Skip to page content
Office of the Chief Information Officer
Bookmark and Share

Privacy Impact Assessment Questionnaire

OASAM – Title VI/VII FY2011

Overview

The Title VI/VII Processing System is owned by the Civil Rights Center (CRC) which uses this system to record and track discrimination complaints filed by DOL employees, members of the public who have applied for employment with DOL or members of the public who are either employed with or receive benefits from an entity that is funded by DOL. Only DOL employees with Equal Employment Opportunity (EEO) responsibility (Regional Civil Rights Officers and EEO managers) have access to the system. The information processed by the system includes PII in the form of names, business and home: address, telephone number, email address, SSN (last 4 digits), medical information, date of birth, device identifiers, network logon credentials, and the issues of causes of the complaints. Therefore, unlawful disclosure of this data would constitute an unwarranted invasion of personal privacy. The loss, misuse or unauthorized access or modification of data could lead to identify theft and fraudulent activity.

The intent of Title VI/VII Processing System's PIA is to ensure the protection of how PII is collected, stored, protected, shared and managed.


Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

The Title VI/VII Processing Systems collects information about DOL employees, members of the public who have applied for employment with DOL or members of the public who are either employed with or receive benefits from an entity that is funded by DOL.

  • What are the sources of the PII in the information system?

The applicants that file the complaints are the source of the PII.

  • What is the PII being collected, used, disseminated, or maintained?

    The PII being collected on applicants that file complaints:
    • First and last name
    • Date of Birth
    • Personal home address, phone number and email address
    • Business mailing address, phone number and email address
    • Medical information including physician's notes
    • Medical record number
    • Device identifiers
    • Network logon credentials
  • The PII being stored for authorized users of the system:
    • First and last name
    • Date of Birth
    • SSN (last 4 digits)
    • Work email address
    • Network logon credentials
  • How is the PII collected?
    PII data (for complainants) is initially collected through paper forms and later manually entered into the Title VI/VII Processing System via the CRC staff.
  • How will the information be checked for accuracy?
    There an informal process in place for information verification. Erroneous information is revealed during the investigation of the applicant.
  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?
    The following legal authorities are applicable for the Title VI Process:
    • Title VI of the Civil Rights Act of 1964
    • Rehabilitation Act of 1973 Sections 504 & 508
    • Age Discrimination Act of 1975
    • Title IX, Education Amendments of 1972
    • Social Security Act
    • Job Training Partnership Act Section 167
    • Workforce Investment Act of 1998 Section 188
    • Americans with Disabilities Act of 1990
    • Executive Order 13160
    • Secretary's Order 4-2000
  • The following legal authorities are applicable for the Title VII Process:
    • Executive Order 11478
    • Title VII of the Civil Rights Act of 1964
    • Equal Pay Act of 1963
    • Age Discrimination in Employment Act of 1967
    • Rehabilitation Act of 1973 Sections 501, 504 & 508
    • Civil Service Reform Act of 1978
    • Secretary's Order 2-81 & 3-96
  • Privacy Impact Analysis
    Whenever personal information is gathered and stored there is some level of risk involved, such as identify theft or other fraudulent activities. Since the PII that is collected within Title VI/VII Processing System is initially captured via paper forms, the information is therefore safeguarded in secured file cabinets or in restricted areas where access to them is limited only to authorized personnel. Automated files and system access are controlled by means of identification numbers and passwords.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

  • Describe all the uses of the PII
    An individuals name and contact information (business and home: address, telephone number and email address) is used for identification and means of communicating status updates and other notifications. The date of birth is used to assist in claims of age discrimination. The medical information and device identifiers are primarily used for determining eligibility for disability. Network logon credentials are used to ensure appropriate authentication into the Title VI/VII Processing System.

    Date of Birth and SSN information is captured for users of the system to authenticate system users.
  • What types of tools are used to analyze data and what type of data may be produced?
    Title VI/VII Processing System does not use any tools for data analysis; thereby, no other additional data is produced.
  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
    No, Title VI/VII Processing System does not derive new data or create previously unavailable data about an individual.
  • If the system uses commercial or publicly available data, please explain why and how it is used.
    Title VI/VII Processing System does not use commercial or publicly available data.
  • Privacy Impact Analysis
    An applicant's compliant forms are stored in secured file cabinets, in restricted areas where access to them is limited only to authorized personnel. Automated files and system access are controlled by means of identification numbers and passwords.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

  • How long is information retained in the system?
    Information contained in Title VI/VII Processing System remains available since its initial operation in production - 2007. The information has never been purged from the system.

    However, manual records are retained for a period of three (3) years after the final disposition of a compliant. Automated files are stored for two (2) years. After the 3 year retention period of manual records, they are then retired to the Federal Records Center located in College Park, MD for two (2) years, and then destroyed via shredding. Automated files are stored on disc or tape for three (3) additional years and then destroyed via shredding.
  • Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
    The retention schedule is currently undergoing the initial stages of the approval process by the DOL agency records officers and NARA.
  • How is it determined that PII is no longer required?
    N/A
  • What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
    N/A
  • Privacy Impact Analysis
    The information in the Title VI/VII Processing Systems has never been purged. Therefore, a password must be entered in order to access the system. The required DOL's authentication requirements are enforced during Title VI/VII Processing System's password creation process.

    After the 3 year retention period of manual records, they are then retired to the Federal Records Center located in College Park, MD for two (2) years, and then destroyed via shredding. Automated files are stored on disc or tape for three (3) additional years and then destroyed via shredding.


Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
    All PII within Title VI Process (see section 1 for information collected) is shared with Office of Workers' Compensation Programs (OWSP) Office of Federal Contract Compliance Program (OFCCP) when a complainant is alleging discrimination due to an issue within a federal contract. PII is also shared with the Employment and Training Administration (ETA) when an applicant is alleging discrimination related to an ETA program.

    All PII captured within Title VII Process (see section 1 for information collected) is shared with the following nine (9) internal organizations:
    BLS, OWSP, ETA, MSHA, OASAM, OIG, OSHA, EBSA and SOL. The information is limited only to the Agency EEO Managers and Regional Civil Rights Officers to assist in the applicant's compliant process.

    * Note: SSN (last 4 digits) are only captured for system users.
  • How is the PII transmitted or disclosed?
    PII within Title VI Process is transmitted via DOL's internal mail.

    PII within Title VII Process is not transmitted as the EEO Managers have direct access to the system.
  • Privacy Impact Analysis
    PII that's transmitted through DOL's interoffice mail system is marked confidential and sealed.


External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?
    In the event that a discrimination case file falls outside of DOL's jurisdiction for the Title VI Process, the entire complainants' case file (paper form) is then forwarded via Fed Ex to the appropriate federal agency that is responsible for processing and now resolving the complaint. Other federal agencies that may have impact are: Department of Labor (DOL), Department of Education (DOE), Equal Employment Opportunity Commission (federal and/or state level) (EEOC), Health and Human Services (HHS), and the Department of Transportation (DOT).

    Medical information within Title VII Process is shared with the Public Health Service (PHS). They assist in determining whether individuals are eligible for disability.
  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
    Yes, the sharing of PII outside of the Department is compatible with the original collection, and is addressed in SORN (DOL/OASAM-22) for Title VI Process:
    http://www.dol.gov/sol/privacy/dol-oasam-22.htm

    As well as in SORN (DOL/OASAM-17) for Title VII Process:
    http://www.dol.gov/sol/privacy/dol-oasam-17.htm.
  • How is the information shared outside the Department and what security measures safeguard its transmission?
    Information is transported via Federal Express (FedEx) carrier for both Title VI/VII Processing Systems. The PII is in paper form and enclosed in a sealed enveloped.
  • Privacy Impact Analysis
    There are privacy risks associated with personal information being handled by a third party. Should the Fed Ex envelope become lost, stolen or tampered with in any way the complaints information is vulnerable to identify theft or other fraudulent activities. In order to mitigate this potential issue, information should be transmitted in electronic media only (e.g. disc, flash drive…etc) with encryption to safeguard against unauthorized access to PII.


Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII?
    Yes, notice is provided to individuals prior to collection of PII.
  • Do individuals have the opportunity and/or right to decline to provide information?
    Yes, individuals have the opportunity and/or right to decline to provide information
  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
    Yes, individuals have the right to consent to particular uses of the information. For instance, an applicant can submit a compliant anonymously, thus not disclosing there name and contact information.
  • Privacy Impact Analysis
    The Civil Rights Center (CRC) provides a public website (http://www.dol.gov/oasam/programs/crc/complaint.htm) which explains the compliant process. Potential applicants have prior access to the complaint form where they can view what would be expected of them.


Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

  • What are the procedures that allow individuals to gain access to their information?
    Due to the sensitive nature of the information collected applicants are not allowed to directly access their information. However, they can request a status of their compliant and information will be provided via email or US mail.

  • What are the procedures for correcting inaccurate or erroneous information?
    If inaccurate or erroneous information was initially identified by the applicant or the CRC staff, typically a phone call is placed advising of the situation and the corrective actions needed.

  • How are individuals notified of the procedures for correcting their information?
    An official correspondence will be sent to the individual on DOL Letterhead notifying them of the correction(s) made.
  • If no formal redress is provided, what alternatives are available to the individual
    This is not applicable as the Civil Rights Center's staff makes every effort to rectify inaccurate or erroneous information and inform the applicant of the process prior to involvement.

  • Privacy Impact Analysis
    No privacy risks have been identified at this time.


Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

  • What procedures are in place to determine which users may access the system and are they documented?
    Yes, procedures/functionality is in-place to ensure only authorized users are added to the Title VI/VII Processing System. The authentication process uses SSN information (last 4 digits) to guarantee only authorized DOL users have access to the system.
    NOTE: SSNs (last 4 digits) are not stored for applicants that file complaints.

  • Will Department contractors have access to the system?
    No, contractors do not have access to Title VI/VII Processing System.

  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
    Informal training is offered to new users on Title VI/VII Processing System to ensure the proper use of the system. Additionally, there's a yearly training offered at the program level to all employees and managers that utilize the Title VI/VII Processing System.

  • What auditing measures and technical safeguards are in place to prevent misuse of data?
    Manual records are maintained in secured file cabinets or in restricted areas, access to which is limited to authorized personnel. Automated files are controlled by means of identification numbers and passwords.

Title VI/VII has implemented various auditing functions to track changes to the data.

  • Privacy Impact Analysis
    The primary risks associated with the handling of privacy data include fraud and the unauthorized release of data outside of the controls of Title VI/VII. OASAM has implemented a required Security Awareness Training program, which includes the proper handling of privacy data. All staff members must complete online training, which includes a exam at the end of the training session. All Title VI/VII users must also read and sign a Rules of Behavior document that outlines the expectations that Title VI/VII has for all staff members who handle privacy data. Title VI/VII has also implemented various auditing functions to track changes to the data. Also, online training has been implemented to ensure the proper handling of privacy data according to job function.


Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

  • What stage of development is the system in, and what project development life cycle was used?
    Title VI/VII Processing System is in the operations and maintenance phase of the Software Development Life Cycle Management Manual (SDLCM).
  • Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
    No, Title VI/VII Processing System does not employ technology that would raise privacy concerns.


Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

OASAM has completed the PIA for Title VI/VII Processing System which is currently in production. OASAM has determined that the safeguards and controls for this moderate system are adequately protect the information.

OASAM has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.