Overview
Job Corps Applicant Check System (JACS) is an application that electronically accepts prospective student data from the Job Corps Outreach & Admissions Student Input System (OASIS) system, provides that data to the Defense Counterintelligence and Security Agency (DCSA) for the background check, and adjudicates the background findings and admission decision. The application includes a user interface that allows Division of Personnel Security and Suitability (DPSS) staff in the Office of the Assistant Secretary for Administration and Management (OASAM) to add findings relevant to a prospective student's background, transmits those findings to a Job Corps security analyst who will then enter an admission decision, and then electronically transmits that decision to the admissions counselor.
The JACS application modernizes and integrates the Job Corps student background check and admission decision process into a single application. The application will:
- Facilitate a daily electronic file transfer from the Job Corps Data Center OASIS system to the JACS application. The JACS application will serve as the system of record for the background investigation.
- Facilitate a daily electronic file transfer between the JACS application and the DCSA portal.
- Permit DPSS staff to upload documents, record relevant data, and add a color-code signifying the risk of accepting a student.
- Permit Job Corps staff to review the risk assessment and make an admission decision.
- Transmit a courtesy notification to the Job Corps admissions counselor with the admit decision.
- Permit reporting on workload statistics, cycle time, admissions by color-code, etc.
- Accept a file upload capability to manually add prospective students without an OASIS record.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
JACS does not collect personally identifiable information (PII) on DOL employees or other Federal employees. PII is collected from members of the public (U.S. citizens), minor children (16 and older), and foreign citizens.
- From whom is information to be collected?
The information is collected from prospective Job Corps students.
- Why is the Information being collected?
The information is collected in order to conduct background investigations on the Job Corps applicants.
- What is the PII being collected, used, disseminated, or maintained?
The collection, dissemination, and maintenance of PII in JACS consist of Name, Social Security Number, Date of Birth, City of Birth, State of Birth, County of Birth, Country of Birth, and gender.
- How is the PII collected?
The PII is collected from prospective Job Corps students' inputs on an interest form on the Job Corps Student Enrollment website. Job Corps analysts can also directly enter applicants' PII in JACS.
- How will the information collected from individuals or derived from the system be checked for accuracy?
The applicants are responsible for verifying their data is correct. There is no penalty for incorrect data, although it could result in delay of the background investigation.
- What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?
The DPSS EOD/Investigations team conducts pre-screening activities and initiates background investigations to evaluate the character and conduct of applicants, appointees, and contractors for the purpose of the adjudications team making suitability/fitness determinations under 5 CFR 731 (or equivalent), determines the eligibility of employees for national security positions under EO 13764, Amending the Civil Service Rules, EO 13488, and EO 13467 to Modernize the Executive Branch-wide Governance Structure and Process for Security Clearance, Suitability and Fitness for Employment, and Credentialing, and Related Matters, the eligibility for access to classified information under EO 12968, as amended, Access to Classified Information; EO 13526, as amended, National Security Information, and 5 CFR Part 1400, Designation of National Security Positions.
- Privacy Impact Analysis
Risks identified are directly related to the collection and use of the PII by designated Job Corps and DPSS personnel.
Possible risks include the following:
- Inappropriate use of the PII collected
- Malicious theft of data by a motivated outside attacker.
The mitigation actions that are currently employed to reduce the potential of exposure of the identified PII are the following:
- Minimize all data collection to the minimum necessary.
- Establish and provide secure access to JACS. The only users that have direct access to this information are the designated Job Corps and DPSS staff.
- Encrypt PII data during file transitions to and from other systems (OASIS and DCSA portal).
Describe the Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
- Describe all the uses of the PII
The PII is collected to conduct background investigations on the Job Corps applicants.
- What types of tools are used to analyze data and what type of data may be produced?
There are no analytical tools used for the purpose of performing analysis related to the identified PII. No qualitative or quantitative data is generated from the identified PII collected.
- Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No
- If the system uses commercial or publicly available data, please explain why and how it is used.
The system data is not available for commercial or public use.
- Will the use of PII create or modify a “system of records notification” under the Privacy Act?
No, the use of PII will not create or modify a “system of records notification” under the Privacy Act.
- Privacy Impact Analysis
The PII collected is used only for a very specific and limited purpose. It is not used for any form of analysis nor is any data derived from PII collected.
Retention
The following questions are intended to outline how long information will be retained after the initial collection.
- What is the retention period for the data in the system?
3 Years
- Is a retention period established to minimize privacy risk?
Yes
- Has the retention schedule been approved by the National Archives and Records Administration (NARA)?
Yes, disposal authority: NC 369-76-2, item 59.
- Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
PII is eliminated from the systems in accordance with Job Corps Privacy Act Systems SORN (DOL/GOVT-2). We have reduced PII as much as possible; all PII collected is needed for this background check process.
- Have you implemented the DOL PII Data Extract Guide for the purpose of eliminating or reducing PII?
Yes. JACS implements processes consistent with the DOL PII Data Extract Guide by implementing requirements to collect, use, and retain only PII that is relevant and necessary for the purpose for which it was originally collected. The process ensures PII is retained only if necessary to fulfill the purpose(s) of the application and in accordance with Job Corps Privacy Act Systems SORN.
- How is it determined that PII is no longer required?
Per Privacy Act Systems SORN: Job Corps centers will maintain records of terminated students for a period of 3 years unless custodianship is extended or terminated, for administrative reasons, by the regional office.
- If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?
PII is eliminated from the system in accordance with the Job Corps record retention schedule.
- Privacy Impact Analysis
Data can only be accessed by authorized personnel. PII data encryption is implemented during data transition and at rest, in the database as well as in other document storage sites such as SFTP and S3 buckets.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
- With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
The PII is shared between Job Corps OASIS system and OASAM DPSS. The data shared are listed below:
- Full name
- Date of Birth
- Place of Birth (US state or territory) if born in US
- Place of Birth if foreign
- SSN
- Gender
The purpose of this information sharing is to conduct background checks on the applicants of the Job Corps student program. These records are maintained to ensure that they are only available to those officials who have a legitimate need for the information in performing their duties and to serve the interests and needs of the students in accordance with 29 U.S.C. 2881 et seq.
- How is the PII transmitted or disclosed?
DOL Secure File Transfer Protocol (SFTP) will be used with Federal Information Processing Standards (FIPS) compliant encrypted zip files.
- Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?
Yes, Job Corps reviews the information when the sharing of personal information is no longer required, after determining the student is no longer with the student program.
- Privacy Impact Analysis
Yes. Privacy Impact Analysis is conducted every 3 years for JACS.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
- With which external organization(s) is the PII shared, what information is shared, and for what purpose?
The following PII is shared with the Defense Counterintelligence and Security Agency (DCSA): Name, Social Security Number, Date of Birth, City of Birth, State of Birth, County of Birth, Country of Birth, and gender. The PII is shared in order for DCSA to conduct the background check.
- Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
Yes, Job Corps Privacy Act Systems SORN (DOL/GOVT-2)
- How is the information shared outside the Department and what security measures safeguard its transmission?
FTP+, Secure+, and ODS software are used to ensure confidentiality and integrity of the data being transmitted. eDelivery packages the contents of an investigative file in a 256-bit encrypted ZIP file, the Distributed Investigative File (DIF).
- How is the information transmitted or disclosed?
The file transfer will occur either by DCSA pushing the files to DOL's server (Secure+), or by DOL pulling the files from a DCSA server (FTS+ and ODS).
- Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared?
Yes
- How is the shared information secured by the recipient?
DCSA is designated as a Non-Criminal Justice Agency and has been informed by the Federal Bureau of Investigation (FBI) of the responsibility for ensuring that PII data is protected while in the DCSA's possession.
- What type of training is required for users from agencies outside DOL prior to receiving access to the information?
Only DCSA staff who have passed a security background check can access the information.
- Privacy Impact Analysis
Possible privacy risks include the following:
- Inappropriate use of the PII collected
- Malicious theft of data by a motivated outside attacker.
The mitigation actions that are currently employed to reduce the potential of exposure of the identified PII are the following:
- Minimize all data collection to the minimum necessary.
- The only users that have direct access to this information are the designated DCSA staff.
- Encrypt PII data during file transitions to and from DCSA portal.
Notice
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
- Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, please explain.
No. The collection of the PII from individuals is outside of JACS. When Job Corps analysts enter PII on behalf of applicants in JACS, it is not possible to provide notice to the applicants. The student information is collected when an applicant applies for the Job Corps student program via an online student application system.
- Do individuals have the opportunity and/or right to decline to provide information?
Yes. There is no regulatory requirement which mandates the collection of the identified PII. Applicants can choose to decline to provide information by not signing the release form.
- Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
An individual has the right to consent to the collection of data since this data collection is a voluntary component of filling out the online interest form.
- Privacy Impact Analysis
This Notice is provided through the external Job Corps website at the time the online form is filled out. It is visible through the user information page.
Individual Access, Redress, and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
- What are the procedures that allow individuals to gain access to their own information?
Outside of JACS. An external website in Job Corps for applicants to fill an online form.
- What are the procedures for correcting inaccurate or erroneous information?
Job Corps analysts or DPSS analysts of JACS.
- How are individuals notified of the procedures for correcting their own information?
Outside of JACS. Job Corps analysts will inform the admission counselor of the applicant, who will then contact the applicant.
- If no formal redress is provided, what alternatives are available to the individual?
Outside of JACS. Job Corps analysts will inform the admission counselor of the applicant, who will then contact the applicant.
- Privacy Impact Analysis
Not applicable.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
- Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)
Approved Job Corps Security Analyst and OASAM DPSS Security Specialist.
- Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.
Yes, contractors will have access to the system if required based on their assigned duties. See Appendix B for a copy of the contract describing their role to privacy requirements.
- Does the system use “roles” to assign privileges to users of the system? If yes, describe the roles.
Yes, Job Corps Security Analyst Role, DPSS Specialist Role
Job Corps Security Analyst Role: create, update and review applicant information; submit applicant information to DPSS specialist for background check; review background check findings; enter an admission decision; then electronically transmit that decision to the Admissions Counselor.
DPSS Specialist Role: review applicant info; review background check results and add findings relevant to a prospective student's background; transmit those findings to a Job Corps Security Analyst.
- What procedures are in place to determine which users may access the system and are they documented?
User roles are determined and documented by Job Corps and DPSS for their staff.
- How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide date of last training.
All staff should sign the rules of behavior prior to being granted access.
- Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
Employees participate in mandatory annual Cybersecurity and Privacy Awareness Training. This is provided by Learning Link, and so no single hard date is available.
- What auditing measures and technical safeguards are in place to prevent misuse of data?
Event logs are being used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found in NIST Special Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations.
JACS users must first log in to the DOL network and only then would it be possible to log in to the application. Event logs are designed to capture detailed information pertaining to this account activity as well as others such as establishing, activating, modifying, reviewing, disabling, and removing accounts. These logs are reviewed monthly by management to detect any unusual or unauthorized activity.
DOL has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall.
- Establish and provide secure access to JACS
- Minimize all data collection to the minimum necessary to conduct background checks.
- Only authorized users can have access to the information
- Encrypt PII data during file transitions and at storage.
- Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?
The system is still in development. It is expected to undergo an ATO in 2022 as a Moderate system.
Yes, data is secured in accordance with FISMA requirements. The system is expected to undergo a Security Assessment and Authorization to Operate in June, 2022.
Data is secured by the following measures:
- Establish and provide secure access to JACS
- Minimize all data collection to the minimum necessary to conduct background checks.
- Only authorized users can have access to the information
- Encrypt PII data during file transitions and at storage.
- Privacy Impact Analysis
The risks identified are directly related to the collection and use of the PII by designated JACS analysts. Access is limited to Job Corps and DPSS staff. Possible risks include the following:
- Inappropriate use of the PII collected
- Malicious theft of data by a motivated outside attacker.
The mitigation actions that are currently employed to reduce the potential of exposure of the identified PII are the following:
- Establish and provide secure access to JACS.
- Users participate in mandatory Privacy Act and Records Management training annually. This is provided by Learning Link.
- Minimize all data collection to the minimum necessary to conduct investigations.
- Encrypt PII data during file transitions to and from other systems (OASIS and DCSA portal).
Technology
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.
- Was the system built from the ground up or purchased and installed?
The system was custom-designed and built.
- Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system?
Data integrity, privacy and security were analyzed as part of the decisions for the JACS system to ensure the system's objectives of complying with FISMA and building on existing secured infrastructure.
- What design choices were made to enhance privacy?
The following design choices were made to enhance privacy:
- JACS was not designed to derive new information or create previously unavailable data about individuals.
- The system is not available for commercial or public use.
- Event logs are being used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found in NIST Special Publication 800-53.
- Job Corps and DPSS users must first log in to the DOL/OWCP-GSS network and only then would it be possible to log in to JACS.
- A separate ID and password are then required for the user to log in to JACS.
- OWCP-DOL-GSS has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall.
- For systems in development, what stage of development is the system in, and what project development life cycle was used?
JACS is to follow the computer security life cycle defined in the DOL System Development Life Cycle Management Manual (SDLCMM). Based on the SDLCMM the JACS system is in the Development and Test Phase.
- For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.
JACS utilizes only standard DOL approved technologies and protocols to allow users access to the system. Technologies which could raise significant privacy concerns such as peer-to-peer file sharing, remote and web access and others are not authorized for use with this system.
Determination
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
- OCIO has completed the PIA for JACS which is currently in development. OCIO has determined that the safeguards and controls for this LOW system will adequately protect the information and will be referenced in JACS System Security Plan to be completed by July.