and Career Training (TAACCCT) subsystem will track TAACCCT grant performance over the life of the grant. The system will not collect detailed participant records, but will collect aggregate data from grantees to include a quarterly narrative performance report and annual performance data — This module is currently under-development.
Veterans Retraining Assistance Program (VRAP) aimed at providing retraining for veterans hardest hit by current economic conditions. — This module has not yet been developed.

The legal authority to operate is under Section 303(a)(6) of the Social Security Act.

Introduction

EBSS is a collection of subsystems that provide automated support across various program offices for Employment and Training Administration (ETA). For ETA, EBSS is a management tool that assists with the review, analysis, and reporting of the data collected and/or submitted.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed. Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

EBSS collects personally identifiable information (PII) on members of the public who participate in the grant programs.

What are the sources of the PII in the information system?

Grantees collect PII from participants in the program.

What is the PII being collected, used, disseminated, or maintained?

PII collected includes name, mailing address, phone number, education records, ethnic group, wages, veteran status, sex, etc.

How is the PII collected?

Below is a brief description of how applicable modules collect PII:

DTAA MIS: Form ETA-9042A is faxed or mailed to DTAA by petitioners, and internal DTAA staffs enter the information.
SCSEP: Collects the SCSEP program participant data from the Grantees when they complete the ETA report forms.
PRI: Case Managers enter the data provided by the participants.
YOUTH BUILDS: Case managers enter the data provided by the participants.
BeneChoice (formerly Youth Offenders): Case managers enter the data provided by the participants.
RAPIDS: Apprentice Training Representatives (ATR) enter the PII information.
INAP: PII Case Managers enter the data provided by the participants.
HGJTP: Case Managers enter the data provided by the participants.
How will the information be checked for accuracy?

The information is not checked for accuracy because that is not required.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

Workforce Investment Act of (29 U.S.C. 2801 et seq.) and Section 303(a)(6) of the Social Security Act.

Privacy Impact Analysis

Privacy risks identified include inappropriate handling or disclosure of PII. For that reason, solid access controls have been put in place to mitigate the risk of data being compromised.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The system collects PII for the Common Reporting Interchange System (CRIS). CRIS uses state and Federal Employment Data Exchange System (FEDES) and Wage Record Interchange System (WRIS) in generating reports. CRIS provides common performance measures for the grant programs, which do not have the ability to collect the common measure outcomes ie Entered Employment Rate, Retention Rate, and Average Earnings etc on their own.

Other PII collected enable grantees segregate participants’ data.

What types of tools are used to analyze data and what type of data may be produced?

Not applicable. Tools are not used to analyze the data.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

EBSS does not derive new data through aggregation of collected information.

If the system uses commercial or publicly available data, please explain why and how it is used.

EBSS does not use publicly available data.

Privacy Impact Analysis

The following security controls have been implemented to prevent data from being compromised:

Each grantee is assigned a unique Personal Identification number (PIN) and password.
Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file, which contains PII.
The page for the file upload has Secure Socket Layer (SSL) enabled.
Secure File Transfer protocol (S-FTP) is used to transfer files from ETA to Kansas.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

Records are maintained indefinitely.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

The retention schedule has been approved by the System Owner but there is no contract/agreement with National Archives and Records Administration (NARA).

Privacy Impact Analysis

Risks associated with the length of time data are retained, include inadvertent disclosure of confidential information. These risks are mitigated by the implementation of the following controls:

Data are encrypted in the database
An audit trail is kept of attempts to decrypt the data

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII is not shared with internal organizations.

How is the PII transmitted or disclosed?

Not applicable.

Privacy Impact Analysis

Not applicable. There is no internal sharing of PII data.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Information is shared with CRIS through Kansas. EBSS provides PII to Kansas for processing by CRIS. CRIS provides common performance measures for grant programs that do not have the ability to collect common measure outcomes ie Entered Employment Rate, Retention Rate, and Average Earnings. Kansas returns aggregate data that can not be attributed to a particular individual.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Yes. Information collected is not doctored prior to transmittal to Kansas. ETA has a Memorandum of Agreement with Kansas. In addition, SORNs for some EBSS modules have been published in the Federal Register but others are yet to be published.

How is the information shared outside the Department and what security measures safeguard its transmission?

Information is transmitted to Kansas for processing and the following security controls have been put in place:

Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file.
The page for the file upload (for grantees) has Secure Socket Layer (SSL) enabled.
Secure File Transfer protocol (S-FTP) is used to transfer files from ETA to Kansas.
Data returned by Kansas do not include social security numbers.
Data are not returned by Kansas if there are fewer than 4 records.

Privacy Impact Analysis

Given the external sharing of data, ETA identified privacy risks to include inadvertent disclosure of confidential information. For that reason, ETA established an MOU with Kansas and also implemented various security controls as mentioned above.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

Yes; notice was provided to individuals (participants). PII is collected through grantees, not collected directly from the individuals.

Do individuals have the opportunity and/or right to decline to provide information?

Yes.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

Yes. Individuals have the right to consent to particular uses in writing.

Privacy Impact Analysis

Individuals are informed that providing certain PII is voluntary.

Access, Redress, and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

Individuals do not have access to the system; only grantees can access the system.

What are the procedures for correcting inaccurate or erroneous information?

Not applicable

How are individuals notified of the procedures for correcting their information?

Not applicable

If no formal redress is provided, what alternatives are available to the individual?

Not applicable

Privacy Impact Analysis

Individuals have the right to withdraw from the program.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

Only grantees access the system using a unique PIN and password. This process is documented.

Will Department contractors have access to the system?

Yes

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

None

What auditing measures and technical safeguards are in place to prevent misuse of data?

Data are encrypted in the database and an audit trail of activities performed on the database is tracked.

Privacy Impact Analysis

Given the sensitivity and scope of the information collected, as well as any information sharing conducted on the system, privacy risks identified include inadvertent disclosure and misuse of confidential information. These risks are mitigated by the implementation of the following controls:

Developed an MOU between ETA and Kansas to address key issues.
Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file.
The page for the file upload (for grantees) has Secure Socket Layer (SSL) enabled.
Secure File Transfer protocol (S-FTP) is used to transfer files from ETA to Kansas. Kansas has an S-FTP server and DOL has an S-FTP client.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

EBSS is operational; the system development conforms to computer security lifecycle defined in the DOL System Development Lifecycle Management Manual (SDLCMM). Based on the SDLCMM, the system is in the ‘Operations and Maintenance’ phase.

Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

EBSS does not employ technology which may raise privacy concerns.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

ETA has completed the PIA for EBSS which is currently in operation. ETA has determined that the safeguards and controls for this moderate system adequately protect the information.
ETA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.

*VOPAR is currently under-development