Office of the Chief Information Officer

Privacy Impact Assessment

OIG TeamMate 2011

Overview

System Name: OIG TeamMate

Agency Name and Office/Center Name: Office of Inspector General/Office of Management and Policy/Division of Audit

  • The purpose of the program, system, or technology and how it relates to the component's and DOL mission:
    The system is used for managing OIG audit functions by tracking audit job assignments and schedules and by collecting and storing auditor reports with associated work products.

  • A general description of the information in the system:
    The information consists of individual audit reports and associated auditor notes.

  • A description of a typical transaction conducted on the system:
    Audit managers enter job tasks and schedules into the system, where they are stored in a database.

  • Any information sharing conducted by the program or system:
    No.


Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

The system does not directly collect PII. However, supporting documents needed for individual audits could contain PII on all of the above as related to the audit objective.

  • What are the sources of the PII in the information system?
    The auditee
  • What is the PII being collected, used, disseminated, or maintained?
    The PII includes the individual's Social Security Number (SSN); date and place of birth; addresses (personal and business); telephone numbers (personal and business); and other reference information.
  • How is the PII collected?
    The auditor scans hard copy documents into an image format. The hard copy documents are the auditor notes and related evidence collected from individuals during the audit as supporting evidence.
  • How will the information be checked for accuracy?
    Audit reports and associated auditor notes are reviewed by a manager.
  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?
    Inspector General Act of 1978, (Pub. L. 95-452, §1, Oct. 12, 1978, 92 Stat. 1101), as amended by Section 812 of the Homeland Security Act of 2002 (Pub. L. No. 107-296), provides all Inspector General criminal investigators with statutory law enforcement powers.
  • Privacy Impact Analysis
    All data collected is protected by system security settings. The data is reviewed by Audit managers and only the information necessary to support the audit findings is maintained within the system.

    Risks are mitigated through the general support system (GSS) for eOIG. Individual TeamMate Electronic Work Paper (EWP) audit project data is only accessible to specified team members. TeamRisk, TeamSchedule, and TeamCentral do not contain PII.

    Individual TeamMate EWP audit projects containing PII are titled accordingly as well as noted in the TeamMate System database.

    All TeamMate EWP audit projects are encrypted.


Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

  • Describe all the uses of the PII
    Any PII collected is used to support the audit report, but is not contained within the audit report itself.
  • What types of tools are used to analyze data and what type of data may be produced?
    The audit report is reviewed for its content and findings based on the stated purpose of the audit and is not analyzed by any specialized tools.
  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
    No.
  • If the system uses commercial or publicly available data, please explain why and how it is used.
    N/A
  • Privacy Impact Analysis
    Individual TeamMate EWP audit project data is only accessible to specified team members. When possible, the Audit team will redact PII from supporting audit documentation prior to scanning – depending on the nature of the document.


Retention

The following questions are intended to outline how long information will be retained after the initial collection.

  • How long is information retained in the system?
    3 years after the audit is issued.
  • Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
    Yes.
  • How is it determined that PII is no longer required?
    Once the Audit Managers determine that the documents are not needed following the three-year life of the archived audit record, and that the audit file does not need to be retained to document other OIG actions, the entire file is purged.
  • What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
    Only those files necessary to support the audit findings are maintained.

  • Privacy Impact Analysis
    The risk to any audit file is considered in the annual risk assessment.


Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
    PII is not shared outside the Office of Audit. Only under a Freedom of Information Act (FOIA) request would an audit project and its supporting documentation be available to the OIG Legal department. Such requests occur infrequently.
  • How is the PII transmitted or disclosed?
    The FOIA officer is given a duplicate of the audit in a PDF file.
  • Privacy Impact Analysis
    There are no risks beyond those identified for the system in the annual risk assessment.


External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?
    An external peer review of audits occurs once every three years. These reviews are handled by other Federal agencies. Audit reports are selected at random and audits containing PII could be selected.
  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
    Yes, the sharing of the PII is within the scope of the SORN due to OIG peer audit requirements.
  • How is the information shared outside the Department and what security measures safeguard its transmission?
    There is no transmission. Data will be supplied on a “stand alone and read only” computer with secured sign-in and disabled network access.
  • Privacy Impact Analysis
    A peer reviewer is given only Read Only access to selected audit files. The selected project files are reviewed by DOL for PII, and the peer review team is notified of PII content prior to receipt of audit data.


Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII?
    The auditee provides the required records.
  • Do individuals have the opportunity and/or right to decline to provide information?
    No.
  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
    No.
  • Privacy Impact Analysis
    Individuals know this information is collected, since they provide the data. Only the minimum information is collected to support audit findings.


Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

  • What are the procedures that allow individuals to gain access to their information?
    None.
  • What are the procedures for correcting inaccurate or erroneous information?
    None.
  • How are individuals notified of the procedures for correcting their information?
    None.
  • If no formal redress is provided, what alternatives are available to the individual?
    None.
  • Privacy Impact Analysis
    None.


Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

  • What procedures are in place to determine which users may access the system and are they documented?
    Only those users identified as having a need to know are allowed access to the TeamMate system and are then given access to particular file folders.
  • Will Department contractors have access to the system?
    Yes, contractors only have access to TeamMate EWP. The application is partitioned to only allow contractors access to their specific audit projects.
  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
    All users given access are given instruction on TeamMate and its use. In addition, all DOL users are required to complete annual privacy awareness training. This training discusses ways to protect PII and the requirements for doing so.
  • What auditing measures and technical safeguards are in place to prevent misuse of data?
    Rules of engagement and non-disclosure agreements are used to provide assurances of the controls in place to protect this information.
  • Privacy Impact Analysis
    There is some risk that a person's information could be read, but the scope of information collected on an individual is narrow, since the individual is not the subject of the audit and is included in the auditor's notes only to support any audit findings. The system has access and operational controls in place that protect against unauthorized access.


Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

  • What stage of development is the system in, and what project development life cycle was used?
    Operations and Maintenance Phase
  • Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.
    No.


Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

The OIG has completed the PIA for the TeamMate system which is currently in operation. The OIG has determined that the safeguards and controls for this moderate system adequately protect the information.

The OIG has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.