Office of the Chief Information Officer

Privacy Impact Assessment Questionnaire

OFCCP Information Systems (OFCCP) — FY2013

Abstract

The OFCCP Information System, also known as OFIS, is the Office of Federal Contract Compliance Programs (OFCCP) Major Application (MA). OFIS was developed between FY 1997 and FY 1999 and has been operational since FY 2000.

The OFCCP Information System (OFIS) is a set of automated tools used to collect data, track, plan and report on the compliance evaluations and complaint investigations OFCCP conducts to ensure that the laws the program administers are enforced. OFIS consists of three application components: OFIS Case Management System (OFCMS), OFIS Executive Information System (OFEIS) and OFIS Administration Module (OFADM).

The Privacy Impact Assessment (PIA) is being conducted because Personally Identifiable Information (PII) is collected as part of conducting complaint investigations received from employees annually.

Overview

The Office of Federal Contract Compliance Programs (OFCCP) is part of the U.S. Department of Labor. It has a national network of six Regional Offices (RO), each with District and Area Offices (DO) in major metropolitan centers. OFCCP administers and enforces laws pertaining to Federal Government contractors.

The Office of Federal Contract Compliance Programs (OFCCP) promotes federal contractors' compliance with equal employment opportunity (EEO) and affirmative action laws and is subject to federal contract provisions. Through the authorities mentioned below, the OFCCP enforces non-discrimination and equal opportunity standards for all individuals, including women, minorities, Vietnam-era veterans and persons with disabilities.

The OFCCP monitors compliance with these equal employment opportunity and affirmative action requirements by performing compliance evaluations, during which a compliance officer examines the contractor's affirmative action program and investigates all aspects of employment. OFCCP also investigates complaints filed by individuals alleging discrimination on the basis of race, color, sex, religion, national origin, disability or veteran's status.

To help contractors understand their contractual obligations for EEO and affirmative action, OFCCP provides compliance assistance. Staff from district offices offer guidance to contractors on how to develop affirmative action programs and what to expect during a compliance evaluation. Compliance assistance is provided through company seminars, training programs held in conjunction with industry liaison groups, and individual consultations.

There are two typical transactions that are conducted and recorded within the OFIS application:

  • Compliance Evaluation: A compliance evaluation case record includes all information captured by the compliance officer during a compliance review.
  • Complaint Investigation: A complaint investigation case record includes all information collected by the compliance officer during the investigation process.

OFIS does not maintain any "Interconnections" to other information systems (either internally or externally) for the purpose of sharing information electronically.

OFIS has three subsystems within the application. They are:

  • OFIS Case Management System (CMS): CMS is the primary data collection vehicle for the integrated OFIS suite. It provides compliance officers with essential progress tracking tools and an automated method to submit compliance information and case investigation milestones.
  • OFIS Executive Information System (EIS): EIS is the primary reporting vehicle for the integrated OFIS suite of applications. It is the reporting tool that accesses data through CMS.
  • OFIS Administration System (ADM): ADM is an administrative module developed for user authentication and authorization. It is used to grant and maintain system access and privileges to an authorized list of users by means of a customized interface of administrative templates and forms.

Introduction

Through the authorities mentioned below, the OFCCP enforces non-discrimination and equal opportunity standards for all individuals, including women, minorities, Vietnam era veterans and persons with disabilities:

  • Americans With Disabilities Act Of 1990
  • Executive Order (EO) 11246
  • 38 USC 4212 The Vietnam Era Veterans' Readjustment Assistance Act of 1974 including subsequent amendments
  • Notice of Employee Rights Concerning Payment of Union Dues EO 13496
  • Monitoring Contract Compliance
  • Compliance Assistance

OFCCP supports its core business through the operation and administration of the OFIS major application. This Privacy Impact Assessment will evaluate the effectiveness of the OFIS Application in protecting the privacy information during system operation.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

The OFCCP Information System (OFIS) collects personally identifiable information (PII) on members of the public (U.S. citizens) with regard to complaints of discrimination in employment with federal contractors.

What are the sources of the PII in the information system?

The sources of the PII for the compliance evaluation process are information collected through the receipt of an Affirmative Action Plan (AAP) submitted by the federal contractor. This submission is mandated by OFCCP regulations and policies. Information is also collected from the points of contact identified during the compliance evaluation process.

What is the PII being collected, used, disseminated, or maintained?

The PII collected as part of the compliance evaluation process is the following:

  • First Name, Middle Initial and Last Name of the federal contractor's primary points of contact
  • The POC's official title, if known
  • The POC's business telephone number
  • The POC's E-Mail Address

The PII collected as part of the complaint investigation process is the following:

  • First Name, Middle Initial and Last Name of the complainant who files the complaint
  • The Street Address, City, State and Zip Code of the complainant who files the complaint
  • First Name, Middle Initial and Last Name of the federal contractor's primary points of contact
  • The POC's official title, if known
  • The POC's business telephone number
  • The POC's business telephone number extension, if applicable
  • The POC's E-Mail Address

How is the PII collected?

PII for the compliance evaluation is collected from the POC identified as a part of the compliance evaluation process conducted on the federal contractor's facility.

PII for the complaint investigation is collected either electronically, through the use of OFCCP Form CC-4 or manually using the same form.

How will the information be checked for accuracy?

The data collected is checked for accuracy and verified by the OFCCP compliance officer and the OFCCP Regional and District Office management.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

The legal authority, arrangement, and/or agreements that define and provide for the collection of this information from the OFCCP federal contractor community are provided in the Code of Federal Regulations (CFR), Title 41 (Public Contracts and Property Management), Chapter 60 (Office of Federal Contract Compliance Programs, Equal Employment Opportunity, Department of Labor). Information on this and other OFCCP laws and regulations is available for review from our Internet Web Site at OFCCP Laws and Regulations.

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The only users that have direct access to this information are OFCCP compliance officers, designated OFCCP authorized users, and OFIS operations teams. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  • Inappropriate use of the PII collected
  • Failure to secure any hardcopy documents on which PII appears

The mitigation actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

  • Establish and provide secure access to the OFCCP Information System (OFIS)
  • Establish and provide secure access to all OFCCP office locations
  • Establish and provide secure storage of hardcopy documentation in OFCCP offices
  • Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  • Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The PII that has been identified is intended for the direct use of the compliance officer(s) who may be assigned the responsibility of conducting either the compliance evaluation or complaint investigation which may require the collection of the identified PII. While this PII is stored in OFIS, it is not included as data on the majority of reports accessible to end users of this information system. With the exception of the PII collected during the complaint investigation process, this information does not appear on any of the pre-formatted reports that are available within OFIS.

The PII for both compliance evaluations and complaint investigations conducted by OFCCP is intended for the direct use of the compliance officer(s) designated with the investigative activity and to inform the constituent of the progress of the evaluation/investigation. It also serves as a communication medium for information exchange during the investigative process conducted by the designated CO.

What types of tools are used to analyze data and what type of data may be produced?

There are no analytical tools which are made available to our user community for the purpose of performing analysis related to the identified PII. No qualitative or quantitative data is generated from the identified PII collected through OFIS.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No qualitative or quantitative data is generated from the identified PII contained within OFIS.

If the system uses commercial or publicly available data, please explain why and how it is used.

Not Applicable.

Privacy Impact Analysis

This explanation is repeated throughout the document, but a separate analysis discussion for each section is required.

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The primary OFCCP user community that has direct access to this information is the Compliance Officer Community. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  • Inappropriate use of the PII collected
  • Failure to secure hardcopy documentation on which the PII appears

The mitigation actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

  • Establish and provide secure access to the OFCCP Information System (OFIS)
  • Establish and provide secure access to all OFCCP office locations
  • Establish and provide secure storage of hardcopy documentation in OFCCP offices
  • Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  • Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

The following information is derived from the OFCCP Record Retention Plan which has been approved and is currently in use with the National Archives and Records Administration (NARA):

  • Electronic Record Media
    • The OFIS Database (Master File). This mission-critical database contains information on compliance and complaint investigations conducted by the OFCCP. This information is for both historical investigations and ongoing investigations. There is also a disaster recovery procedure in place. The information in the OFIS Database must adhere to the established impact criteria described below:
      • Data Confidentiality - Medium to High
      • Data Integrity - Medium to High
      • Data Availability - Low
      • Privacy Restrictions - Yes
      • Arrangement of Data - Data is available in the OFIS database for reporting purposes according to the following structure:
        • Nationwide Scope
        • Regional Office Scope
        • District Office Scope
      • Electronic Media Volume: 2 CDs
      • Annual Accumulation: Less than 1 CD per year
      • Privacy Restrictions - Yes
      • Disposition - Permanent. Cutoff period 5 calendar years. Transfer to the NARA every 5 calendar years in a format acceptable to NARA at time of transfer.
  • Output Records (Paper Documents)
    • Case File Documents (Forms) - Computer generated forms provided by this system are used as part of the official case file.
      • Privacy Restrictions - Yes
      • Disposition - Temporary. Cut off file at end of calendar year. Hold in office and destroy when seven calendar years old.
    • Hard Copy Reports - Management reports generated by this system are provided when requested. These reports are then retained by the requesting office (National, Regional, or District).
      • Disposition - Temporary. Cut off file at end of calendar year and hold in office. Transfer three calendar years after cut off to FRC. Destroy when seven calendar years old.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

Yes.

How is it determined that PII is no longer required?

Data requirements are reviewed regularly by OFCCP management and the OFCCP Records Manager, with additional input from the DOL Office of the Solicitor, if appropriate.

What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

OFCCP data requirements have been reviewed by OFCCP management and determined to be necessary for OFCCP operations. Should OFCCP operational requirements change, OFCCP management will review the data requirements with the purpose of altering the amount of PII collected, stored, or maintained by OFIS.

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The primary OFCCP user community that has direct access to this information is the Compliance Officer Community. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  • Inappropriate use of the PII collected
  • Failure to secure hardcopy documentation on which the PII appears

The mitigation actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

  • Establish and provide secure access to the OFCCP Information System (OFIS)
  • Establish and provide secure access to all OFCCP office locations
  • Establish and provide secure storage of hardcopy documentation in OFCCP offices
  • Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  • Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.
  • Data maintained by the system is retained in accordance with a schedule mandated by OFCCP and Federal records management
  • The data that is maintained has the appropriate safeguards to protect its integrity and to prohibit unauthorized disclosure while in retention.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

The identified PII is collected through our regional, district and area office locations. This data is shared with employees of the national office, as required, and also with employees throughout our various field office locations. This information is available internally via our major application (OFIS). This information is accessible through various reports which are available through OFIS. The type(s) of PII that are primarily shared are name and address information collected as part of our complaint investigation process.

How is the PII transmitted or disclosed?

The identified PII is transmitted internally between the OFCCP regional/district/area offices and the national office through OFIS. This information is transmitted electronically and is only disclosed to those employees on a "need-to-know" basis.

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The primary OFCCP user community that has direct access to this information is the Compliance Officer Community. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  • Inappropriate use of the PII collected

The mitigation actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

  • Establish and provide secure access to the OFCCP Information System (OFIS)
  • Establish and provide secure access to all OFCCP office locations
  • Establish and provide secure storage of hardcopy documentation in OFCCP offices
  • Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  • Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.

OFIS data is shared with other internal organizations and is encrypted during transmission. However, there are controls to restrict access to and to limit permissions to users. In addition, privacy training is also provided to users of the system. Further, individuals are permitted the opportunity to decline to provide their information.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

How is the information shared outside the Department and what security measures safeguard its transmission?

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

Privacy Impact Analysis

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

The following information is provided to the public (and is included on the CC-4 Form) used to initiate complaint investigations received by the OFCCP.

Instructions - Before completing this form, please read all instructions, including the Privacy Act statement below. Use this form to file a complaint of discrimination in employment under any of the OFCCP programs. Note: Persons are not required to respond to this collection of information unless it displays a currently valid OMB control number.

Privacy Act Notice:

The authority for collecting this information is Executive Order 11246, as amended; Sec. 503 of the Rehabilitation Act of 1973, as amended; the Vietnam Era Veterans' Readjustment Assistance Act of 1974, as amended, 38 U.S.C. 4212; Title VII of the Civil Rights Act of 1964, as amended; and/or Title I of the Americans with Disabilities Act of 1990, as amended (ADA). This information is used to process complaints and conduct investigations of alleged violations of the above Order or Acts. We will provide a copy of this complaint to the employer against whom it is filed and, when matters alleged are covered by Title VII and/or ADA, to the U.S. Equal Employment Opportunity Commission (EEOC). The information collected may be verified with others who may have knowledge relevant to the complaint. It may be used in settlement negotiations with the employer or in the course of presenting evidence at a hearing, or may be disclosed to other agencies with jurisdiction over the complaint. Providing this information is voluntary; however, failure to provide the information will restrict the action that the Department of Labor can take on your behalf and, for matters covered by Title VII or the ADA, may affect your rights to sue under those laws.

Do individuals have the opportunity and/or right to decline to provide information?

Yes. There is no regulatory requirement which mandates the collection of the identified PII, either for compliance evaluations or complaint investigations conducted by the OFCCP.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

An individual has the right to consent to the collection of data (since this data collection is a voluntary component of the compliance evaluation and/or complaint investigation process), but there is no process/procedure currently in place within the OFCCP which defines a "consent requirement" for a particular use of the PII collected.

Privacy Impact Analysis

This Notice is provided to either the POC for the Federal Contractor and/or the Complainant during direct contact with the OFCCP Compliance Officer responsible for conducting the compliance evaluation/complaint investigation. Submission of the identified PII by representatives/parties as a part of either investigative process is voluntary and this information is communicated by the compliance officer assigned to the investigation and also is provided in writing prior to the collection of PII.

Access, Redress and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

For the PII related to compliance evaluation case record, the requestor is to inquire to the compliance officer(s) assigned to conduct the compliance evaluation of the federal contractor.

For the PII related to the complaint investigation case record, the respondent is provided with a copy of the CC-4 form during the initial meeting with the compliance officer(s) assigned to conduct the complaint investigation of the Federal Contractor Facility. The identified PII is entered in the OFIS from the information collected on the CC-4 Form.

What are the procedures for correcting inaccurate or erroneous information?

Upon identification/notification of the identified PII, whether associated with a compliance evaluation or a complaint investigation case record, the assigned compliance officer is responsible for correcting inaccuracies with the identified PII prior to the completion of the compliance evaluation or complaint investigation.

How are individuals notified of the procedures for correcting their information?

This process is currently provided to individuals verbally, by the compliance officer(s) assigned to conduct the evaluation/investigation under which the identified PII is collected.

If no formal redress is provided, what alternatives are available to the individual?

Please see above statement.

Privacy Impact Analysis

Currently, there is only one known privacy risk associated with individuals with respect to the redress processes described above. This risk is not directly related to the OFIS, but rather, to the "Ethical Standard" under which OFCCP employees perform their duties. To mitigate this risk, the OFCCP continues to provide the appropriate training to all employees regarding their conduct while in the federal service and their obligation to protect all information collected by the federal government, as mandated.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

There are Access Control/Account Management procedures which are currently in place that describe the technical safeguards and security measures for ensuring access to the OFIS is managed and monitored.

Will Department contractors have access to the system?

IT Contractor Support personnel have access only to the development, testing and production OFIS environments.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

All OFCCP Employees must complete the mandatory Privacy Act training annually. This training is required for all OFCCP management. In addition, all OFCCP IT employees must complete the on-line training course "Records Management for Everyone" which is provided by the NARA and available from their internet web site. OFCCP Employees are also encouraged to attend other records management training courses provided by the NARA.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Auditing is provided by DITMS as well as other technical safeguards to prevent the misuse of data.

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The primary OFCCP user community that has direct access to this information is the Compliance Officer Community. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  • Inappropriate use of the PII collected
  • Failure to secure hardcopy documentation on which the PII appears

The mitigation actions that are currently employed to reduce the potential of exposure of the identified PII are the following:

  • Establish and provide secure access to the OFCCP Information System (OFIS)
  • Establish and provide secure access to all OFCCP office locations
  • Establish and provide secure storage of hardcopy documentation in OFCCP offices
  • Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  • Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.

While there are no auditing measures in place to protect the PII in the system, there are technical safeguards that restrict access to the system as previously mentioned. In addition, users of the systems have been adequately trained in the use and administration of privacy information.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

OFIS is currently operating in the "Steady State" phase of its System Development Life Cycle. This information system was developed and is currently operated in compliance with the Department's SDLC methodology.

Does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.

No. This Information System does not employ any technology which may raise privacy concerns.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

The Office of Federal Contract Compliance Programs (OFCCP) has completed the PIA for the OFCCP Information System (OFIS) which is currently in operation. The OFCCP has determined that the safeguards and controls for this moderate system adequately protect the information.

The Office of Federal Contract Compliance Programs (OFCCP) has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.