Office of the Chief Information Officer

Privacy Impact Assessment Questionnaire

MSHA Mine Accident Injury and Employment System (MAIES) — FY2013

Overview

The Mine Accident Injury and Employment System (MAIES) is owned by the Office of Injury and Employment Information (OIEI) of the Information Technology Center (ITC) and maintained by the Legacy Systems Branch (LSB), which is also part of ITC. MAIES accomplishes the functions that are authorized by 30 USC 819.

MAIES collects, edits, updates, stores and reports information pertaining to mine operators and independent contractors working at mining operations, as well as employment, accidents, injuries and fatalities chargeable to mine operators and contractors as defined in Part 50, 30 CFR.  The system also provides statistical information.  This data provides MSHA timely information for making decisions on improving safety and health programs, improving education and training efforts, and establishing priorities in technical assistance activities in the mining industry. The primary uses of the records are (a) to determine probable cause of accidents, injuries, and illnesses and (b) to provide a statistical analytic data base for allocation of MSHA and other resources to reduce occupational injuries and illnesses. 

The accident and injury data maintained by MAIES is utilized to provide statistical information and is not reported for an individual. Reported information is not traceable to a specific individual. 

MAIES is a self-contained system whose data is shared with the MSHA Standardized Information System (MSIS), as MAIES is to be incorporated within the MSIS infrastructure at a future date. However, at this level of data sharing no PII is shared between these systems.

General:  PL 93-579 (Privacy Act of 1974) December 31, 1974
Authority:  Section 103 of Public Law 91-173, as amended by Public Law 95-164
Effects of Non-Disclosure:  PL 93-579 Section 7(b).

MSHA asks for the last 4 digits of the social security number, under authority of Section 103 of Public Law 91-173, as amended by Public Law 95-164.  This personal identification, which is not unique to any individual, helps MSHA establish the accuracy and usefulness of the information from injury and illness records.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.   

Members of the public (miners and/or people who are injured on mine property).

What are the sources of the PII in the information system?

PII is collected from submitted 7000-1 forms (a.k.a. Mine Accident, Injury Reports, which contain accident/injury information) that are completed by mine operators and independent contractors.

What is the PII being collected, used, disseminated, or maintained?

The PII collected consists of last name, date of birth and the last 4 digits of the Social Security Number.  It is used and maintained for statistical purposes.

How is the PII collected?

7000-1 forms (aka Mine Accident Injury Reports) are submitted either via hardcopy, facsimile or electronically by mine operators and independent contractors.

How will the information be checked for accuracy?

Personal data collected is provided by the mine operator or contractor as obtained from the individual who is the subject of the data being collected.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

PL 93-579 (Privacy Act of 1974) December 31, 1974
Authority:  Section 103 of Public Law 91-173, as amended by Public Law 95-164
Effects of Non-Disclosure:  PL 93-579 Section 7(b) authorized by 30 USC 819
Part 50, 30 CFR

Privacy Impact Analysis

The MAIES is hosted by SunGard on an IBM mainframe computer located in Voorhees, New Jersey.  The SunGard facility provides:

  • High availability in a fully secure data center
  • 24 x 7 operations monitoring and support
  • Automated system backups
  • Disaster recovery planning and hot-site backup

System security is enforced through IBM's Resource Access Control Facility (RACF), a powerful security program that allows system administrators to implement the security policies.  Following is a partial list of what RACF lets system administrators do:

  • identify and verify system users;
  • identify, classify, and protect system resources;
  • authorize the users who need access to the resources administrators have protected;
  • control the means of access to these resources; and
  • log and report unauthorized attempts at gaining access to the system and to the protected resources.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

Indexed and filed by mine identification number and date of accident and injury occurrence or illness diagnosis.  Accessed by programs that reference the following types of information:

  • mine identification,
  • date of accident,
  • date of birth,
  • last name, and
  • last four digits of social security number of individual(s) involved in an injury or illness being reported upon.

What types of tools are used to analyze data and what type of data may be produced?

Data stores on the IBM mainframe are accessed by authorized personnel using COBOL retrieval programs and reports.  Some reports contain detailed information about specific accidents, illnesses, or injuries; others provide summarized statistical information.  Information containing PII is restricted to those authorized to view it. These individuals have been trained on their duties and responsibilities in handling PII data and are given annual refresher training in this area. Data provided to outside parties is stripped of PII and delivered in text format.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No

If the system uses commercial or publicly available data, please explain why and how it is used.

N/A. Uses data provided by mine operators and independent contractors.

Privacy Impact Analysis

Computer safeguards and procedures were developed by MSHA under GSA Circular E-34. Appropriate reports are marked with the Privacy Act warning.  Only authorized personnel have access to files.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

MSHA Forms 7000-1, Mine Accident, Injury, and Illness Report, are retained for 6 years after year of record and then destroyed.  Electronic copies of these documents are retained by the Office of Injury and Employment Information permanently (older magnetic media is being converted to electronic media).  Records in electronic media are transferred to NARA as permanent records immediately after each annual close-out.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

Yes. 

How is it determined that PII is no longer required?   

Since the system manages data about injuries and illnesses experienced by persons, some PII will always be required to distinguish similar or concurrent incidents.  In the past, data was removed from the system and archived because regulatory changes had rendered it obsolete and enough subsequent data had been collected to begin trend analysis.

What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

Since the system manages data about injuries and illnesses experienced by persons, some PII will always be required to distinguish similar or concurrent incidents.  The system collects only partial names and partial SSNs.  A further reduction in the PII collected is not anticipated.

Privacy Impact Analysis

Data retention is a requirement through NARA, and meeting these requirements is necessary for the survivability of data once entered into the system. The data is held in the data backup system and continues to be accessible should there be cause for investigation of a particular case.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

No data from the MAIES system pertaining to PII is transferred to any other system within the MSHA domain.

How is the PII transmitted or disclosed?

N/A

Privacy Impact Analysis

N/A

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

None

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

N/A

How is the information shared outside the Department and what security measures safeguard its transmission?

N/A

Privacy Impact Analysis

N/A

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

Yes. Privacy notification is located on the website, on Form 7000-1, and in Part 50, 30 CFR. See http://www.msha.gov/privacy.htm on the main portal page or http://www.msha.gov/specdisc/70001-Disclaim.htm on the MSHA Form 7000-1.

Do individuals have the opportunity and/or right to decline to provide information?

No

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

No.

Privacy Impact Analysis

There are three ways to submit forms for processing on the MAIES system: online, by mail, or by facsimile.

Individuals deciding to provide this information online must first have a valid user account and password on the system. If this is the case, these individuals have been instructed of their responsibility for keeping privacy data, including information pertaining to them, secured and transmitted through the proper channels.

The initial webpage carries the Privacy Statement required by the Privacy Act of 1974. DOL has also provided additional information, through hyperlinks at http://www.dol.gov/dol/privacynotice.htm, on its requirements that MSHA must also meet in order to be in compliance with Federal mandates.

This information is classified and correlated by category not by individual. There are specific procedures and guidelines for those within the public domain to request information contained within this system under the Freedom of Information Act.

Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

Mine operators and independent contractors with a valid ID may view their information online. Individuals may obtain their own information by contacting the Chief of the Office of Injury and Employment Information (OIEI) in writing and providing specific information about the records sought, along with the following information:

  • Mine ID or Contractor ID
  • Full name
  • Date of birth
  • Signature

What are the procedures for correcting inaccurate or erroneous information?

Employees of the Office of Injury and Employment Information (OIEI) conduct regular quality reviews to identify erroneous information and, upon review, may enter corrections. Requests for changes may also be submitted in writing to the Office of Injury and Employment Information (OIEI). Individuals requesting amendment to the record should contact the Chief of the Office of Injury and Employment Information (OIEI) in writing and furnish the following information:

  • Mine ID or Contractor ID
  • Full name
  • Date of birth
  • Signature

How are individuals notified of the procedures for correcting their information?

Mine operators and independent contractors are provided annual reports of the information they have provided, along with contact information for corrections.

If no formal redress is provided, what alternatives are available to the individual?

N/A. Procedures exist for correction of data.

Privacy Impact Analysis

Correspondence requesting corrections is subject to the same procedures within the Office of Injury and Employment Information as initial submissions of form 7000-1.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

Network and mainframe access for internal users is granted only upon written request of a supervisor and review by one of MSHA's Delegated Requestors. E-Gov submission requires a registration process and is password-protected.

Will Department contractors have access to the system?

Yes, as described for internal users above.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Annual PII training is provided through the DOL. The user community is also given periodic updates through e-mails from the CIO reminding them of their responsibility in the area of privacy and privacy issues.

What auditing measures and technical safeguards are in place to prevent misuse of data?

All users are authenticated prior to logon and access to the data. These General Support Systems employ security measures which are documented elsewhere. Internal access requires both a network and mainframe account. In addition, data update logs are provided to the Office of Injury and Employment Information daily for review.

Privacy Impact Analysis

Typically, in a system that uses forms for submitting privacy data, the onus is on the end user to determine the best practice or course of action for submitting this information in a timely manner, as required by 30 CFR 50.20. However, if members of the user community, i.e., the mine operators and independent contractors, obtain a valid account and file online, the controls of the E-Gov system apply. External users do not have access to the MAIES system directly.

SunGard has been authorized by the DOL to provide third party services to MSHA MAIES under contract and has maintained their certification of service for the past several years.

Computer safeguards and procedures were developed by MSHA under GSA Circular E-34. Appropriate reports are marked with the Privacy Act warning. Only authorized personnel have access to files.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

Operations and Maintenance Phase

Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.

No. The PII in this system is protected by multiple layers of security, including both the mainframe and the MSHA network. It is also protected by manual procedures within the Office of Injury and Employment Information (OIEI).

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • MSHA has completed the PIA for the Mine Accident Injury and Employment System (MAIES) which is currently in operation.
  • MSHA has determined that the safeguards and controls for this moderate system adequately protect the information.
  • MSHA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.