Privacy Impact Assessment Questionnaire
OASAM – Safety and Health Information Management System Hosting (SHIMS-Hosting V4) – FY2011
Safety and Health Information Management System Hosting (SHIMS-Hosting V4) is a web-based e-filing system responsible for the collection, submission and tracking of CA-1 (Notice of Traumatic Injury and Claim for Continuation of Pay/Compensation) and CA-2 (Notice of Occupational Disease and Claim for Compensation) forms for DOL, Department of Education (DoED) and the Transportation Security Authority (TSA).
Currently, DOL employees, Job Corps Center students, DoED, and TSA employees use the system to file an electronic CA-1 and CA-2 claim form dealing with accidents or injuries, but the overall benefit of SHIMS-Hosting V4 is the potential availability and consolidation of e-filing systems for the entire federal government, allowing the submission of CA-1 or CA-2 forms by an employee electronically. Last Name, First Name, Date of Birth, and SSN are used only for confirmation purposes; therefore, the PIA is being conducted annually.
This system is used (a) to provide an information source for compliance with the Occupational Safety and Health Act; (b) to provide a documented record of job-related accidents, injuries, and illnesses for the purpose of measuring safety and health programs' effectiveness; (c) to provide summary data of accident, injury and illness information to Departmental agencies in a number of formats for analytical purposes in establishing programs to reduce or eliminate loss-producing hazards or conditions; (d) to provide summary listings of individual cases to Departmental agencies to ensure that all work-related injury/illness cases are reported through SHIMS-Hosting V4; and (e) to use as a reference when adjudicating tort and employee claims.
Version 4.2 of SHIMS-Hosting V4 became operational on October 3, 2006. This version included upgraded Electronic Data Interchange (EDI) technologies for submission of claims to Office of Worker Compensation Program (OWCP) and enhanced functionality (e.g. Hazards Tracking, Tracking of Safety & Health Training). SHIMS Version 3.0 has been operational since 1997.
The SHIMS-Hosting V4 application handles all aspects of Federal on-the-job injury and illness reporting. SHIMS-Hosting V4 steps employees through the reporting process and ensures all required information is provided. Employee and supervisor portions of the CA-1 and CA-2 forms are completed and routed to the Worker's Compensation Coordinator (WCC) for review and compliance check. The WCC approves the claim and then files it via an Electronic Data Interchange (EDI) with the Department of Labor (DOL), Office of Worker's Compensation Programs (OWCP). The SHIMS-Hosting V4 application includes all data fields required by OWCP.
Sources of on-the-job injuries and illnesses can be analyzed through standardized and custom reports and graphs. The screen format of SHIMS-Hosting V4 replicates the familiar CA-1 and CA-2 paper forms.
The use of SHIMS-Hosting V4 advances the goals of the E-Government initiative by providing accessible electronic services for workers to file injury and illness claims. Once sent to OWCP, claims are within the handling and control of the OWCP process. OWCP performs its program functions related to filing.
A periodic refresh to SHIMS-Hosting V4 from OWCP occurs every two weeks, including information containing claims status. Thus, claimants are able to track their application for benefits. Management can review organizational performance metrics accordingly, as well as evaluate information for fraud or misuse.
Two variations from the general workflow described above exist:
- Claims can be submitted by supervisors on behalf of employees if the employee cannot file; and
- Claims can be submitted by the WCC on behalf of employees. Employees cannot file for each other if they are non-supervisors or non-WCCs.
SHIMS-Hosting V4 supports the Transportation Security Administration (TSA) and the Department of Education (DoED); MOUs have been signed to soon support the Department of Health and Human Services (HHS). Additionally, new external Federal agency clients are expected to begin using the SHIMS-Hosting V4 portal periodically over the lifetime of the system.
Biweekly offline batch data exchanges exist between SHIMS-Hosting V4 and customers' payroll/personnel systems, from which SHIMS-Hosting V4 receives the agencies' human resource data. For DOL, biweekly HR/Payroll data is received from the DOL PeoplePower system (currently managed by OCFO) through batch file extracts. The human resource data is validated prior to load into the SHIMS-Hosting V4 application by loading it into a temporary table and executing a validation script that checks for required fields and organization structure. Data that is invalid is marked for rejection with a reason. Data received via these interfaces is not modified by DOL and is used for the pre-population of CA-1/CA-2 forms and for statistical reports.
Authority for the system of records to support the SHIMS-Hosting V4 function is granted under 5 U.S.C. 7902 and Chapter 81.
Section 208 of the E-Government Act of 2002 requires federal government agencies to conduct a Privacy Impact Assessment (PIA) for all new or substantially changed technology that collects, maintains, or disseminates Personally Identifiable Information (PII) for members of the public. PII is defined as information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
- Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
SHIMS-Hosting V4 collects PII (First and Last Name, Date of Birth, SSN, Residential Address, Business Phone Numbers, Business e-mail Address, Business Address, and Injury Information, General Work Information, and Medical information that is limited to physician's notes related directly to the incident for which the claim is being filed) on DOL employees and contractors in order to allow them to process claims (CA-1 and CA-2).
- What are the sources of the PII in the information system?
The sources of PII in the SHIMS-Hosting V4 system are the DOL employees, contractors and Job Corps students.
- What is the PII being collected, used, disseminated, or maintained?
The PII (First and Last Name, Date of Birth, SSN, Residential Address, Business Phone Numbers, Business e-mail Address, Business Address, and Injury Information, General Work Information, and Medical information that is limited to physician's notes related directly to the incident for which the claim is being filed) is used by employees, supervisors, Workers Compensation Coordinator (WCC), and administrators in order to allow them to process claims. The PII is collected and maintained in the central database.
- How is the PII collected?
Employee information is collected by downloading Human Resources data from the HR system and also by manual entry during registration.
- How will the information be checked for accuracy?
The human resource data is validated prior to load into the SHIMS-Hosting V4 application by loading it into a temporary table and executing a validation script that checks for required fields and organization structure. Data that is invalid is marked for rejection with a reason.
- What specific legal authorities, arrangements, and/or agreements defined the collection of information?
The SHIMS-Hosting V4 System is subject to the federal privacy laws and regulations listed below.
- Privacy Act of 1974
- OMB Circular A-130
- OMB Memorandum M-03-22
- With regard to the administrative, technical, and operational security controls, the SHIMS-Hosting V4 System is subject to all applicable DOL, federal laws, directives, policies, regulations, standards, and guidance.
- Privacy Impact Analysis
Standard security (account, auditing, physical access) controls are in place to mitigate any risks.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
- Describe all the uses of the PII:
SHIMS-Hosting V4 collects PII (First and Last Name, Date of Birth, SSN, Residential Address, Business Phone Numbers, Business e-mail Address, Business Address, and Injury Information, General Work Information, and Medical information that is limited to physician's notes related directly to the incident for which the claim is being filed) on DOL employees and contractors in order to allow them to process claims (CA-1 and CA-2). Last Name, First Name, Date of Birth, and SSN are used only for confirmation purposes.
- What types of tools are used to analyze data and what type of data may be produced?
SQL reporting services are used to generate reports.
- Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
- If the system uses commercial or publicly available data, please explain why and how it is used.
- Privacy Impact Analysis
SHIMS-Hosting V4 does not contain any functionality to go outside of these boundaries. SHIMS-Hosting V4 staff are trained on the proper business use of SHIMS-Hosting V4 as well as the security considerations that must be adhered to while using SHIMS-Hosting V4. SHIMS-Hosting V4 adheres to all required federal security controls as set forth by the Office of Management and Budget (OMB) and DOL. SHIMS-Hosting V4 complies with all applicable National Institute of Standards and Technology (NIST) guidelines as well as the Federal Information Security Management Act (FISMA) Controls.
The following questions are intended to outline how long information will be retained after the initial collection.
- How long is information retained in the system?
The SHIMS data is kept indefinitely and is archived on the same schedule as ECN/DCN data, until DOL-wide policy for records management has been approved.
- Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
No, awaiting DOL-wide DM/RM policy.
- What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
There is no mechanism in the system.
- How is it determined that PII is no longer required?
There is no mechanism in the system.
- Privacy Impact Analysis
The risk associated with data retention is unauthorized release of information outside of SHIMS-Hosting V4. SHIMS-Hosting V4 has mitigated this risk by implementing tight security controls on the SHIMS-Hosting V4 application and limiting access to privacy data to only authorized SHIMS-Hosting V4 staff. SHIMS-Hosting V4 also conducts annual Information Systems Security and Privacy Awareness and Personal Identifiable Information Training to ensure that all SHIMS-Hosting V4 staff members are educated regarding the proper methods of handling privacy information.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
- With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
SHIMS-Hosting V4 PII is viewed by Office of Workers' Compensation Programs (OWCP) Administrators and is shared with OWCP through automated data transfer for the purpose of claims processing. The following PII is shared:
First and Last Name, Date of Birth, SSN, Residential Address, Business Phone Numbers, Business e-mail Address, Business Address, and Injury Information, General Work Information, and Medical information that is limited to physician's notes related directly to the incident for which the claim is being filed.
With whom and for what purposes:
Employees, supervisors, Worker Compensation Coordinator (WCC), administrators, and OWCP in order to allow them to process claims.
- How is the PII transmitted or disclosed?
SHIMS-Hosting V4 information is transmitted by using SFTP.
- Privacy Impact Analysis
Internal information sharing extends to the participants in the SHIMS-Hosting V4 process: employees, supervisors, Worker Compensation Coordinator (WCC), and administrators who need to be involved in processing (CA-1/CA-2) claims for agency employees and contractors. The risk associated with this sharing is low.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
- With which external organization(s) is the PII shared, what information is shared, and for what purpose?
SHIMS-Hosting V4 data is not shared with external agencies. External agencies such as the Dept. of Education (DoED) and TSA provide SHIMS-Hosting V4 with their data, which is viewable by them via SHIMS-Hosting V4.
- Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
SHIMS-Hosting V4 data is not shared with external agencies. External agencies such as DoED and TSA provide SHIMS-Hosting V4 with their data, which is viewable by them via SHIMS-Hosting V4.
It is an external agency's responsibility to ensure that the requirements of the Privacy Act are complied with, including publication of an appropriate Privacy Act System of Records Notice in the Federal Register.
The System of Records Notice (SORN) required for the SHIMS-Hosting V4 information technology system has been published: http://www.dol.gov/sol/privacy/dol-oasam-4.htm
- How is the information shared outside the Department and what security measures safeguard its transmission?
External agencies such as DoED and TSA, which have a signed subscription to use SHIMS-Hosting V4, provide SHIMS-Hosting V4 with their data. This is also accompanied by an MOU and ISA. All data is protected from access by system passwords and user roles defined and assigned by each external agency. Based on user roles, SHIMS-Hosting V4 users can view, modify, and/or generate reports based on the data within. Data transmission occurs by using SFTP. SHIMS-Hosting V4 end users don't have direct access to the database; it can only be accessed through the business layer and data layer. Only authorized ITC data center administrators can access the database directly, using strong passwords. SHIMS-Hosting V4 protects the confidentiality of transmitted information by using SFTP. As DOL is simply providing the reporting system for use by an external agency in complying with various legal filing and reporting requirements, it is an external agency's responsibility to ensure that the requirements of the Privacy Act are complied with, including publication of an appropriate Privacy Act System of Records Notice in the Federal Register.
- Privacy Impact Analysis
External agencies such as DoED and TSA, which have a signed subscription to use SHIMS-Hosting V4, provide SHIMS-Hosting V4 with their data. This is also accompanied by an MOU and ISA. All data is protected from access by system passwords and user roles defined and assigned by each external agency. The Office of Systems Development and Integration (OSDI) has developed a very secure data transmission link that SHIMS-Hosting V4 uses to transmit the encrypted data in a very safe and protected manner.
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
- Was notice provided to the individual prior to collection of PII?
Yes, there is a notification page in the system prior to collection of PII.
- Do individuals have the opportunity and/or right to decline to provide information?
Yes, prior to collection of PII there is a notification page where the user can accept or deny the Privacy Act notification. Also, an individual can hide their name associated with an OSHA 301 from view by selecting privacy case. Their name is hidden from view and can only be viewed by their supervisor and/or record keeper.
- Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
Yes, there is a notification page on which the user can consent to particular uses of the information before entering their PII into the system.
- Privacy Impact Analysis
In accordance with section 208 of the FISMA and the Privacy Act of 1974, SHIMS-Hosting V4 identifies potential privacy risks and implements appropriate privacy controls and compliance requirements. Also, the SORN is published in the Federal Register.
Access, Redress, and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
- What are the procedures that allow individuals to gain access to their information?
Users can access the information that they have filed into the system by using their credentials.
Individuals wishing to request access to records should contact the appropriate office (national/regional). Individuals must furnish the following information for their records to be located: (a) full name, (b) date of birth, (c) signature. Individuals requesting access must also comply with the Privacy Act Regulations on verification of identity and access to records (5 CFR 297.201 and 297.203).
- What are the procedures for correcting inaccurate or erroneous information?
The system provides administrators with a module to update employees' information.
During the claim submission process, if there is any erroneous user information, the claim is sent back by the OWCP. SHIMS-Hosting V4 administrators will have to go through the "Manage Employees" module to update employees' information.
- How are individuals notified of the procedures for correcting their information?
No notification is available. Users of the system need to contact the administrators for updates to their information. Users can only view their information based on their credentials. The only way in which they can update their information is via a SHIMS-Hosting V4 administrator.
- If no formal redress is provided, what alternatives are available to the individual?
This is not applicable. The system provides administrators with a module to update employees' information. During the claim submission process, if there is any erroneous user information, the claim is sent back by the OWCP. SHIMS-Hosting V4 administrators will have to go through the "Manage Employees" module to update employees' information.
- Privacy Impact Analysis
There is no additional risk in the redress process, since the public does not have direct access to SHIMS-Hosting V4. The SHIMS-Hosting V4 staff members are trained on the proper usage of SHIMS-Hosting V4 and documentation requirements for data entry and corrections.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
- What procedures are in place to determine which users may access the system and are they documented?
The SHIMS-Hosting V4 business owner enforces separation of duties through agreement and assigned access authorization. Critical functions within SHIMS-Hosting V4 are divided among different individuals to ensure that no individual has all necessary authority or information access that could result in fraudulent activity.
- Will Department contractors have access to the system?
Yes. Federal staff, as well as department contractors, abide by the same sets of rules, policies and procedures for the proper handling of privacy data.
- Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
Federal and contractor personnel are required to complete refresher training annually. All SHIMS-Hosting V4 users are required to take the Departmental annual Information System Security Awareness Training (ISSAT) and Personal Identifiable Information course.
SHIMS-Hosting V4 users acknowledge that they have read, understand, and agree to abide by the SHIMS-Hosting V4 rules of behavior before access to the information system is authorized.
- What auditing measures and technical safeguards are in place to prevent misuse of data?
The SHIMS-Hosting V4 Admin functionality allows an administrator from the agency to manage users, assign roles, and view the audit logs. As a precondition, the SHIMS-Hosting V4 System Administrator (DOL) assigns a user the SHIMS-Hosting V4 Admin role to manage employee role privileges to conduct audits, create audit logs, and ensure security of PII. SHIMS-Hosting V4 has implemented multiple automated auditing features including network and database auditing. Other auditing processes include separation of duties within SHIMS-Hosting V4 to prevent fraud or misuse of data.
- Privacy Impact Analysis
The primary risks associated with the handling of privacy data include fraud and the unauthorized release of data outside of the controls of SHIMS-Hosting V4. DOL has implemented a required Security Awareness Training program, which includes the proper handling of privacy data. All staff members must complete the training. All SHIMS-Hosting V4 users must also read and sign a Rules of Behavior document that outlines the expectations that SHIMS-Hosting V4 has for all staff members who handle privacy data. SHIMS-Hosting V4 has also implemented various auditing functions to track changes to the data. A segregation of duties policy has also been implemented to ensure the proper handling of privacy data according to job function. Given that the information maintained is used only to process claims (CA-1 and CA-2), the logical and physical access controls mitigate the risks.
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
- What stage of development is the system in, and what project development life cycle was used?
The SHIMS-Hosting V4 system has completed its initial implementation phase of the DOL System Development Life Cycle Management (SDLCM). The system is in the Operations and Maintenance Phase.
- Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.
No, the DOL SHIMS-Hosting V4 is based on the evaluation of the applicable laws and provides a framework by which agencies can ensure that they have complied with all relevant privacy policies, regulations, and guidance, both internal and external to DOL.
SHIMS-Hosting V4 also receives very secure protection from the ECN/DCN General Support System which is composed of Firewalls, Intrusion Detection Systems, Intrusion Prevention Systems, Anti-Virus systems and data encryption.
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
OASAM/OSDI has completed the PIA for SHIMS-Hosting V4 which is currently in operation. OASAM/OSDI has determined that the safeguards and controls for this moderate system adequately protect the information.
OASAM/OSDI has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.