Unemployment Insurance Claimant Portal (UICP)

Overview

The Unemployment Insurance Claimant Portal (UICP) is a component of the Unemployment Insurance State Program American Rescue Plan Act of 2021 (ARPA) investment. The UICP is part of a wider effort to modernize unemployment insurance (UI). The UICP system provides UI applicants with the ability to file and manage UI claims, and states with an improved UI claims intake process. The UICP system will capture information about individuals that will be ultimately processed and owned by the state that will process the claim. The UICP is owned by the Office of Unemployment Insurance (OUI) within the U.S. Department of Labor Employment and Training Administration (ETA) and furthers the ETA's mission of providing leadership, direction, and assistance to state UI agencies in the implementation and administration of state UI programs.

The UICP will be used to collect data from UI claimants. The information will consist of personally identifiable information (PII) as well as employment-related data, such as dates of employment and reason for separation. The UICP has the following components:

  • A public web interface
  • A web server to provide data to and intake data from users
  • A transactional database with non-PII data, such as times that events in the system take place
  • Encrypted data storage to store claim information

At the time of its initial release in April 2022, a typical transaction in the system is as follows:

  • A UI claimant enters a state UI website to file an initial claim and is directed to the UICP, where they are presented with the public web interface by which they are connected to an identity (ID) verification provider.
  • Upon entering the UICP and providing consent for sharing information gathered through the UICP with DOL, the UICP's public web interface links the claimant to a third-party vendor. A separate privacy impact analysis (PIA) will be created for the third-party vendor.
  • The claimant completes the identity-proofing and authentication process with the third-party vendor. The information collected by the third-party vendor in order to verify the identity of the claimant may vary and is detailed more specifically in the vendor's PIA; however, additional PII that may be returned and included in the claim is listed below.
  • The vendor sends the claimant back to the UICP public web interface. The UICP web server confirms with the third-party vendor whether the claimant has successfully completed identity proofing and authentication. Some additional information used by the third-party vendor to verify their identity may also be sent back to the UICP to prepopulate fields that will be included in their claim:
    • First Name
    • Middle Initial
    • Last Name
    • Social Security Number
    • Home Address
    • Phone Number
    • Date of Birth
    • Email Address
  • The UICP web server encrypts the user's data, stores it in encrypted web storage, and notes the transaction time and status in the transactional database.
  • The state IT system retrieves the user's claim data.

Future iterations of the system may include actions such as:

  • The claimant uses a form within the UICP web interface to input new or manage existing claim information.
  • When the claimant is finished filling out claim information, they press a submit button.

As part of this future iteration, the user's Claim Data may be gathered from a set of questions presented through the UI application form in the UICP. Specifically, these may include the following categories:

  • US Residency Status
  • Employment Status
  • Military duty status (if applicable)
  • Claimant identity information
    • First name, last name, middle initial, suffix
    • Date of Birth
    • Driver's License or State ID Number
  • Claimant physical and mailing address information
  • Claimant education and training information
  • Employer Information
    • Employer Address
    • Employer EIN
    • Reason for Separation
  • Contact information (e.g., phone number, email address)
  • Claimant demographic information (Sex, Race, Ethnicity, Disability Status)
  • Claimant response to eligibility questions on the initial intake form

The states themselves are still responsible for eligibility determination, adjudication and other administration of the UI program. Therefore, claims data collected by the UICP must be shared with the states to ensure states have the information necessary for the states to administer the UI program. As determined through state agreements, data may also be shared with the UICP to convey claims status information to claimants.

A Privacy Impact Assessment (PIA) is being conducted for the UICP because PII will be collected.

Characterization of the Information

  • From whom is information to be collected?

Information is being collected from individuals filing for UI benefits (members of the public). At the time of its initial release in April 2022, individuals will need a personalized URL provided by the state agency to access the system.

For future iterations, all members of the public may be allowed to submit information to UICP. Individuals are strongly encouraged to begin the filing process through their respective state UI websites.

  • Why is the Information being collected?

Information is being collected to assist in verifying individuals' identity to determine eligibility for unemployment compensation. The minimum set of data will be collected that is required for an individual to verify their identity in accordance with NIST SP 800-63 Identity Assurance Level (IAL) 2. Information gathered for user login is in accordance with NIST SP 800-63 Authenticator Assurance Level (AAL) 2.

Future iterations may include data collected for an individual to log in to the application, and submit a UI claim. Information required for claim submission is defined by state and federal laws.

  • What is the PII being collected, used, disseminated, or maintained?

Specific PII requirements may be state-dependent and may include data elements such as first/last name, date of birth (DOB), residential address, Social Security Number (SSN), bank account number, bank routing number, residential telephone number, personal telephone number, personal email address, business address, business telephone, and employment history. At the time of its initial release in April 2022, the minimum set of data will be collected that is required for an individual to verify their identity. Future iterations may include more robust data sets to include the data described above.

  • How is the PII collected?

PII will be collected by a web application using HTML forms over secured communication channels (HTTPS) completed by the UI claimant.

  • How will the information collected from individuals or derived from the system be checked for accuracy?

State UI agencies are responsible for determining the accuracy of the information to conduct eligibility determinations, adjudications, and other administration of the UI program.

  • What specific legal authorities, arrangements, and/or agreements allow the collection of PII?

The legal authority for collecting the PII is: Title III of the Social Security Act (SSA), 42 U.S.C. 501-503; the Federal Unemployment Tax Act (FUTA), 26 U.S.C. 3304; Section 2118 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (Pub. L. 116-136), as amended; Section 410(a) of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (Stafford Act) (42 U.S.C. 5177(a)); The Unemployment Compensation for Ex-Service Members (UCX) law and The Unemployment Compensation for Federal Employees (UCFE) law (5 U.S.C. Chapter 85); Chapter 2 of Title II of the Trade Act of 1974 (19 U.S.C. 2271 et seq.), as amended; and 20 CFR parts 603 & 604.

  • Privacy Impact Analysis

The risk of storing and transmitting claimant PII includes unauthorized access to the data at rest or interception of the data in transit. To mitigate unauthorized access to data at rest, the system will encrypt all PII in a separate data store from transactional, non-PII data. To mitigate interception of data in transit, PII submitted by claimants as well as data shared between the DOL and the states will be encrypted using the Transport Layer Security (TLS) protocol for HTTPS communications. The UICP will largely use the DOL AWS Cloud platform which implements various security controls for access and encryption.

Describe the uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

  • Describe all the uses of the PII

PII such as the claimant's name, Social Security Number, etc., may be used by the third-party vendor for IAL2 identity verification and AAL2 authentication. PII used to verify a claimant's identity may then be returned to UICP by the third-party vendor to prepopulate claim application fields as described in Section 1.1. The UICP will transmit PII included in the claim to states for administration of the UI program (e.g., claims submission, eligibility determinations). Not all PII used by the third-party vendor to verify identity may be included in the final claim application submitted to the state. If, for example, the individual's identity cannot be verified, then the UICP will only transmit the claimant's self-reported, unverified PII.

  • What types of tools are used to analyze data and what type of data may be produced?

Data associated with claims may be analyzed in aggregate for federal reporting and analysis purposes. The data may be used to perform equity analysis on overpayments, denials, and decision timeliness using statistical analysis software.

  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

Data will not be derived for individuals, but rather will be aggregated at population levels.

  • If the system uses commercial or publicly available data, please explain why and how it is used.

Not Applicable.

  • Will the use of PII create or modify a "system of records notification" under the Privacy Act?

Yes, a system of records notification was published on March 10, 2022 at 87 Federal Register 13,762. All PII stored shall be in compliance with 20 CFR Part 603.

  • Privacy Impact Analysis

The operational storage and use of PII can create the risk of unauthorized access and disclosure. The PII stored in the Amazon Web Services (AWS) environment is subject to a moderate security risk and is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as recommended by NIST SP 800-53, Recommended Security Controls for Federal Systems. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects. Additionally, all PII stored shall be in compliance with 20 CFR Part 603.

The privacy risks identified with the storage and use of PII can be mitigated through the following FedRAMP baseline security controls:

Technical Class Controls

  • Access Control (AC):
    • Access Control Policy and Procedures
    • Account Management
    • Access Enforcement
    • Separation of Duties
    • Least Privilege
    • Unsuccessful Login Attempts
    • System Use Notification
    • Session Lock
    • Supervision and Review – Access
  • Audit and Accountability (AU):
    • Audit and Accountability Policy and Procedures
    • Auditable Events
    • Content of Audit Records
    • Audit Monitoring, Analysis, and Reporting
  • Identification and Authentication:
    • Identification and Authentication Policy and Procedures
    • Authenticator Management

Operational Class Controls

  • Awareness and Training (AT)
    • Security Awareness and Training Policy and Procedures
    • Security Awareness
    • Security Training
  • Media Protection (MP)
    • Media Protection Policy and Procedures
    • Media Access
    • Media Storage

Management Class Controls

  • Planning (PL)
    • Security Planning, Policy, and Procedures
    • Rules of Behavior
  • System and Services Acquisition (SA)
    • Systems and Services Acquisition Policy and Procedures
    • Software Usage Restrictions
    • Security Design Principles

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

  • What is the retention period for the data in the system?

The Department will prepare a record retention policy for approval through the National Archives and Records Administration (NARA). Until such policy is approved, the records will be maintained indefinitely.

  • Is a retention period established to minimize privacy risk?

Yes, the selected NARA retention period for these records will help minimize privacy risks, and ensure records are not held longer than necessary, as well as to ensure compliance with federal confidentiality regulations regarding UI-related data (see 20 CFR Part 603).

  • Has the retention schedule been approved by the National Archives and Records Administration (NARA)?

No.

  • Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

States will have the ability to confirm that they have received a claimant's PII. After confirmation of receipt, the claim will be marked for deletion and disposed of in accordance with the NARA schedule, once approved.

  • Have you implemented the DOL PII Data Extract Guide for the purpose of eliminating or reducing PII?

As the system routinely will transmit PII to the states, data management requirements will be established in MOUs with those states. Any data extraction requests beyond routine use will follow requirements under state law, as well as DOL requirements for retrieval and disposition as outlined in the PII Data Extract Log and Verification Guide.

  • How is it determined that PII is no longer required?

State systems will send a request to the UICP web server flagging a claim for deletion. The claim can then eventually be deleted in accordance with retention policies.

A determination as to when PII is no longer required within the system is performed as part of periodic program reviews and data calls and the annual ATO document review, including System Categorization, Privacy Threshold Analysis and Privacy Impact Assessment.

  • If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?

PII will be encrypted in separate data storage from non-sensitive, transactional data. Data for claimants will be encrypted with unique keys for each state.

  • Privacy Impact Analysis

Longer data retention increases the likelihood that larger amounts of PII are exposed. To mitigate the risk of exposure, the UICP team will adhere to the pending NARA data retention requirements for UI records. While any state-bound claims data is in a UICP data store, it will be encrypted at rest using unique keys for each state.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

The PII data is not shared with other internal DOL organizations, except in accordance with routine and other statutorily authorized uses. The claim data originally collected through the UI Claimant Portal will be stored with a FIPS 140-2 compliant symmetric key while the claim information is entered or in a non-completed state.

  • How is the PII transmitted or disclosed?

We are creating procedures around how data may be shared in line with the routine and other statutorily authorized uses. The PIA will be updated to reflect this in advance of such disclosure.

  • Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

We are creating procedures around how data may be shared in line with the routine and other statutorily authorized uses. The PIA will be updated to reflect this in advance of such disclosure.

  • Privacy Impact Analysis

We are creating procedures around how data may be shared in line with the routine and other statutorily authorized uses. The PIA will be updated to reflect this in advance of such disclosure.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?

No claim data is shared from UICP to the third-party vendor; however, additional PII collected by the identity provider will be transmitted to UICP in order to prepopulate claim fields when the claimant identity is verified. Specific example fields are listed in Section 1.1. All information collected through the UICP will be shared with the state in which the claimants are filing.

  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, provide the SORN ID in use for this system. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Yes. All information collected as part of the initial release to verify identity is shared with the state in which that claimant is filing for unemployment insurance, including PII. Future iterations of the system may involve more robust gathering of data described above and this too will be shared with the state in which that claimant is filing for unemployment insurance, including PII. The legal authority for collecting the PII is: Title III of the Social Security Act (SSA), 42 U.S.C. 501-503; the Federal Unemployment Tax Act (FUTA), 26 U.S.C. 3304; Section 2118 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (Pub. L. 116-136), as amended; Section 410(a) of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (Stafford Act) (42 U.S.C. 5177(a)); The Unemployment Compensation for Ex-Service Members (UCX) law and The Unemployment Compensation for Federal Employees (UCFE) law (5 U.S.C. Chapter 85); Chapter 2 of Title II of the Trade Act of 1974 (19 U.S.C. 2271 et seq.), as amended; and 20 CFR parts 603 & 604.

This sharing is described in the DOL/ETA – 33, Unemployment Insurance Claimant Portal SORN:

"In addition to the disclosures permitted under 5 U.S.C. 522a(b) and consistent with the requirements and limitations in 20 CFR part 603, records may be disclosed in accordance with the Department's Universal Routine Uses of Records published at 81 Fed. Reg. 25765, 25775 (April 29, 2016) and available on DOL's website at https://www.dol.gov/agencies/sol/privacy/intro. In addition, disclosures may be made:

  1. To appropriate agencies, entities, and persons when (1) the DOL suspects or confirms a breach of the System of Records; (2) the DOL determines as a result of the suspected or confirmed breach there is a risk of harm to individuals, the DOL (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the DOL’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
  2. To another Federal agency or Federal entity, when the DOL determines that information from this System of Records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach."

  • How is the information shared outside the Department and what security measures safeguard its transmission?

The information is shared with states using an Application Programming Interface (API). The information is encrypted at rest and will need to be decrypted by the states upon receipt. The information is additionally encrypted in transit using the TLS encryption protocol.

  • How is the information transmitted or disclosed?

All information collected as part of the application is sent via an Application Programming Interface (API) to the state in which UI is being claimed. State systems will prove their identity to UICP prior to being given access to claimant data. The data will be encrypted at rest with a token that only the receiving state can use to decrypt it. Finally, the information will be encrypted in transit using the TLS encryption protocol.

  • Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared?

MOUs between the DOL and states will be in place with the states when the UICP is launched in production.

Contracts with the third-party vendor will detail data exchange and protection mechanisms used in those relationships.

MOUs, contracts, or any agreement will reflect the scope of the information to be shared.

  • How is the shared information secured by the recipient?

The recipient states will store information as they currently store it today. The security practices will be documented in MOUs between the Department and states.

The third-party vendor will store and secure PII used in verifying identities in accordance with their Privacy Policies and Terms of Use.

  • What type of training is required for users from agencies outside DOL prior to receiving access to the information?

DOL users with access to UICP data receive annual Cybersecurity and Privacy Awareness training in addition to supplemental role-based training appropriate to their role. State UI Agencies will receive claims data; however, the confidentiality of this data will be no different from the data they handle in their current systems.

  • Privacy Impact Analysis

The risks in sharing data with the states are risks inherent within any data system: the compromise of state systems or state credentials. The former case represents the potential exposure that exists with any information system. Existing mitigations implemented by each state will be documented in MOUs between the Department and states.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix or be prepared to provide a copy of the notice during an audit request. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, please explain.

A general privacy notice is available at unemployment.dol.gov by clicking on "Privacy and Security Statement."

The privacy notice will read as follows:

A customized Privacy Notice will be added to the UICP which will contain information consistent with, though not necessarily duplicative of, Appendix B: UICP Privacy Act Statement.

  • Do individuals have the opportunity and/or right to decline to provide information?

Yes, the collection of information is voluntary, and individuals have the opportunity to decline to provide the information, at which time they will be redirected to the state for proceeding with a UI claim.

  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

No. There is no selective usage of claimant information. Usage of the system will result in claimant information being collected and disseminated to the states for the purpose of administering the UI program. Only information necessary for the administration of the UI program is collected.

  • Privacy Impact Analysis

Individuals may choose to voluntarily enter their PII within the UICP to apply for UI benefits. Individuals may instead submit claims directly with the state UI agency. State-specific information on filing a UI claim, employment assistance, or employer information is available online at https://www.careeronestop.org/localhelp/unemploymentbenefits/unemployment-benefits.aspx.

Individual Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

  • What are the procedures that allow individuals to gain access to their own information?

While working on a claim in the UICP, individuals can access their information through the UICP web interface. Once an individual has completed entering their claim data into the UICP application, the data is sent to the state from which the individual is requesting UI benefits. The UICP web application will provide users with a link to the state UI system in which the data now resides. Individuals may gain access to their own information through the state UI agency, which may require a separate login process.

  • What are the procedures for correcting inaccurate or erroneous information?

While entering information into the UICP, individuals can correct inaccurate or erroneous information through the UICP web interface. When an individual has completed their claim, it is sent to the state from which the individual is requesting UI benefits. The UICP web application will provide users with a link to the state UI system in which the data now resides. Individuals may correct inaccurate or erroneous information through the state UI agency.

  • How are individuals notified of the procedures for correcting their own information?

While entering information into the UICP, the data is made available for updating information. If the claim has already been submitted to a state, the UICP will display a message to the user that the data is with the state and provide the user a link to contact the state UI agency.

  • If no formal redress is provided, what alternatives are available to the individual?

As states own the information after the information provided by the claimant is sent to the state, individuals must use redress options available at the state level. There are no alternatives.

  • Privacy Impact Analysis

Individuals will have the right to access, modify, and amend their information at the state level. Individuals will receive contact information for state-level support. The states have existing processes for access and modification requests, and therefore redress-related risks are mitigated by existing procedures at the state level to ensure accurate and complete claims information.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

  • Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

At the time of its initial release in April 2022, the state will provide select individuals with a personalized URL to access the system to verify their identity.

For future iterations, users from the public may have basic access to the system to file and manage their UI claims.

State UI systems will have programmatic access to retrieve claims, provide status information, and flag claims for deletion. DOL OCIO including staff and contractors operate and maintain the system. A limited subset of staff and contractors would have access to the data. OCIO and ETA may use the data generated by the system for analysis described in this PIA.

  • Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA or be prepared to provide copies during an audit request.

Yes, there are a limited number of system administration professionals that may encounter protected data as necessary to execute required system maintenance functions in accordance with their federal employment or with contracted support services.

  • Does the system use “roles” to assign privileges to users of the system? If yes, describe the roles.

Access to functions and data within the system are restricted by roles as defined in the environment for claimants, state UI agencies, and DOL system administrators.

  • What procedures are in place to determine which users may access the system and are they documented?

At the time of its initial release in April 2022, the state will provide select individuals with a personalized URL to access the system to verify their identity. Future iterations may include more widely-available use for anyone in the general public to access the system as a claimant. Through messaging on the web portal, individuals are strongly encouraged to begin the filing process through their respective state UI websites rather than directly with UICP.

Procedures for states to programmatically access the UICP are documented in a GitHub repository shared with the states.

Standard operating procedures guide the methods and procedures used by DOL system administrators when accessing the system for maintenance purposes.

  • How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide date of last training.

This is a public-facing application providing access to the general public for submission of UI claims. There is no specific training for this user type as the system guides claimants in submitting their data through the user interface. However, through messaging on the web portal, individuals are strongly encouraged to begin the filing process through their respective state UI websites rather than directly with UICP.

State IT personnel work directly with OCIO personnel to establish programmatic connections with the UICP web server. Since this is a limited number of programmatic connections, OCIO personnel and state IT personnel work together on an ongoing basis to maintain awareness of roles and Rules of Behavior as outlined in MOUs with each state.

DOL system administrators receive access in accordance with DOL policies and procedures governing IT support including roles, Rules of Behavior, and ongoing cybersecurity, privacy, and role-based training.

  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

DOL users will be required to take the annual Information Systems Security and Privacy Awareness (ISSPA) training. A privacy notice will be provided to all external users.

Additionally, any DOL employees or contractors with access to the UICP system will receive training on handling confidential UC Information in line with DOL's agreements with its contractor(s) and DOL's agreements with states to participate in the system.

  • What auditing measures and technical safeguards are in place to prevent misuse of data?

All sensitive user data is encrypted at rest and in transit. The UICP system employs a zero-trust architecture that prevents access to PII, and the data is encrypted so any party that does not explicitly require access or have a token to decrypt the data cannot access the data. In addition, the system is monitored specifically for data exfiltration events.

  • Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Data is secured in accordance with FISMA requirements. The ATO authorization is currently in process and a Security Assessment and Authorization has yet to be performed.

  • Privacy Impact Analysis

The risk associated with collecting sensitive PII is exposure of that information. This risk is mitigated by implementing access controls (least privilege access and zero-trust), technical controls (encryption at rest and in transit), and physical controls (security).

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

  • Was the system built from the ground up or purchased and installed?

The system is built from the ground up on the DOL AWS cloud platform. DOL's AWS cloud has received an ATO. The third-party vendor is a purchased software-as-a-service. The web interface and web server are custom-built.

  • Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

Privacy and security considerations were utilized to make architectural and other technical decisions for the application. The application uses systems that have gone through the ATO process to ensure vetted controls could be inherited. As little data as possible is collected to perform the system's function. The PII and non-PII data are encrypted in transit and at rest, with as few users or systems as possible having the ability to decrypt the data. Data integrity is considered through the implementation of rigorous data checks using data schemas.

  • What design choices were made to enhance privacy?

The UICP is using the DOL's AWS cloud to leverage controls from this system that has received an ATO. The system is designed to encrypt information at every step of the process and minimizes the number of people and systems able to decrypt the information. Encrypted PII is stored in a different data store from non-PII in the system.

  • For systems in development, what stage of development is the system in, and what project development life cycle was used?

The system uses an agile software development process and is currently in the development phase in accordance with the DOL System Development Life Cycle Management Manual.

  • For systems in development, does the project employ technology that may raise privacy concerns? If so, please discuss their implementation.

The UICP itself does not include technology that may raise privacy concerns. In its current iteration, identity verification is performed in coordination with login.gov, which has its own Privacy Impact Assessment.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • ETA has completed the PIA for UICP which is currently in development. ETA has determined that the safeguards and controls for this moderate system will adequately protect the information and will be referenced in the UICP System Security Plan.
  • ETA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.