Privacy Impact Assessment Questionnaire
OSHA – Integrated Management Information System (IMIS Legacy) FY 2011
Overview
The IMIS HOST Computer Facility supports a National consolidated database system for collecting, manipulating, maintaining and retrieving enforcement, consultation and discrimination data. There are 3 minor applications: PC CSHO, the Accident Investigation Summary Report (AISR) Application and the Safety & Health Achievement Recognition Program (SHARP).
Legacy IMIS contains Personally Identifiable Information (PII) and a PIA review is performed annually.
This is the PIA for the Legacy IMIS Application as required by section 208 of the E-Government Act of 2002.
The Integrated Management Information System, also referred to as IMIS, is an OSHA Major Information System (MIS). IMIS was developed in 1983 and has been operational since 1984. IMIS is an OSHA Automated Information System that is used for planning, managing, tracking and reporting on its programs, services and assistance.
Characterization of the Information
The IMIS collects a variety of information, including inspection history for specific establishments, citations issued, penalties assessed and paid, accidents and injuries, standards cited, complaints received and investigated, referrals, cases contested, State Programs Activities, Federal Agency Programs Activities, consultation visits and discrimination investigations.
IMIS security requirements for confidentiality are minimal since most information processed and stored in IMIS is releasable under the Freedom of Information Act (FOIA). Only the following IMIS data elements are subject to the Privacy Act:
- Name of surviving accident victim(s)
- Names of Whistleblower Complainants/Representatives
- Consultation data
- Names of OSHA-7 Complainants
- Compliance Officer (CSHO) IDs
- Number of employees
- OSHA-170 Abstracts before review
- OSHA-200/300 data
- Debt collection
- Site specific employee counts
- Site specific sampling information
- What are the sources of the PII in the information system?
Obtained from individuals or business entities.
- What is the PII being collected, used, disseminated, or maintained?
Name, Business Address, Business Telephone Number
- How is the PII collected?
Entered through screens by CSHO from inspections and investigations.
- How will the information be checked for accuracy?
SIC codes are verified for accuracy.
- What specific legal authorities, arrangements, and/or agreements defined the collection of information?
The OSHA Act of 1970
- Privacy Impact Analysis
Privacy risks are low because access controls, physical and logical security controls are implemented throughout the IMIS.
All personnel with access to PII are cleared as required by the Homeland Security Presidential Directive 12 (HSPD-12).
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
- Describe all the uses of the PII
Used for investigation, inspections, accident and fatality reporting
- What types of tools are used to analyze data and what type of data may be produced?
COBOL, Natural, and interactive custom built applications. Reports are produced that describe historical trending to date.
- Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No.
- If the system uses commercial or publicly available data, please explain why and how it is used.
Postal Zip Code data. A table is used to validate all zip codes that are entered.
- Privacy Impact Analysis
OSHA leverages the IBM flagship security product RACF (Resource Access Control Facility). RACF is an approved Common Criteria product and is B1 certified by the Federal Government.
IMIS adheres to all federally mandated controls.
Access control, authentication & authorization controls are built into the application.
Retention
The following questions are intended to outline how long information will be retained after the initial collection.
- How long is information retained in the system?
Indefinitely
- Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
No.
- How is it determined that PII is no longer required?
{Include answer here}
- What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
All data is retained indefinitely.
- Privacy Impact Analysis
No appreciable increase in risk with the passage of time.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
- With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
No direct sharing of IMIS information is authorized for any other systems.
- How is the PII transmitted or disclosed?
PII data does not leave the OSHA premises.
- Privacy Impact Analysis
If information is provided under FOIA, then PII is removed from or masked in the data file. Data is encrypted.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
- With which external organization(s) is the PII shared, what information is shared, and for what purpose?
None
- Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
N/A
- How is the information shared outside the Department and what security measures safeguard its transmission?
PII data is not shared outside the department.
- Privacy Impact Analysis
No risk
Notice
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
- Was notice provided to the individual prior to collection of PII?
No. PII data is collected as part of an investigation or inspection.
- Do individuals have the opportunity and/or right to decline to provide information?
Yes.
- Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
The individual is protected under the Privacy Act. The data is used only as part of an investigation. The individual has the right not to provide PII.
- Privacy Impact Analysis
N/A
Access, Redress, and Correction
The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.
- What are the procedures that allow individuals to gain access to their information?
The individual submits a signed statement asking for their data under the Freedom of Information Act (FOIA).
- What are the procedures for correcting inaccurate or erroneous information?
The user notifies the Regional Office that performed the inspection or investigation.
- How are individuals notified of the procedures for correcting their information?
Individuals are notified verbally and are provided a written statement for their review.
- If no formal redress is provided, what alternatives are available to the individual?
The user contacts an OSHA office.
- Privacy Impact Analysis
There are no appreciable risks associated with the redress information.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
- What procedures are in place to determine which users may access the system and are they documented?
OSHA leverages COTS products to enforce authentication and authorization software. Procedures are documented in SOP and security documents that adhere to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. The following products are used for each layer of IMIS:
| Device | Product |
|---|---|
| PC | MS/Active Directory |
| Operating System | RACF for Mainframe and internal for systems |
| Network | MS/Active Directory |
| Application | Internal Security |
| Database | RACF for ADABAS and internal for Oracle and Informix |
- Will Department contractors have access to the system?
Yes
- Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
DOL-wide Computer Security Awareness Training and Information System Security Awareness training are required for all personnel connecting to the network or that will have access to OSHA data, and role-based training when necessary.
- What auditing measures and technical safeguards are in place to prevent misuse of data?
IMIS adheres to NIST 800-53 Security Controls. HSPD-12 (Homeland Security Presidential Directive-12) and Identity Verification are also used for personnel security.
- Privacy Impact Analysis
OSHA sensitive data is not shared with any system and PII data is redacted.
Technology
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
- What stage of development is the system in, and what project development life cycle was used?
The system is in an operational mode of operation.
- Does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.
No.
Determination
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
OSHA has completed the PIA for Integrated Management Information System (IMIS) which is currently in operation. OSHA has determined that the safeguards and controls for this MODERATE system adequately protect the information.
OSHA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.