Privacy Impact Assessment Questionnaire
SOL – Evidence Management System (EMS) – FY2014
What are the system name and the name of the DOL component(s) which own(s) the system?
The Evidence Management System (EMS) and is owned by the Office of the Solicitor.
What is the purpose/function of the program, system, or technology and how it relates to the component's and DOL mission?
The mission of the Office of the Solicitor (SOL) is to provide legal advice and representation to the Secretary of Labor and client agencies in broad range of matters including affirmative and defensive litigation, and to ensure that legal staff has the tools needed to accomplish their critical mission effectively. The EMS delivers tools, capabilities and related services that significantly advance SOL's Mission. The EMS is comprised of distinct components used to provide on-demand, scalable litigation and document production support services to the diverse, geographically dispersed agencies of DOL.
Provide a general description of the information in the system.
The EMS is a secure, web-enabled, centrally-hosted "cloud" environment that provides litigation support tools for the DOL. The EMS delivers state-of-the-art capabilities including text analytics, advanced concept-based searching tools, structured data pattern recognition, computer-assisted document review, and data visualization that will enable attorneys and experts to easily collaborate and rapidly analyze large document collections resulting in reliable and defensible decisions as early as possible in the life of the matter. As the matter proceeds, the legal team has access to an array of additional relevant tools and support services allowing them to focus on the legal issues and case strategy, not document processing. The EMS consists of one system with several components. The system includes a web application COTS product, known as Relativity. Additionally, the system is supported by the IPRO tools suite that processes ESI and converts it into a format that can be loaded to Relativity, sent back to SOL or the opposing counsel.
Provide a description of a typical transaction conducted on the system.
A typical transaction of the EMS system begins by receiving an electronic document from an SOL office. IE Discovery performs an inventory of the document, uploads the document into the IPRO, the processing component, to retrieve metadata about the document and prepare the document to be loaded into Relativity. Relativity is the core component of EMS consisting of a database, storage area network to store files and images, and several servers to allow for administration of the application, searching, and analytics in a cloud environment. Once the document is formatted, it is ready to be loaded into Relativity. The document is then available and viewable to SOL users through the Relativity Web interface. SOL users will access Relativity by logging into the Relativity Web interface via a DOL-provided web address. This provides users the ability to search for a document and make certain legal determinations as needed. SOL users are given the ability to mark the document privileged, not responsive, could redact certain terms, or add bates numbers, or otherwise comment on the document. Once the document has been reviewed, and marked to be produced, the document is then stored in Relativity and processed by IPRO to be used by SOL or opposing counsel. The end product of this process will result in a portable document format (.pdf), paper documents, or other electronic formats requested to be produced from other legal technology applications.
Is there any information sharing conducted by the program or system?
No. See section 4.6 External Sharing and Disclosure.
Provide a general description of the modules and subsystems, where relevant, and their functions.
- Web Interface – manages user access to the system
- Pre-processor – converts evidence documents into the proper file format and uploads documents to document management component
- Document Management – stores evidence documents for searching and legal analysis
Where appropriate, what is the citation to the legal authority to operate the program or system?
5 U.S.C. § 301
Provide a description of why the PIA is being conducted.
The EMS contains PII on Federal employees, DOL contractors and members of the public and therefore a Privacy Impact Assessment is required. A Privacy Act System of Record Notice (SORN) will be published in the Federal Register. The Privacy Act requires that a SORN be published in the Federal Register when PII is maintained by a Federal agency in a system of records and the information is retrieved by a personal identifier. The system can retrieve PII by the specific personal identifier.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
PII is collected in the system from DOL client agencies and other parties to pending or active litigation cases (e.g. opposing counsel).
What are the sources of the PII in the information system?
- Business records (including mine safety & health, occupational safety and health, black lung benefit statements, etc.
- Business Confidential Information including trade secrets and other proprietary information
- Investigation findings records
- Medical records
- Payroll records
- Financial records
- Internal audit records
- Personal records including correspondence records e.g. email, letters, etc.
What is the PII being collected, used, disseminated, or maintained?
- First and/or last name
- Date of birth
- Place of birth
- Mother's maiden name
- SSN (truncated)
- SSN (elongated)
- Military, immigration, or other government-issued identifier
- Photographic identifiers (i.e., photograph image, x-rays, video)
- Biometric identifier (i.e., fingerprint, voiceprint, iris)
- Other physical identifying information (e.g., tattoo, birthmark)
- Vehicle identifier (e.g., license place, VIN)
- Driver's license number
- Residential address
- Personal phone numbers (e.g., phone, fax, cell)
- Mailing address (e.g., P.O. Box)
- Personal e-mail address
- Business address
- Business phone number (e.g., phone, fax, cell)
- Business e-mail address
- Business records custodian
- Medical information including physician's notes
- Medical record number
- Device identifiers (e.g., pacemaker, hearing aid)
- Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
- Financial account information and/or number (e.g., checking account number, PIN, retirement, investment account)
- Certificates (e.g., birth, death, marriage)
- Legal documents or notes (e.g., divorce decree, criminal records)
- Educational records
- Network logon credentials (e.g., username and password)
How is the PII collected?
Evidence documents containing PII are collected as part of investigations and the discovery and trial litigation process including depositions, interrogations, interviews, and court ordered exchange of information.
How will the information be checked for accuracy?
In some instances the accuracy of the PII contained within the evidence document is validated as part of the litigation process and sometimes attested under oath as accurate by a party to the case.
What specific legal authorities, arrangements, and/or agreements defined the collection of information?
The Federal Rules of Civil Procedures and Federal Rules of Evidence.
Provide a Privacy Impact Analysis.
The PII stored in the EMS is subject to minimal risk because it is hosted in a cloud environment with implementation of the baseline controls for a Moderate system as defined by NIST SP 800-53, Recommended Security Controls for Federal Systems and enhancements that are FedRAMP requirements above the moderate baseline. Privacy awareness is administered annually through the Information System Security Privacy and Awareness Training (ISSPAT). This required training is provided to all DOL employees and contractors. Even without specific training, the risk of unauthorized disclosure and unauthorized access to the EMS data is minimal due to the existing security controls in place at the hosting platform, infrastructure and application level and the limited use of PII.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
Describe all the uses of the PII
The PII is used for any purpose permissible under DOL authorizing statutes and court orders.
What types of tools are used to analyze data and what type of data may be produced?
The EMS application/system uses Relativity COTS tool to analyze and produce data.
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No. The EMS does not generate new or unavailable data.
If the system uses commercial or publicly available data, please explain why and how it is used.
The system uses commercial or publicly available data for any purpose permissible under DOL authorizing statutes and court orders.
Provide a Privacy Impact Analysis.
The operational storage and use of PII can create the risk of unauthorized access and disclosure. The PII stored in the EMS is subject to minimal risk because it is hosted in a cloud environment with implementation of the baseline controls for a Moderate system as defined by NIST SP 800-53, Recommended Security Controls for Federal Systems and enhancements that are FedRAMP requirements above the moderate baselines. Privacy data is also protected by ensuring that privacy awareness training is provided based on the privacy of the cloud environment.
The following questions are intended to outline how long information will be retained after the initial collection.
How long is information retained in the system?
Information is retained in accordance with the SOL Records Schedule.
Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
Disposition of the Evidence Management System (EMS) records are under consideration. Accordingly, the records generated cannot be destroyed until a records schedule is approved by the Archivist of the United States. Once the disposition is determined, retention and disposal of the records will be governed in accordance with the applicable disposition instruction in the DOL/SOL records schedule.
How is it determined that PII is no longer required?
A determination as to when PII is no longer required within the system is performed as part of the annual Privacy Impact Assessment. Specifically, the MALS Legal Technology Unit will make recommendations for approval by the System Owner. Also SOL addresses all federal mandates to reduce the use of PII and specific identifiers where possible in its information collection processes.
What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
PII contained information will only be stored on the system during active litigation. When the litigation matter is completed or the need for the EMS evidence database has been satisfied, the information is removed from the system.
Provide a Privacy Impact Analysis.
Whenever large amounts of personal data are stored for an extended period of time, there is a significant privacy risk. This risk is proportionally increased by the length of time in which the data is retained. F or EMS SOL ensures the use of NIST SP 800-53 Rev 3 control families that mitigate the risks associated with PII retention.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
DOL agencies, as necessary to the handling of the investigation, facilitated resolution or litigation matter.
How is the PII transmitted or disclosed?
PII is transmitted or disclosed through operational reporting, online queries, and online screen displays, and hard copies and electronic copies.
Provide a Privacy Impact Analysis.
The privacy risk lies in unauthorized disclosure based on methods of sharing.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
Other federal agencies, courts and administrative bodies, arbitrators and mediators, and opposing counsel and parties to an investigation or litigation matter.
Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
Yes, the sharing of PII outside the Department is compatible with the original collection,
Yes, see description of "Routine uses of records maintained in the system" in the SORN.
How is the information shared outside the Department and what security measures safeguard its transmission?
Evidence documents that may contain PII are shared with the federal court system, administrative tribunals, and other parties to the case through document filings that are made via email or through the court's electronic filing system.
Provide a Privacy Impact Analysis.
The privacy risk is unauthorized disclosure of PII through transmission of information or through theft or loss of portable media (CD, DVD, flash drive, external drive) or portable devices (laptop).
E-mails used to transmit evidence documents are subject to network infrastructure security controls, and the DOL OCIO Appropriate Use: A Guide for Use of Personal Computers and Government Equipment Including E-mail and the Internet, June 2000, v1.0.
The security of the court's electronic filing systems has not been assessed. It is assumed that adequate security protections are in place. Protections may vary by court location.
SOL has unique requirements to communicate with legal parties outside of DOL. As indicated in the DLMS 9-1202, DOL Safeguarding Sensitive Data Including Personally Identifiable Information, SOL users are not required to encrypt portable media containing DOL sensitive information in support of litigation activities, under various statutes, or in response to court/tribunal requirements or orders, or congressional requests. All other SOL information must be encrypted. SOL computers have Roxio software in addition to the PointSec for PC software. Roxio software allows SOL users to create CD/DVDs that are not encrypted. The encryption exemption increases exposure to unauthorized disclosure of PII.
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
Was notice provided to the individual prior to collection of PII?
Yes. The Privacy Act requires that a SORN be published in the Federal Register when PII on members of the public is maintained by a Federal agency in a system of records and the information is retrieved by a personal identifier. The system can retrieve PII by the specific personal identifier.
Do individuals have the opportunity and/or right to decline to provide information?
Yes, individuals have the right to decline to provide information based on the invocation of the Privacy Act of 1974. Individuals would have addressed this opportunity or right with the DOL agency prior to SOL's use of the information. SOL does not collect this information directly from members of the public but rather extracts the information from records collected by the DOL agencies.
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No, as there are only routine uses of the information, and no particular uses that would require consent under the Privacy Act of 1974.
Provide a Privacy Impact Analysis.
The predominant privacy risk lies in improper disclosure. DOL shall not disclose, nor make available, any personal data except with the consent of the individual concerned or by authority of law. DOL shall, when appropriate and required by law, provide access to, and a process for amending, personal information in accordance with the Privacy Act of 1974. Also, all SOL Federal and contractor support staff are made aware of penalties regarding improper use of SOL information via notifications and confidentiality agreements (e.g., system access notification, computer security awareness training Contractor Confidentiality/Non-Disclosure Agreement, Contractor Access Request Forms and Rules of Behavior).
Access, Redress, and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
What are the procedures that allow individuals to gain access to their information?
An individual, or legal representative acting on his behalf, may request access to a record about himself by appearing in person or by writing to the Office of the Solicitor of Labor (SOL), Deputy Solicitor, 200 Constitution Avenue, NW, Washington, DC 20210. A requester in need of guidance in defining his request may write to the Assistant Secretary for Administration and Management, U.S. Department of Labor, 200 Constitution Avenue, NW, Washington, DC 20210–0002.
The specific procedures for allowing an individual to gain access to their information are provided in Title 29 CFR Part 71.2.
What are the procedures for correcting inaccurate or erroneous information?
An individual may submit a request for correction or amendment of a record pertaining to him. The request must be in writing and must be addressed to the Office of the Solicitor of Labor (SOL), Deputy Solicitor, 200 Constitution Avenue, NW, Washington, DC 20210. The request must identify the particular record in question, state the correction or amendment sought, and set forth the justification for the change. Both the envelope and the request itself must be clearly marked: "Privacy Act Amendment Request."
The specific procedures for correcting inaccurate or erroneous information are provided in Title 29 CFR 71.9.
How are individuals notified of the procedures for correcting their information?
This information is published in the Federal Register entry for the system. Also, www.dol.gov provides "Important Web Site Notices" which contains the department's Privacy and Security Policies. This is found on the initial page of the website or directly at http://www.dol.gov/dol/aboutdol/website-policies.htm .
If no formal redress is provided, what alternatives are available to the individual?
When a request for correction or amendment is denied in whole or in part, the requester may appeal the denial to the Solicitor of Labor within 90 days of his receipt of the notice denying his request.
Provide a Privacy Impact Analysis.
There is minimal risk to the data integrity of PII stored in the EMS because it is well protected by numerous security controls. Data integrity is primarily accomplished because access to data is restricted to authorized personnel within SOL and information is only shared internally for the purpose of opening, updating, or closing a case file. Privacy data is also protected by ensuring that privacy and security awareness training is provided annually by DOL. Specifically, DOL Information Systems Security Awareness and Privacy Training are provided to all employees and contractors of SOL. Even without specific training, however, the risk of unauthorized access to the EMS data is minimal due to the existing security controls in place and the limited use of PII.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
What procedures are in place to determine which users may access the system and are they documented?
SOL has documented Access Control procedures in place which ensures the access to the EMS is established in compliance with the DOL policies. Highlights of the SOL procedures include:
- SOL General User Rules of Behavior and External Systems Rules of Behavior
- two-factor authentication using Cloud Service Provider (CSP) supplied RSA tokens
- login via Citrix Frontend and Windows Active Directory Services
- access provided strictly on the basis of approved authorizations
- automatic removal of inactive accounts
Will Department contractors have access to the system?
Yes, the EMS is accessed by CSP developers and system administrators, for the purpose of developing, testing, administering and operating and hosting the cloud implementation.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
Mandatory DOL Information Systems Security Privacy and Awareness Training are provided to all employees and contractors of SOL.
What auditing measures and technical safeguards are in place to prevent misuse of data?
Within the EMS there are specific user roles (groups) defined which provide varying levels of access to data stored in the EMS. Critical functions are divided among different individuals based on their security group/role assignment. Users will be allowed to view and annotate evidence only for cases to which they are assigned.
Auditing functionality exists within the EMS to allow for user, account management, and privileged user actions to be recorded in an audit log and backed up for a specified period of time. Audit information stored includes: type of audit event, date and time audit event occurred, User ID, command used to initiate the audit event, success or failure of audit event and event result.
All audited transactions within the EMS are written to a separate audit log table within the EMS database. The electronic audit log is protected from viewing by unauthorized users.
Provide a Privacy Impact Analysis.
The PII stored within the EMS is limited to information necessary for the Agency to carry out its duties. It is well protected in a cloud environment with implementation of the baseline controls for a Moderate system as defined by NIST SP 800-53, Recommended Security Controls for Federal Systems and enhancements that are FedRAMP requirements above the moderate baseline. The EMS does not interface with any other systems except its hosting platform/infrastructure. PII may be shared with DOL agencies through reporting.
Privacy risks associated with the technical access safeguards for information are mitigated through NIST SP 800-53 controls:
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
What stage of development is the system in, and what project development life cycle was used?
The EMS is in the Development and Testing Phase with system implementation scheduled for November 2012. Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
Yes. The system uses the Software as a Service (SaaS) cloud deployment model in a Federal community environment (Legal).
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
SOL has completed the initial PIA for the Evidence Management System. SOL has determined that the safeguards and controls for this moderate system will adequately protect the information and will be referenced in Evidence Management System Security Plan to be completed by August/September 2012.
SOL has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.