Skip to page content
Office of the Chief Information Officer
Bookmark and Share

Privacy Impact Assessment Questionnaire

DOL — Social Media Services (SMS) — FY 2014

Overview

Analysis performed in this Privacy Impact Assessment (PIA) focuses on Personally Identifiable Information (PII) collected via Department of Labor (DOL) branded functionality within Social Media Services such as Facebook and YouTube (hereafter collectively referred to as "Social Media Services").

Social Media Services represent a new medium in which DOL can communicate, collaborate, and exchange information with colleagues in other Federal agencies, state and local governments, and the public. These services are publicly available and provide DOL with a means to quickly engage and interact with a large and diverse audience of participants.

Based on the results of a PII screening process for the Social Media Services, it was determined PII exists and that a PIA be performed to identify privacy risks associated with operating the third-party sites. DOL Social Media Services, managed by the Office of Public Affairs, are provided by third-party service providers and have been approved by GSA. Social Media Services analyzed for the purposes of this PIA are as follows:

DOL has outlined processes for the dissemination of information to the public via the Social Media Services in the DOL Social Media Handbook (DLMS 5-600). Processes detailed within the handbook include that all content posted on behalf of DOL undergo a review. In addition, an official within DOL's Office of Public Affairs Division of Enterprise Communications (OPA DEC), known as the DOL Social Media Coordinator, be the primary resource for managing the DOL branded social media functionalities.

Access to manage and/or post content to DOL managed Social Media Services is restricted to the DOL Social Media Coordinator; a designated official within DOL's Office of Public Affairs Division of Enterprise Communications (OPA DEC).

Introduction

DOL utilizes Social Media Services to enhance communication, collaboration, and information exchange between other Federal agencies, state and local government partners and with the public as part of agency's larger communication and outreach strategy. In reading this analysis, it is important to keep in mind the following assumptions and constraints:

  • DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA. The Social Media Service Provider is responsible for the maintenance and implementation of the security controls within their respective services.
  • DOL access to the services is that of a typical user and is restricted to the administration of content for Department branded functionalities.
  • DOL has not procured services, nor entered into any contractual agreements with any of the Social Media Service Providers.
  • PII collected, retained, and disseminated by the Social Media Services is not for the specific purposes of DOL and is done so at the discretion of the Social Media Service Providers, and without the Department's knowledge or counsel.
  • All interactions and disclosure of PII within these services (by DOL and users engaging the Department) is voluntary and subject to the terms and conditions stipulated by the service's respective providers.
  • Federal guidelines and mandates that typically impact the confidentiality, integrity and availability for Federal agency owned or operated system do not apply to the Social Media Service sites.
  • Findings within the PIA are based on visible implementations of security within each service (via the User Interface (UI) and/or online documentation).

Characterization of the Information

What are the sources of the PII in the information system?

Sources of PII within the Social Media Services include (hereafter referred to as "users"):

  • Members of the public
  • State and local governments
  • Federal agencies

What is the PII being collected, used, disseminated, or maintained?

Typical interactions within the DOL branded Social Media Services include the posting of comments by users to DOL published content. Information shared within these comments is done voluntarily and at the user's discretion. PII may include first and last name, personal/business email addresses, and other types of PII specific in the PII Screening Form.

How is the PII collected?

PII posted to DOL Social Media branded functionality is done so voluntarily and at the user's discretion and collected through the comments section.

How will the information be checked for accuracy?

Not applicable.

What specific legal authorities, arrangements, and/or agreements define the collection of information?

DOL has established a SORN (DOL/OSEC-2) for the collection of information.

Privacy Impact Analysis

Risks pertaining to the disclosure of PII data are transferred to the Social Media Service Providers and to the users who voluntarily subscribe to these services. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA and therefore, assumes no responsibility for the maintenance or protection of the PII contained within each service. PII collected, retained and disseminated by the Social Media Services is not for the specific purposes of DOL nor is PII used by DOL for purposes other than the communication with others within the service. The Department's use of these services is voluntary and is subject to the terms and conditions stipulated by the Social Media Service Providers.

DOL has implemented the following safeguards within the Department to assist with the management of Department's Social Media branded functionality:

  • DOL Social Media Handbook (DLMS 5-600) - outlines processes for the dissemination of information to the public when using Social Media Services
  • Designated resources (DOL Social Media Coordinator) to maintain department's presence within these Social Media Services.
  • Provided the DOL Social Media Coordinator with annual security awareness and privacy training.
  • DOL privacy policy on DOL.gov provides disclaimers on the use of Social Media Services.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

PII is not specifically collected nor disseminated by DOL for its own purposes. The Department utilizes Social Media Services to enhance communication, collaboration, and information exchange between other Federal agencies, state and local government partners, and with the public as part of the agency's larger communication and outreach strategy.

What types of tools are used to analyze data and what type of data may be produced?

PII is not specifically collected nor disseminated by DOL for its own purposes. The Department utilizes Social Media Services to enhance communication, collaboration, and information exchange between other Federal agencies, state and local government partners, and with the public as part of the agency's larger communication and outreach strategy.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

PII is not specifically collected nor disseminated by DOL for its own purposes. The Department utilizes Social Media Services to enhance communication, collaboration, and information exchange between other Federal agencies, state and local government partners, and with the public as part of the agency's larger communication and outreach strategy.

If the system uses commercial or publicly available data, please explain why and how it is used.

Not applicable.

Privacy Impact Analysis

Risks pertaining to the handling and maintenance of PII data are transferred to the Social Media Service Providers and to the users who voluntarily subscribe to these services. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA and therefore, assumes no responsibility for the maintenance or protections of the PII contained within each service. PII collected, retained, and disseminated by the Social Media Services is not for the specific purposes of DOL nor is PII used by DOL for purposes other than the communication with others within the service. The Department's use of these services is voluntary and subject to the terms and conditions stipulated by the service's respective providers.

DOL has implemented the following safeguards within the Department to assist with the management of the Department's Social Media branded functionality:

  • DOL Social Media Handbook (DLMS 5-600) - outlines processes for the dissemination of information to the public when using Social Media Services
  • Designated resources (DOL Social Media Coordinator) to maintain department's presence within these Social Media Services.
  • Provided the DOL Social Media Coordinator with annual security awareness and privacy training.
  • DOL privacy policy on DOL.gov provides disclaimers on the use of Social Media Services.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

DOL does not delete any social media content unless it violates the posted comment policy (usually for threats or foul language). A spreadsheet documenting items that violate such policy is maintained by the DOL Social Media Coordinator. This spreadsheet includes what the comment was, who/when posted, when it was removed, and why.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

No.

Privacy Impact Analysis

Risks pertaining to the retention of PII data are transferred to the Social Media Service Providers and to the users who voluntarily subscribe to these services. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA and therefore, assumes no responsibility for the maintenance or protections of the PII contained within each service. PII collected, retained, and disseminated by the Social Media Services is not for the specific purposes of DOL nor is PII used by DOL for purposes other than the communication with others within the service. The Department's use of these services voluntary and is subject to the terms and conditions stipulated by the service's respective providers.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

None.

How is the PII transmitted or disclosed?

Not Applicable.

Privacy Impact Analysis

Not Applicable.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA. PII collected, retained, and disseminated by the Social Media Services is not for the specific purposes of DOL and is done so at the discretion of the Social Media Service Providers without the Department's knowledge or counsel.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA. All interactions and disclosure of PII within these services (by DOL and users engaging the Department) is voluntary and subject to the terms and conditions stipulated by the service's respective providers.

How is the information shared outside the Department and what security measures safeguard its transmission?

DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA. PII collected, retained, and disseminated by the Social Media Services, is not for the specific purposes of DOL and is done so at the discretion of the Social Media Service Providers without the Department's knowledge or counsel. Information obtained within the Social Media Services is not shared with external entities.

Privacy Impact Analysis

Risks pertaining to the external sharing of PII data are transferred to the Social Media Service Providers and to the users who voluntarily subscribe to these services. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA and therefore, assumes no responsibility for the maintenance or protections of the PII contained within each service. PII collected, retained, and disseminated by the Social Media Services is not for the specific purposes of DOL nor is PII used by DOL for purposes other than the communication with others within the service. The Department's use of these services is voluntary and subject to the terms and conditions stipulated by the service's respective providers.

Information obtained within the Social Media Services is not shared with external entities. In the event of a threat or suspicious comment posted on DOL Social Media pages, DOL OPA will follow current incident response processes in coordination with DOLCSIRC for the notification of law enforcement and/or emergency service providers.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA. All interactions and disclosure of PII within these services (by DOL and users engaging the Department) is voluntary and subject to the terms and conditions stipulated by the service's respective providers.

DOL privacy policy on DOL.gov provides disclaimers on the use of Social Media Services.

Do individuals have the opportunity and/or right to decline to provide information?

Yes.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA. All interactions and disclosure of PII within these services (by DOL and users engaging the Department) is voluntary and subject to the terms and conditions stipulated by the service's respective providers.

DOL privacy policy on DOL.gov provides disclaimers on the use of Social Media Services.

Privacy Impact Analysis

Risks related to the collection of PII within Social Media Services are the responsibility of the service's provider. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA and therefore, assumes no responsibility for the maintenance or protections of the PII contained within each service. PII collected, retained, and disseminated by the Social Media Services is not for the specific purposes of DOL nor is PII used by DOL for purposes other than the communication with others within the service. The Department's use of these services is voluntary and subject to the terms and conditions stipulated by the service's respective providers.

Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

Not Applicable. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA. All interactions and disclosure of PII within these services (by DOL and users engaging the Department) is voluntary and subject to the terms and conditions stipulated by the service's respective providers.

Users who subscribe to the Social Media Services within this analysis can view and modify their information via functionality within each service.

What are the procedures for correcting inaccurate or erroneous information?

Users who subscribe to the Social Media Services within this analysis can modify or edit their personal information via their "Account" information page.

How are individuals notified of the procedures for correcting their information?

Not Applicable.

If no formal redress is provided, what alternatives are available to the individual?

Not applicable.

Privacy Impact Analysis

Risks pertaining to the redress of PII data are transferred to the Social Media Service Providers and to the users who voluntarily subscribe to these services. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA and therefore, assumes no responsibility for the maintenance or protections of the PII contained within each service.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

DOL has outlined processes for the dissemination of information to the public via the Social Media Services in the DOL Social Media Handbook (DLMS 5-600). Processes detailed within the handbook specify that all content posted on behalf of DOL undergo a review. In addition, an official within DOL's Office of Public Affairs Division of Enterprise Communications (OPA DEC), known as the DOL Social Media Coordinator, be the primary resource for managing the DOL branded Social Media functionalities.

Access to manage and/or post content to DOL managed Social Media Service is restricted to the DOL Social Media Coordinator; a designated official within DOL Office of Public Affairs Division of Enterprise Communications (OPA DEC).

Will Department contractors have access to the system?

No. A designated official within DOL Office of Public Affairs Division of Enterprise Communications (OPA DEC), known as the DOL Social Media Coordinator, be the primary resource for managing the DOL branded Social Media functionalities.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA. The DOL Social Media Coordinator, who is the primary resource for managing the DOL branded Social Media functionalities, receives annual security awareness and privacy training.

What auditing measures and technical safeguards are in place to prevent misuse of data?

DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA. The Social Media Service Provider is responsible for the maintenance and implementation of the security controls within their respective services.

Privacy Impact Analysis

Risks pertaining to the handling, maintenance and sharing of PII data are transferred to the Social Media Service Providers and to the users who voluntarily subscribe to these services. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA and therefore, assumes no responsibility for the maintenance or protections of the PII contained within each service. PII collected, retained, and disseminated by the Social Media Services is not for the specific purposes of DOL nor is PII used by DOL for purposes other than the communication with others within the service. The Department's use of these services is voluntary and subject to the terms and conditions stipulated by the service's respective providers.

DOL has implemented the following safeguards within the Department to assist with the management of the Department's Social Media branded functionality:

  • DOL Social Media Handbook (DLMS 5-600) - outlines processes for the dissemination of information to the public when using Social Media Services
  • Designated resources (DOL Social Media Coordinator) to maintain department's presence within these Social Media Services.
  • Provided the DOL Social Media Coordinator with annual security awareness and privacy training.
  • DOL privacy policy on DOL.gov provides disclaimers on the use of Social Media Services.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

Not applicable. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA.

Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

Not applicable. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

OPA DEC has completed the PIA for DOL's use of Social Media Services (currently in use). Safeguards implemented by the service's providers to protect user PII cannot be determined based on the perspective performed within this analysis. DOL neither owns nor operates the systems that comprise the Social Media Services analyzed in this PIA and is therefore unaware of the all safeguards implemented by the service's provider to protect PII.

DOL has implemented the following safeguards within the Department to assist with the management of the Department's Social Media branded functionality:

  • DOL Social Media Handbook (DLMS 5-600) - outlines processes for the dissemination of information to the public when using Social Media Services
  • Designated resources (DOL Social Media Coordinator) to maintain department's presence within these Social Media Services.
  • Provided the DOL Social Media Coordinator with annual security awareness and privacy training.
  • DOL privacy policy on DOL.gov provides disclaimers on the use of Social Media Services.