Foreign Labor Certification (FLC) System 

Overview

The FLCS application allows DOL to process Labor Certification Applications (LCA’s) for H-1B. The Online System allows two types of users to submit online applications—namely, registered users (employers and/or their attorneys) and non-registered users. Employers seeking to hire temporary professional workers must obtain H-1B specialty (professional) workers certification. Use of the system allows for the online submission of applications to DOL.

Employers or their agents can track and view the status of Web-submitted LCAs. The OFLC One-Stop Portal (“iCert”) provides: (a) a single “entry point” for the entire FLC application suite, (b) a central repository for FLC content, including FAQs, forms, news, alerts, and other information, (c) a single search engine through which any submitted FLC application can be queried and its status reviewed, (d) a single location from which the public, with one unique account, can submit applications for foreign labor certification.

The Administrator of Office of Foreign Labor Certification owns the system or Major application. The system is operated by the Office of Information Systems and Technology (OIST), and has been granted an Authority to Operate (ATO) until June 2017.

Introduction

The FLCS runs on ETA’s Local Area Network/Wide Area Network (ETA LAN/WAN) General Support System (GSS), which is currently managed by OASAM. The servers, network and security devices are stored within the building in a secured Data Center.

The system must be available for users during normal business hours for the following modules:

  • H-1B Labor Condition Application Online and Administration Systems
  • Permanent Online and Case Management Systems
  • iCERT

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

  • Foreign Citizens

What are the sources of the PII in the information system?

Visa applicants provide their non-sensitive information directly or through their companies

What is the PII being collected, used, disseminated, or maintained?

PII collected includes name, date of birth, mailing address, phone number, and education records.

How is the PII collected?

Employers seeking to hire temporary professional workers use the system for online submission of applications to DOL FLCS application.

How will the information be checked for accuracy?

The information is not checked for accuracy because that is not required.

What specific legal authorities, arrangements, and/or agreements define the collection of information?

The Privacy Act of 1974.

Information submission is voluntary.

Privacy Impact Analysis

ETA collects information via SSL enabled websites and has implemented controls to mitigate the risk of data being compromised

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The information is used to the determination of the eligibility of the applicant for a given visa category.

What types of tools are used to analyze data and what type of data may be produced?

Not applicable. Tools are not used to analyze the data.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

FLCS does not derive new data through aggregation of collected information.

If the system uses commercial or publicly available data, please explain why and how it is used.

FLCS does not use publicly available data.

Privacy Impact Analysis

FLCS allows for the online submission of applications to DOL. Employers or their agents can track and view the status of Web-submitted LCAs. The OFLC One-Stop Portal (“iCert”) provides: (a) a single “entry point” for the entire FLC application suite, (b) a central repository for FLC content, including FAQs, forms, news, alerts, and other information.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

Records are maintained indefinitely.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

The retention schedule is approved by the DOL records officer. OFLC periodically submits requests (for records destruction) to National Archives and Records Administration (NARA).

Privacy Impact Analysis

  • Data is encrypted in the database
  • An audit trail is kept of attempts to access and decrypt the data

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII is not shared with internal organizations.

How is the PII transmitted or disclosed?

Not applicable.

Privacy Impact Analysis

Not applicable. There is no internal sharing of PII data.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Not applicable. There is no external sharing of PII data.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Not applicable.

How is the information shared outside the Department and what security measures safeguard its transmission?

Not applicable. There is no external sharing of PII data.

Privacy Impact Analysis

Not applicable. There is no internal sharing of PII data.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

Yes; notice was provided to individuals (participants).

Do individuals have the opportunity and/or right to decline to provide information?

Yes.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

Yes.

Privacy Impact Analysis

Individuals are informed that providing information is voluntary.

Access, Redress, and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

Each user is identified by a case number and restricted via user id and password.

What are the procedures for correcting inaccurate or erroneous information?

Users can update only their own information.

How are individuals notified of the procedures for correcting their information?

Through mail, email/alerts

If no formal redress is provided, what alternatives are available to the individual?

Not applicable

Privacy Impact Analysis

Applicants have the right to withdraw from the program.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

Applicants can access, view and update their own information only.

Will Department contractors have access to the system?

Yes.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

ETA offers security training to all users. ETA users must acknowledge reading the Rules of Behavior document before accounts are provisioned.

What auditing measures and technical safeguards are in place to prevent misuse of data?

ETA encrypts the data and maintains an audit trail of user activities.

Privacy Impact Analysis

The privacy risks identified include inadvertent disclosure and misuse of confidential information. ETA mitigates this risk by implementing adequate access controls, solid encryption, and assigning users with least privileges.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

FLCS is operational; the system development conforms to computer security lifecycle defined in the DOL System Development Lifecycle Management Manual (SDLCMM). Based on the SDLCMM the system is in the ‘Operations and Maintenance’ phase.

Does the project employ technologies which may raise privacy concerns? If so please discuss their implementation?

FLCS does not employ technologies that may raise privacy concerns.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • ETA has completed the PIA for FLCS and determined that existing safeguards and controls adequately protect the information system.
  • ETA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.