Office of the Chief Information Officer

Privacy Impact Assessment Questionnaire

The Secretary’s Information Management System (SIMS) — FY2013

Overview

The Secretary’s Information Management System (SIMS) is a web-based system owned by the Office of the Secretary designed to track Executive Correspondence and decision and informational papers through DOL. SIMS enables users to collect metadata; track document compliance; process electronic mail notification; store images; and query, track, and report on limited data. SIMS provides a single correspondence system DOL-wide and allows electronic dialogue capabilities for clearance between the Executive Secretariat, peers, and intra-organizationally. SIMS supports the current paper-based business model. DOL agencies have been allowed to use a segregated component of SIMS to track agency correspondence in accordance.

Information contained in SIMS is covered by a “system of record notice (SORN)” as defined by the Privacy Act of 1974. The information processed by the system includes Personally Identifiable Information (PII), in the form of names, mailing addresses, telephone numbers, and email addresses. Of this information only names are required and displayed in the SIMS Web Interface. The other additional information, to the extent that it is present, is contained in the actual documents which are stored in scanned form. As SIMS collects personal and similar data, the public disclosure of certain data in the system would constitute a clearly unwarranted invasion of personal privacy.

SIMS supports the SIMS FOIA sub-system, which is a department-wide system based on SIMS with additional FOIA-specific features. SIMS and SIMS FOIA share the same production database and are referenced with the same OASAM System ID, since they are one system from a security perspective. While SIMS and SIMS FOIA are components of the same system, they serve two user bases: SIMS serves the Executive Secretariat community, while SIMS FOIA supports FOIA-related activities across the Department.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public including U.S. citizens, foreign citizens, or minor children.

What are the sources of the PII in the information system?

Correspondence from the public. The only PII that is searchable in SIMS is the user’s name.

What is the PII being collected, used, disseminated, or maintained?

First and/or last name. The following information is not required by SIMS, but it might be provided as part of supporting documents by requestors: personal phone number, mailing address, personal email address, and business address.

SIMS-FOIA collects information concerning requests received by members of the public including: full name of the requester; personal mailing address; home telephone numbers; personal email addresses; and a unique tracking number which identifies each request. That information can be used, in and of itself, as a unique identifier as established by the Privacy Act.

How is the PII collected?

The PII is entered by a SIMS system user via a web form.

How will the information be checked for accuracy?

The information is cross-referenced against the correspondence or request submitted.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

The Freedom of Information Act (FOIA) requires that certain information about each FOIA requester be collected for mandated tracking responsibilities as outlined by the statute.

Privacy Impact Analysis

The amount of PII collected is minimal and is used for appropriately responding to information requests from members of the public. This poses limited to no security risk to the department or the public.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The PII is used to compile and submit a response to the requestor.

What types of tools are used to analyze data and what type of data may be produced?

There are no specific tools used to analyze the data and report on it. However, SIMS-FOIA has a dynamic reporting capability that allows system users to analyze data in many ways, including by searching on a user’s name.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No.

If the system uses commercial or publicly available data, please explain why and how it is used.

N/A

Privacy Impact Analysis

The system implements TLS encryption on all communications and implements role-based access controls to segregate duties.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

SIMS records are kept locally within DOL for 10 years; after 10 years the records are transferred to NARA. SIMS-FOIA has not been scheduled; therefore there is no approved disposition for the data in the system.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

Yes. SIMS-FOIA has not yet been scheduled.

What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

SIMS collects only the minimal amount of PII necessary to perform its business function.

How is it determined that PII is no longer required?

An assessment is performed annually to ascertain if PII is no longer required for responding to inquiries.

Privacy Impact Analysis

The data is securely maintained and only contains information necessary for correspondence.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

The PII collected (last name, first name) is shared internally with other organizations strictly for the purpose of responding to the requester.

How is the PII transmitted or disclosed?

SIMS information is transmitted digitally within the system using encryption via TLS.

Privacy Impact Analysis

There is no privacy impact to internal sharing of data.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

When necessary, incoming correspondence (but not the SIMS record itself) may be transferred to a more appropriate governmental entity.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

There are no external systems that connect to SIMS. SIMS leverages the following SORN: DOL/OASAM-24 — Privacy Act/Freedom of Information Act Requests File System

How is the information shared outside the Department and what security measures safeguard its transmission?

N/A

Privacy Impact Analysis

There is no privacy impact to external sharing of data, as no information is shared externally.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

The information is submitted voluntarily; no notice of PII collection is provided before collection. For FOIA and Privacy Act requests, DOL has provided appropriate public notice of the collection of information necessary to process requests under the statutes, in full compliance with the law and OMB guidance.

Do individuals have the opportunity and/or right to decline to provide information?

The information is voluntarily submitted, so the individual can decline to provide information they deem private. In accordance with DOL’s regulations implementing the provisions of FOIA and the Privacy Act, a requester must provide a complete name and mailing address in order to facilitate the processing of their request. Failure to properly submit a request impairs DOL’s ability to respond.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

The public has been made aware, through formal publication, of the types of information collected and routine uses that will be made of the information collected under DOL/OASAM-24 — Privacy Act/Freedom of Information Act Requests File System. An individual, armed with that knowledge, may decide whether or not to correspond with the Department or submit a FOIA request. The decision to do so is voluntary.

Privacy Impact Analysis

There is no privacy impact to providing notification.

Access, Redress, and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

None — members of the public do not have direct access to the system. Information from the system may be made available, consistent with Federal law, in response to a request for such information.

What are the procedures for correcting inaccurate or erroneous information?

As appropriate, any corrections are done per individual’s request, consistent with the provisions of the Privacy Act and DOL’s implementing regulations.

How are individuals notified of the procedures for correcting their information?

If a system user finds information that requires correction, notification may occur in writing, via fax, mail, or e-mail, to the requestor of the information. For records subject to the provisions of the Privacy Act, notification procedures are provided in the SORN and in DOL’s regulations.

If no formal redress is provided, what alternatives are available to the individual?

There is no formal redress or alternate process available as the information is voluntarily submitted. If additional information is needed the individual is contacted and erroneous data is corrected at that time. For records subject to the provisions of the Privacy Act, redress procedures are provided in the SORN and in DOL’s regulations.

Privacy Impact Analysis

There is no additional risk in the redress process, as the public does not have direct access.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

A formal user access and account management procedure is in place to grant access to the system. User access forms and rules of behavior are two of the documented products.

Will Department contractors have access to the system?

Yes.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Annual Computer Security Awareness Training is provided to all ECN/DCN users as documented within the Computer Security Handbook.

What auditing measures and technical safeguards are in place to prevent misuse of data?

SIMS leverages the Audit Web Service, which logs all system events. SIMS leverages TLS for all internal communications. Role-based access controls determine what information users have access to.

Privacy Impact Analysis

The logical and physical access controls identified in the SIMS SSP mitigate the risks.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

Operation and Maintenance — DOL SDLCM is used.

Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.

No.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • OASAM has completed the PIA for SIMS which is currently in operation. OASAM has determined that the safeguards and controls for this moderate system adequately protect the information.
  • OASAM has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.