Office of the Chief Information Officer
DOL Online Opportunities Recruitment System (DOORS)

Privacy Impact Assessment Questionnaire

DOL Online Opportunities Recruitment System (DOORS) — FY2012

Overview

The system name and the name of the DOL component(s) which own(s) the system.

The Department of Labor's (DOL) e-Recruit System is called "DOORS" (DOL Online Opportunities Recruitment System).

DOORS is a contractor-managed system that is owned by the DOL OASAM Office of HR Management Information Systems and Solutions (OHRMISS).

The purpose/function of the program, system, or technology and how it relates to the component's and DOL mission

The Department of Labor (DOL) has been using this on-line application process for recruiting and filling vacancies as part of the Department's efforts to implement the Strategic Management of Human Capital initiative of the President's Management Agenda (PMA). These efforts are the basis for DOL's e-Recruit initiative, which incorporates finding ways to streamline the vacancy recruitment process, improve the feedback to job applicants, and dramatically shorten the time needed to complete the recruitment process.

The Department of Labor's (DOL) e-Recruit System, called "DOORS" (DOL Online Opportunities Recruitment System), is the service delivery mechanism that automates the federal hiring process and is fully integrated with the Federal government's USAJOBS (Recruitment One-Stop (ROS)) System.

A general description of the information in the system and a description of a typical transaction conducted on the system.

DOORS is used by DOL to build and post vacancies directly to the USAJOBS website and to receive on-line applications from job applicants. After the vacancy closes, the HR office uses the system to help rate, rank and certify candidates. Top talent is quickly identified and can be forwarded to the selecting official.

A typical transaction conducted on the system would include the building of a vacancy announcement. Hiring Management software is used to perform the fundamental tasks for managing the Hiring Process. Such tasks include:

  • Generating, and managing/updating vacancies.
  • Posting vacancies to a web server for public access.
  • Collecting and viewing applicant data, including qualification and contact info.
  • Corresponding with applicants via electronic mail in regards to a specific application or in the form of mailing lists for employment notification purposes.
  • Building HR related reports and applicant rankings.

The system holds DOL applications, including the applicants' profile information, responses to DOL's 27 core questions, responses to the vacancy questions and the applicants' resumes.

Any information sharing conducted by the program or system.

Information sharing occurs between the www.usajobs.gov website and the DOORS system. The integration between the two systems allows an applicant to build their resume, search for jobs and begin applying to the announcement; the resume to flow from USAJOBS into the DOORS system; the applicants' questions to be captured by the DOORS system; and applicant status codes to flow back to the www.usajobs.gov website.

A general description of the modules and subsystems, where relevant, and their functions.

DOORS is comprised of the following modules:

Vacancy Builder allows you to create, copy, and edit vacancies. You can also change vacancy statuses.

Question Library is a database of questions designed to determine an applicant's qualifications. It gives users the ability to add, edit and delete questions, as well as view core questions and manage other Question Library data. Only select users have permission to use this feature.

Applicant Manager Module allows you to monitor the progress through the hiring cycle. Users can view the applicants, their applications and resume. From the Applicant Manager, you can email, select and hire applicants, run reports and track comments and changes to applicant data and individual jobs.

Reports Module allows you to run the standard or "canned" reports in the system and features Ad Hoc Reporting. (Staging Area Demographics, Demographic Summary, Selecting Official Workload, Cost Summary, Vacancy Demographics, Demographic Responses, Employment Packet, Weights and Screen Outs, Vacancy Statistics, and DEU Quarterly Workload Reports).

User Manager allows system administrators to create user profiles; add, edit, and delete user information; and create and assign user permission groups.

Utility is used to manage system information and vacancy, email and certificate templates. For example, add depts., associate grades for series, edit custom applicant status, etc.

Monster Analytics provides the ability to analyze, to export and to manipulate Hiring Management data. The core product suite provides access to pre-defined reports (including OPM & EEOC reports), dashboard functionality and ad-hoc reporting capability.

Admin Site allows Managers to create/edit list of questions for HR specialists; view & weigh question choices; and send the question list via email. It also allows managers to preview the vacancy and question before or after HR posts it. Last, this is where Managers review the certificates and make selections.

Where appropriate, a citation to the legal authority to operate the program or system.

65 CFR24732 (Federal Register April 27, 2000)
www.opm.gov/feddata/federalr.pdf
OPM/GOVT-5 Recruiting, Examining and Placement Records

Notice publication of the eight Government-wide systems of records managed by the Office of Personnel Management, proposing routine uses for various systems of records, the amending of one of OPM's Government-wide systems of records, and making needed administrative changes necessitated by various changes in office titles.

"Social Security Number

Executive Order 9397 (November 22, 1943) requires that any person doing business with the Federal government must furnish a Social Security Number or tax identification number. We must have your Social Security Number (SSN) to identify your records because other people may have the same name and birth date. The Office of Personnel Management may also use your SSN to make requests for information about you from employers, schools, banks, and others who know you, but only as allowed by law or Presidential directive. The information we collect by using your SSN will be used for employment purposes and also for studies and statistics that will not identify you. Providing your SSN, or any other information is voluntary. However, we cannot process your application, which is the first step toward getting a job, if you do not provide us with requested information."

A description of why the PIA is being conducted.

This PIA is being completed in support of the annual PIA review and as a result of OCIO Security's recommendations on the Privacy Screening Form dated November 5, 2010.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

DOL applicants use USAJOBS to create their applicant profile maintaining information about the applicant, including their resumes. DOL applicants include the following: DOL employees, other federal employees, contractors and members of the public (U.S. Citizens). For a select number of jobs, individuals authorized to work in the US may apply to DOL jobs.

What are the sources of the PII in the information system?

Applicants input their PII information when creating or updating their USAJOBS profile and resume and when creating or updating their DOL profile information through the USAJOBS integration. They provide this information during the application process.

What is the PII being collected, used, disseminated, or maintained?

The PII is being collected, used, disseminated (only as appropriate) and maintained. Only HR Users and Hiring Managers who need access to the information are given the ability to view the information.

The following PII is collected:

  • first name
  • last name
  • address
  • phone
  • email
  • country of citizenship
  • veteran's preference
  • social security number.

Applicants are also given the ability to answer 6 demographic questions, but this is voluntary. The questions are listed below.

  • Sex
  • Ethnicity
  • Race
  • Disability (submitted request to remove 06/2010)
  • If yes, is your disability one of the targeted disabilities listed below. (submitted request to remove 06/2010)
  • If you checked Yes above, please identify your targeted disability? (Check all that apply) (submitted request to remove 06/2010)

How is the PII collected?

The PII is collected via the on-line application. Since DOORS is integrated with USAJOBS via the Recruitment One Stop (ROS) initiative, applicants are asked to build a resume on USAJOBS, then are taken to DOL's website to create a profile and complete DOL's 27 core questions, demographic responses (not mandatory) and the application questions. The USAJOBS website sends the resume to the DOORS system via the integration. Therefore, DOORS maintains the entire application.

For defined hardship reasons, applicants are allowed to submit their application via paper. In this case, HR would input the application into DOORS.

How will the information be checked for accuracy?

It is the responsibility of the applicant to ensure that they enter their information accurately. At the end of the application process, applicants are given the ability to review their information prior to clicking the "Finished" button.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

65 CFR24732 (Federal Register April 27, 2000)
www.opm.gov/feddata/federalr.pdf
OPM/GOVT-5 Recruiting, Examining and Placement Records

Notice publication of the eight Government-wide systems of records managed by the Office of Personnel Management, proposing routine uses for various systems of records, the amending of one of OPM's Government-wide systems of records, and making needed administrative changes necessitated by various changes in office titles.

"Social Security Number
Executive Order 9397 (November 22, 1943) requires that any person doing business with the Federal government must furnish a Social Security Number or tax identification number. We must have your Social Security Number (SSN) to identify your records because other people may have the same name and birth date. The Office of Personnel Management may also use your SSN to make requests for information about you from employers, schools, banks, and others who know you, but only as allowed by law or Presidential directive. The information we collect by using your SSN will be used for employment purposes and also for studies and statistics that will not identify you. Providing your SSN, or any other information is voluntary. However, we cannot process your application, which is the first step toward getting a job, if you do not provide us with requested information."

Privacy Impact Analysis

Risks identified with the type of data collected include that personal information may be used in such a manner that would negatively impact an individual. For example, if a social security number is compromised, an individual may become the victim of identity theft, therefore affecting credit and other financial factors of the individual. If address information is compromised, the individual's safety could be at risk if someone with the intent to harm or negatively impact the individual was able to access this information. If an individual's contact information is compromised, the individual may become the victim of receiving unsolicited electronic marketing information (while simultaneously putting the individual's personal computer systems and files at risk) and non-electronic marketing information.

The DOORS information system contains PII and must be protected by the Privacy Act through privacy notification and system security. Risks are mitigated by requiring users with access to login with a secure User ID and Password. In addition, Rules of Behavior have been developed to emphasize the importance of keeping information "safe" (ex. Do not share your password). When the user logs in, they are first presented with the following message which refers to the Rules of Behavior:
"This is a federal computer system and is the property of the US Govt. It is for authorized use only. Users (authorized/unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected and disclosed to agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection and disclosure at the discretion of authorized site or US Govt personnel. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. When accessing a system that contains personally identifiable information, users should adhere to the Rules of Behavior. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning."
Terms and conditions are also provided as detailed below.

The following information regarding privacy is provided on the USAJOBS website:
"Summary: The United States Office of Personnel Management gives notice that it has conducted a Privacy Impact Assessment for USAJOBS. USAJOBS is the official job search web site of the United States Government. It is the one-stop source for Federal jobs and employment information, career information as well as job listings.

Privacy Policy
Thank you for visiting the Office of Personnel Management (OPM) website and reviewing our privacy policy. Our privacy policy is clear: We will collect no personal information about you when you visit our website unless you choose to provide that information to us.

The data collected resides in a System of Records under the Privacy Act of 1974 (5 U.S.C. § 552a). A Privacy Act "system of records" is defined as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."

Furthermore, under 5 CFR §293.107 – DOL has established administrative, technical, physical, and security safeguards for data about individuals in automated records, including input and output documents, reports, punched cards, magnetic tapes, disks, and on-line computer storage.

In addition, per 5 CFR §293.108 - DOL requires all employees responsible for the creation, development, maintenance, processing, use, dissemination, and safeguarding of personnel records to be familiar with the rules of conduct presented in this section.
Finally, under 5 CFR §1001.102 – DOL ensures that employees and contractors are reminded of their obligation to follow the Privacy Act with the use of mandatory annual training coursework.

The system security requirements that govern Hiring Management are derived from public law, executive order, and regulations of designated agencies of the Executive Branch of the U.S. Government. Monster Hiring Management was developed while ensuring that the associated security standards were adhered to. The Monster Hiring Management design reflects compliance to the mandated requirements within each of those standards. Below are policies and regulations that govern the MGS Hiring Management System.

  • Public Law 107-347, Federal Information Security Management Act of 2002 (FISMA)
  • Public Law 107-347, "Section 208 of the E-Government Act of 2002" (44 U.S.C. Ch 36)
  • Public Law 105-277, "Government Paperwork Elimination Act" (44 USC 3504)
  • Public Law 104-13, Paperwork Reduction Act of 1995 (44 U.S.C 35)
  • Public Law 99-508, "Electronic Communications Privacy Act of 1986"
  • Computer Fraud and Abuse Act of 1986 (Public Law 99-474), October 1986
  • Public Law 97-225, "Federal Information Managers Financial Integrity Act of 1982"
  • Public Law 93-574, "Privacy Act of 1974" (5 U.S.C. 552)
  • Freedom of Information Act (5 U.S.C. 552) as amended by Public Law 104-231, "Electronic Freedom of Information Act Amendments of 1996"
  • The Uniting and Strengthening America Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act)
  • OMB Circular A-123, Internal Control Systems
  • OMB Circular A-130 (revised), Information Resources Management, Appendix III, Security of NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
  • NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems
  • NIST Publication 800-37 - Guide for the Security Certification and Accreditation of Federal Information Systems
  • GAO/AIMD-12.19.6, Federal Information System Controls Audit Manual
  • Federal Register, volume 67, No. 36, page 8452, February 22, 2002, "Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies" (Final guidance, re-publication)
  • Department of Defense Directive (DODD) 8500.1, Information Assurance, October 2002
  • Department of Defense Instruction (DODI) 8500.2, Information Assurance (IA) Implementation, February 2003
  • Section 5 of the DOL Act
  • Online Privacy Act of 2001
  • The Computer Security Act of 1987
  • Federal Preparedness Circular (FPC) 65, Federal Executive Branch Continuity of Operations, July 1999
  • Presidential Decision Directive (PDD) 67, Enduring Constitutional Government and Continuity of Government Operations, October 1998
  • PDD 63, Critical Infrastructure Protection, May 1998
  • Federal Emergency Management Agency (FEMA) The Federal Response Plan (FRP), April 1999
  • Defense Authorization Act (Public Law 106-398), Title X, Subtitle G, "Government Information Security Reform," October 30, 2000
  • U.S. Code Title 18 Section 1030, Fraud and Related Activity in Connection with Computers
  • NIST 800-34, Contingency Planning Guide for Information Technology Systems

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The source of the PII is the applicant who provides PII as requested when creating an account on USAJOBS. At least one resume must be created on the USAJOBS website in order to apply for a DOL job. The applicant is asked to provide basic PII including name and address in order to set up a new account. The PII is used for identifying an applicant and for contacting the applicant if necessary for an interview or additional questions in relation to the applicant's application.

Per the USAJOBS website: "We collect personally identifiable information (name, email address, Social Security number, or other unique identifier) only if specifically and knowingly provided by you. We only share the information you give us with another government agency if your inquiry relates to that agency, or as otherwise required by law. Moreover, we do not create individual profiles with the information you provide or give it to any private organizations. We do not collect information for commercial marketing."

What types of tools are used to analyze data and what type of data may be produced?

MGS has a reporting tool called Analytics from which Ad Hoc and canned reports may be produced. Canned reports are also available in the DOORS Hiring Management system. Canned reports include: Ineligible Applicant Report and Vacancy Statistics Report (how many veterans applied). The Ad Hoc tool contains 5 datasets:

Applicants Dataset: The Applicants dataset contains information from Applicant Manager in Hiring Management. Example - Provide a listing of all applicants that registered in the past week.

Vacancies Dataset: The Vacancies dataset contains information from the Vacancy Builder in Hiring Management. The grouping for Vacancy Options includes fields to differentiate a vacancy record (ex - each phase will show as an individual record in this dataset). Example - Provide a vacancy listing of all jobs managed by a specific HR Manager.

Certificates Dataset: The Certificates dataset contains information related to the Certificate. If a certificate has not been issued, the vacancy will be excluded from this dataset. Example - Display a list of all vacancies with certificates issued in Quarter 1.

Applications Dataset: The Applications dataset contains information across the hiring process. Example - Display a list of all applicants for vacancies that have not yet been issued a certificate.

Demographics Dataset: The Demographics dataset is used to generate the RNO and disability breakdowns for a given vacancy or certificate. Example - Provide a summary count of all minority applicants for a specific vacancy.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No.

If the system uses commercial or publicly available data, please explain why and how it is used.

N/A

Privacy Impact Analysis

This information system contains PII and must be protected by the Privacy Act through privacy notification and system security.

Under 5 CFR 293.106 – DOL has established administrative, technical, and physical controls to protect information in personnel records from unauthorized access, use, modification, destruction, or disclosure.
Currently, access is given to those users whose strict permissions allow them to pull data from the system. Full Terms and Conditions of Use are clearly defined and Rules of Behavior have been established.

Furthermore, a 15-minute period of inactivity will cause any user to be automatically logged out of the system. Inactivity may be defined as anything other than submitting a form by clicking a submit button or requesting a new page by clicking a link.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

OPM manages applicant profiles on www.usajobs.gov and is therefore responsible for information stored within USAJOBS. The application-related data submitted from the www.usajobs.gov website to the DOORS system, per OPM's Delegated Examining Operations Handbook, is kept for 3 years for DE, Merit Staffing, SES and other jobs.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

No, we adhere to OPM's retention schedule outlined in OPM's Delegated Examining Operations Handbook, which has developed the mandate for retaining these records.

What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

The Department is adhering to retention guidance provided by OPM through the Delegated Examining Operations Handbook, dated May 2007, on page 18.

Under Chapter 1 – OPM and Agency Responsibilities, Section C - Agency Responsibilities, Record Keeping, it states:

"You are responsible for:

  • Retaining records in accordance with the DEOH Records Retention and Disposition Schedule (see Appendix C). Appendix C provides specific instructions for disposing of documents associated with delegated examining activities. Appendix C supersedes any previous record-keeping schedule that may have been furnished to a delegated examining office, including any schedule that may have been attached to a delegated examining agreement;

  • Ensuring that the records used to implement the delegation of authority are maintained in a manner that is consistent with OPM's Governmentwide system of records (OPM-GOVT-5) and the Privacy Act."

How is it determined that PII is no longer required?

Targeted records are locked within the system on a per annum cycle in the beginning of the calendar year. These records are targeted for disposal based on the following three factors:

  • Three (3) years after closing date of job announcement and are not for use in any grievance case – The majority of records that are targeted for disposal per annum are based on this determination. (Usually several hundred records per annum.)
  • Three (3) years after arbitration date for records identified for use in any grievance case – These records are used for grievance cases filed against the Department. An arbitration date is given when there is arbitration/determination for the grievance or the grievance is dropped. (Usually >fifty (50) records per annum.)
  • Records under continued grievance, appeal or special investigation are kept until an arbitration date is given. (Usually >twenty-five (25) records per annum.)

After records have been locked from use for one year, they are permanently deleted from the system using a special utility built into the system.

There are reconciliation processes in place to confirm that the proper records are targeted for disposal.

Privacy Impact Analysis

This information system contains PII and must be protected by the Privacy Act through privacy notification and system security. With regard to risks, the same risks apply as described in Section 3.4 and 3.5 because the data is still accessible in the system and has not been archived:

Risks identified with the type of data collected include that personal information may be used in such a manner that would negatively impact an individual. For example, if a social security number is compromised, an individual may become the victim of identity theft, therefore affecting credit and other financial factors of the individual. If address information is compromised, the individual's safety could be at risk if someone with the intent to harm or negatively impact the individual was able to access this information. If an individual's contact information is compromised, the individual may become the victim of receiving unsolicited electronic marketing information (while simultaneously putting the individual's personal computer systems and files at risk) and non-electronic marketing information.

DOL is committed to privacy protection. The collection of data is retained in the system until such time where it can be archived per OPM's retention schedule. Under 5 CFR 293.106 – DOL has mitigated risks by establishing administrative, technical, and physical controls to protect information in personnel records from unauthorized access, use, modification, destruction, or disclosure.
Currently, users are required to login with a User ID and Password. Account access is only given to those HR users who need access (to build a job or manage applicants). Permissions can be assigned only as necessary (ex. Senior HR Specialists have more permissions than HR Specialists). Full Terms and Conditions of Use are clearly defined and Rules of Behavior have been established.

Furthermore, a 15-minute period of inactivity will cause any user to be automatically logged out of the system. Inactivity may be defined as anything other than submitting a form by clicking a submit button or requesting a new page by clicking a link.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

Applicant information containing PII is only shared with Managers or Selecting Officials who will be reviewing the certificate of eligibles in order to make a selection(s) for the job. Otherwise, only the HR office handling the vacancy announcement or the policy group, if conducting an audit, will access the announcement in the DOORS Hiring Management system.

How is the PII transmitted or disclosed?

The information is shared with the Manager via an on-line certificate. This on-line certificate allows the Manager to view the applicants' application information. Managers must also be given a User ID and Password to access the system to view the certificate.

If for some justified reason (ex: audit by Office of Policy and Accountability (Policy) within the Human Resources Center), some additional information is to be transmitted in a format other than through DOORS, Pointsec Media Encryption (PME) is the solution used by the Department of Labor to encrypt data on portable storage devices. Portable storage devices are all devices for storing data that can be easily inserted into and removed from computers, such as CDs, DVDs, thumb drives, zip drives, external hard drives, and floppy disks. PME has been installed on all workstations connected to the Employee Computer Network and all data saved to portable storage devices from these workstations is encrypted.

Privacy Impact Analysis

This information system contains PII and must be protected by the Privacy Act through privacy notification and system security. There is minimal risk associated with internal sharing and disclosure as a result of the safeguards in place (i.e. the manager must be given a secure User ID and PW to access an on-line certificate and will only be given access for the job they are hiring for; the system also allows for additional security via a feature which allows a secure password to be created for each individual certificate if more than 1 manager will be hiring for the job). If Policy is conducting an internal audit, this would be an exception to the rule where information would need to be shared, but Policy should be able to access all information within the system.

The data collected resides in a System of Records under the Privacy Act of 1974 (5 U.S.C. § 552a). A Privacy Act "system of records" is defined as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."

Furthermore, under 5 CFR §293.107 – DOL has established administrative, technical, physical, and security safeguards for data about individuals in automated records, including input and output documents, reports, punched cards, magnetic tapes, disks, and on-line computer storage.

In addition, per 5 CFR §293.108 - DOL requires all employees responsible for the creation, development, maintenance, processing, use, dissemination, and safeguarding of personnel records to be familiar with the rules of conduct presented in this section.
Finally, under 5 CFR §1001.102 – DOL ensures that employees and contractors are reminded of their obligation to follow the Privacy Act with the use of mandatory annual training coursework.

Risk is further mitigated through several activities.

  • The establishment of data management practices and compliance rules across various lines of business within the HR community.
  • Establishment of a system wide approach for the dissemination of information and reporting functions. This ensures that the information compiled can be utilized to enhance operational and administrative operations.
  • Per OMB, agencies are required, quarterly, to respond to OMB requests on the status of a number of metrics and required reports such as Race and Nationality and Origin as related to the MD 715, and the 45 day hiring rule (performance measurement).

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

  • OPM requires that agencies report EHRI data on a quarterly basis.
  • Per OMB, agencies are required, quarterly, to respond to OMB requests on the status of a number of metrics and the 45 day hiring rule (performance measurement).
  • Per OMB, required reports such as Race and Nationality and Origin as related to the MD 715 which is reported annually.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

DOL fully complies with SORN; 65 CFR24732 (Federal Register April 27, 2000). OPM and OMB have the authority to review the original collection of information. The following information is described in the following link, which may also be accessed for additional details: http://www.defenselink.mil/privacy/govwide/opm_govt-5.html

"Authority for maintenance of the system: 5 U.S.C. 1302, 3109, 3301, 3302, 3304, 3305, 3306, 3307, 309, 3313, 3317, 3318, 3319, 3326, 4103, 4723, 5532, and 5533, and Executive Order 9397.

Purpose(s): The records are used in considering individuals who have applied for positions in the Federal service by making determinations of qualifications including medical qualifications, for positions applied for, and to rate and rank applicants applying for the same or similar positions. They are also used to refer candidates to Federal agencies for employment consideration, including appointment, transfer, reinstatement, reassignment, or promotion. Records derived from the Office-developed or agency-developed assessment center exercises may be used to determine training needs of participants. These records may also be used to locate individuals for personnel research."

How is the information shared outside the Department and what security measures safeguard its transmission?

Privacy information should not need to be shared externally from the department. In rare circumstances where this information should be shared (ex. for OPM Audit purposes), Pointsec Media Encryption (PME) is the solution used by the Department of Labor to encrypt data on portable storage devices. Portable storage devices are all devices for storing data that can be easily inserted into and removed from computers, such as CDs, DVDs, thumb drives, zip drives, external hard drives, and floppy disks. PME has been installed on all workstations connected to the Employee Computer Network and all data saved to portable storage devices from these workstations is encrypted.

Privacy Impact Analysis

This information system contains PII and must be protected by the Privacy Act through privacy notification and system security. There is minimal risk associated with external sharing and disclosure because the information is not typically shared externally. In case of an audit or to report an issue to the system vendor, this would be an exception to the rule where information would need to be shared. Again, Pointsec is the tool of encryption used. Data is fully encrypted and password protected before dissemination.

The data collected resides in a System of Records under the Privacy Act of 1974 (5 U.S.C. § 552a). A Privacy Act "system of records" is defined as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."

Risk is further mitigated through the development of several activities as follows:

  • The establishment of data management practices and compliance rules across various lines of business within the HR community.
  • Establishment of a system wide approach for the dissemination of information and reporting functions. This ensures that the information compiled can be utilized to enhance operational and administrative operations.
  • Per OMB, agencies are required, quarterly, to respond to OMB requests on the status of a number of metrics and required reports such as Race and Nationality and Origin as related to the MD 715, and the 45 day hiring rule (performance measurement).

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

Yes, through the use of the USAJOBS website.

Do individuals have the opportunity and/or right to decline to provide information?

Yes, USAJOBS states the following: "Giving us your SSN or any of the other information is voluntary. However, we cannot process your application, which is the first step toward getting a job, if you do not give us the information we request."

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

Yes, by not providing their information through the USAJOBS website.

Privacy Impact Analysis

This information system contains PII and must be protected by the Privacy Act through privacy notification and system security. The primary risk in regards to notice is that applicants may be hesitant to input their personal information into the system due to concern of their personal information being compromised. This risk is mitigated by posting notifications on the website confirming that information is only used as necessary (ex. SSN is only used for employment purposes) and by posting notifications on how to safeguard your information (ex. the "Anti-phishing Notice" posted on www.usajobs.gov explains how to be on alert for fraudulent emails and explains how to report fraud if suspected). USAJOBS has also posted information addressing "How to be a safe internet user" to educate individuals on how to use the Internet safely.

The PII is used for identifying an applicant and for contacting the applicant if necessary for an interview or additional questions in relation to the applicant's application.

Per the USAJOBS website: "We collect personally identifiable information (name, email address, Social Security number, or other unique identifier) only if specifically and knowingly provided by you. We only share the information you give us with another government agency if your inquiry relates to that agency, or as otherwise required by law. Moreover, we do not create individual profiles with the information you provide or give it to any private organizations. We do not collect information for commercial marketing."

"Executive Order 9397 (November 22, 1943) requires that any person doing business with the Federal government must furnish a Social Security Number or tax identification number. We must have your Social Security Number (SSN) to identify your records because other people may have the same name and birth date. The Office of Personnel Management may also use your SSN to make requests for information about you from employers, schools, banks, and others who know you, but only as allowed by law or Presidential directive. The information we collect by using your SSN will be used for employment purposes and also for studies and statistics that will not identify you.

Information we have about you may also be given to Federal, State, and local agencies for checking on law violations or other lawful purposes. We may send your name and address to State and local Government agencies, Congressional and other public offices, and public international organizations, if they request names of people to consider for employment. We may also notify your school placement office if you are selected for a Federal job.

Giving us your SSN or any of the other information is voluntary. However, we cannot process your application, which is the first step toward getting a job, if you do not give us the information we request."

Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

Applicants may log on to the USAJOBS website at any time to access and edit their account profile.

What are the procedures for correcting inaccurate or erroneous information?

Applicants may update their USAJOBS profile or resume (including SSN) if they notice any incorrect or outdated information. Applicants may also update their DOL Profile information via USAJOBS if they notice any incorrect or outdated information by accessing any open DOL announcement.

How are individuals notified of the procedures for correcting their information?

Per USAJOBS website and posted FAQs.

If no formal redress is provided, what alternatives are available to the individual?

None.

Per USAJOBS website and posted web page and FAQs.
"…
Giving us your SSN or any of the other information is voluntary. However, we cannot process your application, which is the first step toward getting a job, if you do not give us the information we request."

Privacy Impact Analysis

This information system contains PII and must be protected by the Privacy Act through privacy notification and system security. Should an individual's information be compromised, the individual should contact the OPM Privacy Program Manager by emailing privacy@opm.gov to advise on rectifying the situation. Or, if an individual believes personal information has been compromised, the following guidance has been provided from the www.usajobs.gov website:

"…you can file a complaint at ftc.gov, and then visit the FTC's Identity Theft website at www.consumer.gov/idtheft. Victims of phishing can become victims of identity theft. While you can't entirely control whether you will become a victim of identity theft, you can take some steps to minimize your risk. If an identity thief is opening credit accounts in your name, these new accounts are likely to show up on your credit report. You may catch an incident early if you order a free copy of your credit report periodically from any of the three major credit bureaus. See www.annualcreditreport.com for details on ordering a free annual credit report.

We remain committed to safeguarding the integrity of the information provided by job seekers. If you have any questions, please contact mayday@fedjobs.gov."

Lastly, the following initiatives were implemented in September 2007 by Monster to mitigate the risk of online fraud:

  • Implementing new, robust capabilities for worldwide monitoring and surveillance of site traffic.
  • Reviewing and tightening all site access policies and controls.
  • Launching a series of targeted initiatives to protect job seeker contact information.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

Data Administrators, HR Users and Managers have access to the DOORS System. The DOORS Team keeps an updated spreadsheet of all new, updated and inactivated DOORS Accounts.

For HR Users, a specified DOORS Point of Contact must be the originator of a request to create a new DOORS user account or must be copied on the email request. For Managers, an active DOORS HR User must put in requests to set up Manager Accounts.

For Data Administrators, the HR Project Manager or a member of the DOORS Team is responsible for confirming if the user needs Data Administrator permissions and is responsible for setting up these accounts.

Will Department contractors have access to the system?

Yes.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

All employees at DOL, including contractors, are required to take the Computer Security Awareness Training (CSAT) once a year.

What auditing measures and technical safeguards are in place to prevent misuse of data?

An Access Control List restricts connections to the network address ranges of the respective DOL networks. Only individuals using PCs with IP addresses within those network ranges will be permitted to connect. Furthermore, account access is given to those users whose strict permissions allow them to pull data from the system. Full Terms and Conditions of Use are clearly defined and Rules of Behavior have been established.

Privacy Impact Analysis

This information system contains PII and must be protected by the Privacy Act through privacy notification and system security.

Currently, account access is given to those users whose strict permissions allow them to pull data from the system. Full Terms and Conditions of Use are clearly defined and Rules of Behavior have been established.

In reference to "AC-7 Unsuccessful Login Attempts", accounts are locked after five consecutive failed login attempts (user must contact DOORS@dol.gov to unlock).

In reference to "AC-11 Session Lock", a 15 minute period of inactivity will cause any user to be automatically logged out of the system.

"A period of inactivity may cause you to be automatically logged out of the system. Inactivity may be defined as anything other than submitting a form by clicking a submit button or requesting a new page by clicking a link. Due to security purposes your session will expire if you exceed the Maximum System Inactivity Time. You will NOT be notified prior to logout if this is about to occur. To prevent your session from expiring you may click a submit button or click a link.

Your Maximum System Inactivity Time is displayed upon login to the system. If you feel you require extra time to complete processes please contact your System Administrator (DOORS@dol.gov) to adjust your Maximum System Inactivity Time."

In reference to "AC-8 System Use Notification", users and administrators are provided a message for review prior to logging into the information system. The system use notification includes all the expected elements: (i) the user is accessing a U.S. Government information system; (ii) information system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the information system is prohibited and subject to criminal and civil penalties; (iv) use of the information system indicates consent to monitoring and recording; and (v) appropriate privacy and security notices (based on associated privacy and security policies or summaries).

In reference to "IA-5 Authenticator Management", passwords are masked out by star (*) symbols when the passwords are entered, DOORS has a minimum lifetime restriction of 15 days and a maximum lifetime restriction of 90 days for passwords, and the system limits password reuse to 5 generations.

Password rules are as follows:

"For security purposes, you are required to change your password every 90 days. Passwords must follow the convention described below:

  • The password must be different from the last 5 passwords.
  • Password length cannot exceed 15 characters.
  • Password length must be at least 9 characters.
  • The password must not contain any part of the user id, first name, or last name.
  • The password must contain characters from 3 of the following character classes:
    • English Upper Case Letters (A,B,C,...Z)
    • English Lower Case Letters (a,b,c,...z)
    • Westernized Arabic Numerals (0,1,2,...9)
    • Non-alphanumeric special characters (!,@,#,$,%,^,&,*,(,))"
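The IA-5 password rules quoted above, written out as a checker. This is an added example, not DOORS code: the function names, the reading of "any part" of a name as any run of three or more characters, and the salted PBKDF2 history store are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 9, 15                     # length bounds from the quoted rules
MIN_AGE, MAX_AGE = timedelta(days=15), timedelta(days=90)
HISTORY_DEPTH = 5                            # reuse limited to 5 generations
SPECIALS = set("!@#$%^&*()")                 # the special characters the page lists
MIN_FRAGMENT = 3  # assumption: "any part" of a name = any run of 3+ characters


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: history is kept as salted PBKDF2 digests, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _fragments(value: str) -> set:
    v = value.lower()
    return {v[i:i + MIN_FRAGMENT] for i in range(len(v) - MIN_FRAGMENT + 1)}


def check_password(candidate, user_id, first_name, last_name, history=()):
    """Return the violated rules (empty list = acceptable).

    history: (salt, digest) pairs for earlier passwords, newest first.
    """
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append("too_short")
    if len(candidate) > MAX_LEN:
        problems.append("too_long")
    classes = [
        any(c.isascii() and c.isupper() for c in candidate),
        any(c.isascii() and c.islower() for c in candidate),
        any(c.isascii() and c.isdigit() for c in candidate),
        any(c in SPECIALS for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("needs_3_of_4_classes")
    lowered = candidate.lower()
    for ident in (user_id, first_name, last_name):
        if any(frag in lowered for frag in _fragments(ident)):
            problems.append("contains_identity")
            break
    for salt, digest in list(history)[:HISTORY_DEPTH]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reused")
            break
    return problems


def change_status(last_changed: datetime, now: datetime) -> str:
    """Apply the 15-day minimum and 90-day maximum password lifetime."""
    age = now - last_changed
    if age < MIN_AGE:
        return "change_blocked"    # too soon: stops cycling through the history
    if age >= MAX_AGE:
        return "change_required"
    return "change_allowed"
```

Names shorter than three characters produce no fragments under this reading, so a deployment with such identifiers would need a stricter rule.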

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

This is a steady state system.

Does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.

This system is part of an integration project working with OPM for supporting the function of hiring applicants into the Federal Government at the Department of Labor. The USAJOBS website is accessible by applicants, but the DOORS system is not exposed to typical threats such as website defacement, brute force password attacks or denial of service as it is integrated with the USAJOBS website. Applicants apply by first going to the USAJOBS website. Their PII is transferred into the DOORS system when they continue in the process of applying for a DOL job.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • DOL has completed the PIA for DOORS which is currently in operation. DOL has determined that the safeguards and controls for this moderate system adequately protect the information.
  • DOL has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.