Office of the Chief Information Officer

Privacy Impact Assessment Questionnaire

WHD — WHISARD — FY 2013

Overview

The Wage and Hour Division (WHD) is an agency of the U.S. Department of Labor (DOL). The WHD is responsible for administering and enforcing some of our nation’s most comprehensive labor laws, including: the minimum wage, overtime, and child labor provisions of the Fair Labor Standards Act (FLSA); the Family and Medical Leave Act (FMLA); the Migrant and Seasonal Agricultural Worker Protection Act (MSPA); worker protections provided in several temporary visa programs; and the prevailing wage requirements of the Davis-Bacon Act (DBA) and the Service Contract Act (SCA).

WHISARD is an automated data processing system that enables investigators, managers, and assistants in the Wage and Hour Division (WHD) to process complaints; assign and investigate cases; manage and close cases; assist with outreach; record and monitor investigator time; track case history through narratives and diary entries; process FOIA and publication requests; and report to management. The WHD WHISARD data is shared only with other WHD applications to include the Back Wage Financial System (BWFS) and Civil Money Penalties System (CMP-2001).

The main components of the WHISARD application are:

  • Wage and Hour Investigative Support and Reporting Database (WHISARD)
  • Certificates Processing System (CPS)

CPS enables the processing, issuing and generation of sub-minimum wage and Farm Labor Contractor certificates along with Home worker handbooks. WHD is tasked with issuing certificates and tracking registrations under certain special circumstances.  Special minimum wage certificates are issued to allow for student or disabled workers to be paid less than the applicable minimum wage under provisions of sections 14 (b) and (c) of the Fair Labor Standards Act (FLSA). Section 14 of the FLSA also requires employers in certain industries who wish to employ workers at the worker’s home to register with the WHD.  Registration certificates are issued to persons acting as Farm Labor Contractors (FLC) or Farm Labor Contractor Employees (FLCE) under the Migrant and Seasonal Agricultural Protection Act (MSPA).

CPS interfaces with the following WHD systems to determine whether outstanding violations or actions exist prior to issuance of certificates: Civil Money Penalty System (CMP - 2001), Back Wage Financial System (BWFS), and the Wage Hour Investigative Support and Reporting Database (WHISARD). CPS also provides the functionality to generate an online renewal application, to issue a certificate and then print it and send it to the employer or employee. The reporting functionality of CPS provides up-to-date data on certificates by status, issue date, region, and fiscal year.

WHISARD consists of a database and several executables that access parts of the database. WHISARD itself contains multiple tables that store information about:

  • WHD investigations
  • WHD public outreach activities (speeches, etc.)
  • Civil Money Penalty assessments and payments
  • Back-wage collection information
  • Certificates issued by the agency (handicapped employee sheltered workshops, Farm Labor Contractors, students paid less than the minimum wage)

The WHISARD application supports the Department’s Strategic Outcomes of 1) preparing workers for good jobs and ensuring fair competition, 2) ensuring workplaces are safe and healthy, and 3) assuring fair and high quality work-life environments.  The collection and distribution of back wages through WHISARD deters future violations and furthers the WHD mission of increased compliance with the statutes the WHD is mandated to enforce particularly in low-wage industries.  The WHISARD application also helps process requests for publications and the results of FOIA requests.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

WHISARD does not collect personally identifiable information (PII) on DOL employees or other Federal employees.  PII is collected from members of the public (U.S. citizens), contractors, minor children, and foreign citizens.

What are the sources of the PII in the information system?

The PII in the WHISARD system comes directly from individuals who are filing a wage and hour complaint and/or from their employers.

What is the PII being collected, used, disseminated, or maintained?

The collection, dissemination, and maintenance of PII in WHISARD consist of the following:

  • Name
  • Phone numbers
  • Social Security number (no longer collected by the WHISARD application except in rare circumstances: 1) when the individual employer uses an SSN as the Employer or Taxpayer Identification Number; 2) for cases where the outstanding balance is considered Debt Due to Government)
  • Residential address
  • Business address
  • Mailing address
  • Business phone number

How is the PII collected?

PII is collected directly from the individual when a WHD investigator interviews a complainant about a possible violation of one of the laws that WHD enforces.  PII can also be collected when an investigation discovers that the violation affects additional individuals other than the complainant or as a result of a direct investigation when there is no complainant.  Though SSN information may be collected as a result of an investigation, it is not being captured using the WHISARD application except in rare circumstances (when the individual employer or farm labor contractor uses an SSN as the Employer or Taxpayer Identification Number).

How will the information be checked for accuracy?

PII collected directly from individuals involved in an investigation is assumed accurate.  Information collected on individuals who are not active participants in the investigation is not checked for accuracy unless the case is referred to BWFS and/or CMP-2001.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

The WHISARD system supports the following labor laws in the work place:

  • FLSA (Fair Labor Standards Act - Section 6&7 Minimum Wage and Overtime)
  • Child Labor
  • MSPA (Migrant and Seasonal Agricultural Worker Protection Act)
  • FMLA (Family Medical Leave Act)
  • EPPA (Employee Polygraph Protection Act)
  • H-1A (Provisions of the Immigration Nursing Relief Act)
  • H-1B (Provisions of the Immigration Naturalization Act)
  • H-2A (Provisions of the Immigration Reform Control Act of 1990)
  • Homeworker (Provisions of the Fair Labor Standards Act)
  • CREW (Longshore) (Provisions of Immigration and Naturalization Act)

Privacy Impact Analysis

While PII is collected, only the minimum information necessary to accomplish the mission is recorded and the information is collected directly from affected employees and/or employers.

Uses of the PII

Describe all the uses of the PII

The information being collected by WHISARD is used to: 

  • Report taxes owed to the Internal Revenue Service (IRS)
  • Provide information to the Social Security Administration (SSA) for reporting Social Security benefits
  • Verify the ages of minors employed by a business to ensure that Child Labor Laws are not being violated
  • Determine whether a Farm Labor Contractor will be allowed to provide transportation as part of his certificate, based on information provided by his driver’s license and vehicle
  • Collect fines from employers who violate Wage and Hour laws

The WHISARD database is used as a data repository containing information for the Major Applications (MA) BWFS and CMP-2001. The WHISARD application does not have external connections with any DOL component or other government agencies.

What types of tools are used to analyze data and what type of data may be produced?

We use the Business Objects tool to generate reports for analyzing the data on Wage and Hour cases.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No, WHISARD is not currently designed to derive new information or create previously unavailable data about individuals.

If the system uses commercial or publicly available data, please explain why and how it is used.

The system data is not available for commercial or public use.

Privacy Impact Analysis

The PII collected is used only for a very specific and limited purpose.  It is not used for any form of analysis nor is any data derived from PII collected by investigators.

Retention

How long is information retained in the system?

In accordance with WHD record retention schedule NN-160-43, records will be retained for a minimum of 12 years.

This guidance is further enhanced by SORN DOL/ESA-36 which states:

  • Electronic records are electronically archived; data tapes are retained for 25 years. 
  • Printed information generated by this system and retained in a Wage-Hour office will be disposed of as follows:

Printed information, concerning cases where violations were found, is disposed of 12 years after the date the case is closed. For cases where no violations were found, printed information is disposed of three years after the closing date.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

WHD record retention schedule NN-160-43 has been approved by the DOL agency records officer and the National Archives and Records Administration (NARA).

It should be noted that new schedules have been submitted to NARA for approval.

Privacy Impact Analysis

Data is retained in strict accordance with the WHD record retention schedule NN-160-43 and SORN DOL/ESA-36.  Safeguards are in place for the data stored in the WHISARD database as well as the archived data which is maintained off-site in a vendor provided secure storage facility that meets or exceeds federal standards for physical access control.

Internal Sharing and Disclosure

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

The WHISARD system does not share PII information with any internal organizations.

How is the PII transmitted or disclosed?

The WHISARD system does not transmit or disclose PII information to any internal organizations.

Privacy Impact Analysis

There is no Privacy Impact with the WHISARD system because it does not transmit, share or disclose PII to any internal organization.

External Sharing and Disclosure

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

WHISARD does not share PII with any external organization.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

WHISARD does not share PII with any external organization.

How is the information shared outside the Department and what security measures safeguard its transmission?

WHISARD does not share PII with any external organization, so no security measures safeguarding transmission of data have been implemented.

Privacy Impact Analysis

There is no Privacy Impact with the WHISARD system because it does not transmit, share or disclose PII to any external organization.

Notice

Was notice provided to the individual prior to collection of PII?

Not always.  In some cases, PII is collected directly from the individual submitting a complaint.  In other cases, PII may be collected as a result of a direct investigation that affects one or more individuals.

Do individuals have the opportunity and/or right to decline to provide information?

Not always.  Information is collected as a result of an investigation.  In some cases, this information is collected directly from the individual, who at that time has the opportunity to decline to provide information.  In other cases, information may be collected from a third party such as the employer, and in such cases the individuals do not have the opportunity to decline to provide information.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

No.  Information is collected as a result of an investigation to determine if an employer has violated any of the labor laws enforced by Wage and Hour.  Due to the limited nature of its use, individuals are not provided an option for consenting to this use of the information.

Privacy Impact Analysis

PII is collected as a result of an investigation.  In some cases, this information is provided directly by the individual to whom it pertains but in all cases, individuals do not have the right to consent to its use.

Access, Redress, and Correction

What are the procedures that allow individuals to gain access to their information?

There are no procedures to allow individuals to gain access to their information.  The WHISARD application is an internal system that is accessed only by WHD employees or contractors for the purpose of conducting investigations.  Access to the public is not allowed.

What are the procedures for correcting inaccurate or erroneous information?

Most information is received directly from individuals and/or employers directly involved in the investigation and to whom the information pertains.  For this reason, it is assumed that the information is correct and accurate.

How are individuals notified of the procedures for correcting their information?

Information is collected during the conduct of an investigation and is used only for investigative purposes.  The form WH-60 or WH-58 is provided to the individuals involved in the investigation in an effort to ensure that their information is complete and accurate.

If no formal redress is provided, what alternatives are available to the individual?

The publication of SORN DOL/ESA 36 addresses the procedure for correcting or updating information that is gathered. Individuals wishing to contest or amend any records should direct their request to the appropriate regional office. Such inquiries should include the full name of the requester and the date and amount of assessment.  Information about district and regional offices for Wage Hour can be found by going to http://www.dol.gov/whd/about/whdabout.htm on the internet or by contacting the disclosure officer at the following address:

Administrator, Wage and Hour Division,
Room S-3502, Frances Perkins Building
200 Constitution Avenue, NW, Washington, DC 20210

Privacy Impact Analysis

The form WH-60 or WH-58 is provided to the individuals involved in the investigation in an effort to ensure that their information is complete and accurate.  In addition, the publication of SORN DOL/ESA 36 addresses the procedure for further correction and updating of the information that is gathered.

Technical Access and Security

What procedures are in place to determine which users may access the system and are they documented?

Procedures are in place that must be followed before allowing users access to the system.  The process is designed to comply with the principles of least privilege and separation of duties as follows.

All DOL employees and contractors must undergo at a minimum a standard DOL background check.  Users of the system must first complete the process for requesting and obtaining a DOL network account.  Next, they will need to complete and submit the appropriate Wage Hour request form, which identifies the system to which access is being requested along with their proposed role and/or privileges.  All requests for system access must be approved by the user’s supervisor and the System Owner (SO) or SO representative.  Separation of duties is enforced by requiring actions by both OWCP-DITMS account managers and WHD account administrators to complete the process before user access to the system is granted.

Will Department contractors have access to the system?

Yes, WHD contractors will have access to the system if required based on their assigned duties.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

WHD employees are trained to protect individual PII as part of the Computer Security Awareness Training (CSAT) and are required to agree to the DOL Rules of Behavior. In addition all new WHD investigators and support staff are trained to safeguard information as part of their Basic Training.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Event logs are being used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found in NIST Special Publication 800-53.

WHD users must first log in to the DOL/OWCP-GSS network, and only then is it possible to log in to WHISARD.  A separate ID and password is required for the user to then log in to WHISARD.  Event logs are designed to capture detailed information pertaining to both of these account activities as well as others such as establishing, activating, modifying, reviewing, disabling, and removing accounts.  These logs are reviewed monthly by management in an effort to detect any unusual or unauthorized activity.

WHD has an established Incident Response and Reporting procedure that requires users to promptly report known or suspected unauthorized use or disclosure of user-IDs and/or passwords, misuse of computer resources, security violations, or unusual occurrences to appropriate authorities. 

OWCP-DITMS-GSS has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall.

Privacy Impact Analysis

The implementation of security controls as described above represents a defense in depth approach to providing adequate protection of all sensitive information contained in the system including PII.  These controls are effective in preventing unauthorized access to the system, detecting if a system has been compromised and responding to incidents in the event that a system compromise has been suspected.

Technology

What stage of development is the system in, and what project development life cycle was used?

All DOL major information systems are required to follow the computer security life cycle defined in the DOL System Development Life Cycle Management Manual (SDLCMM). Based on the SDLCMM the WHISARD system is in the Operations and Maintenance Phase (Phase IV).

Does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.

The WHISARD system utilizes only standard DOL approved technologies and protocols to allow users access to the system.  Technologies which could raise significant privacy concerns such as peer-to-peer file sharing, remote and web access and others are not authorized for use with this system.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • Wage and Hour Division (WHD) has completed the PIA for WHISARD which is currently in operation.
  • WHD has determined that the safeguards and controls for this moderate system adequately protect the information referenced in WHISARD System Security Plan, dated February 11, 2013. 
  • Wage and Hour Division (WHD) has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.