Privacy Impact Assessment - ETA - Workforce Integrated Performance System (WIPS)

OVERVIEW

The system name and the name of The Department of Labor (DOL) component(s) which own(s) the system.

The Workforce Integrated Performance System (WIPS), owned by DOL ETA - OPDR

The purpose/function of the program, system, or technology and how it relates to the component's and DOL mission

WIPS is the performance reporting system used by 15 ETA programs, it is housed within the Business Process Management Platform System (BPMP) which is the Employment and Training Administration (ETA) Appian Platform. The reports collected in this system are used by the ETA for performance accountability purposes.

A general description of the information in the system.

The system contains both individual participant records and aggregate data relating to service provision, demographics, and outcomes of the ETA programs in the workforce system, including information related to if participants received training, obtained employment, retained employment, attained credentials, and their earnings.

A description of a typical transaction conducted on the system.

Most transactions in the system occur when a grantee uploads a csv or txt file that WIPS runs data validation checks and then (if the checks are passed) aggregates into a report (e.g. Quarterly Performance Report (QPR), Annual Performance Report (APR), or Eligible Training Provider (ETP) Report). The grantee then reviews each report for accuracy and certifies the report once they are satisfied it is accurate.

Any information sharing conducted by the program or system.

WIPS receives data from the Grants Management Performance System (GPMS), but it does not send data back.

A general description of the modules and subsystems, where relevant, and their functions.

WIPS has multiple modules. The modules include the WIPS Program User, WIPS Grantee, ETP, WIB Code Management, and WIPS Technical Assistance.  

Where appropriate, a citation to the legal authority to operate the program or system.

As there are a large number of programs utilizing the system, the authority to collect this information comes from a variety of sources, which is outlined in greater detail in the Information Collection Request (ICR) collections OMB Control No. 1205-0526 and 1205-0521, that said, the specific statutory authorities include but are not limited to: WIOA section 116; WIOA section 166; WIOA sections 141-162; WIOA section 167; WIOA section 171; WIOA section 169; WIOA section 170; section 414(c) of the American Competitiveness and Workforce Improvement Act of 1998 (29 U.S.C. § 3224a); title V of the Older Americans Act of 1965 (42 U.S.C. 3056 et seq.); chapter 2 of title II of the Trade Act of 1974 (19 U.S.C. 2271 et seq.); and 38 U.S.C. chapter 41.

CHARACTERIZATION OF THE INFORMATION

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

Members of the public (U.S. Citizens) and other individuals eligible to work in the United States

From whom is information to be collected?

The system collects PII from members of the public who have received services from ETA grantees to generate reports and facilitate program monitoring and oversight, in addition to satisfying statutorily required performance accountability provisions.

Why is the Information being collected?

The PII collected by WIPS is collected in order to comply with the statutory and regulatory requirements for performance accountability.

What is the PII being collected, used, disseminated, or maintained?

• SSN (optional)
• Date of Birth
• Ethnicity (optional)
• Race (optional)
• Sex (optional)
• Veteran Status are all collected

Most are optional for the participants to provide, unless they are tied to eligibility as is sometimes the case with Date of Birth and Veteran Status. Demographic elements are used for disaggregation of outcomes. The system collects SSNs only from a subset of grantees. SSNs are necessary, for programs not administered by a public official (i.e., non-state entities), to obtain employment and earnings outcomes of program participants through the Common Reporting Information System (CRIS). CRIS is a DOL administered wage record interchange process designed to provide employment and earnings outcomes for grantees.

How is the PII collected?

PII are reported into WIPS as a part of the individual records file(s) that grantees submit as a csv, txt, or gzip file.  

How will the information collected from individuals or derived from the system be checked for accuracy?

WIPS conducts a series of validation checks on each file that is submitted to ensure it is formatted
correctly, that the values are within a valid range, that the records are not duplicates, and that the values are logical in relation to the other information provided. There are additional data validation processes and procedures that also take place outside the system by ETA and grantees.

What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?

As there are a large number of programs utilizing the system, the authority to collect this PII comes from a variety of sources, which is outlined in greater detail in the ICR collections OMB Control No. 1205-0526 and 1205-0521, that said, the specific statutory authorities include but are not limited to: WIOA section 116; WIOA section 166; WIOA sections 141-162; WIOA section 167; WIOA section 171; WIOA section 169  ; WIOA section 170; section 414(c) of the American Competitiveness and Workforce Improvement Act of 1998 (29 U.S.C. § 3224a); title V of the Older Americans Act of 1965 (42 U.S.C. 3056 et seq.); chapter 2 of title II of the Trade Act of 1974 (19 U.S.C. 2271 et seq.); and 38 U.S.C. chapter 41.

Privacy Impact Analysis

The risk to privacy is inappropriate handling or disclosure of PII, especially SSNs. Access controls mitigate the risk that data will be compromised. In addition, the SSN column is encrypted to ensure the confidentiality of this data element.  NOTE: 99 percent of individual records submitted by grantees do not contain SSNs.  

DESCRIBE THE USES OF THE PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

Demographic elements are used for disaggregation of outcomes. The system collects SSNs only from a subset of grantees. SSNs are necessary, for programs not administered by a public official (i.e., non-state entities), to obtain employment and earnings outcomes of program participants through the Common Reporting Information System (CRIS). CRIS is a DOL administered wage record interchange process designed to provide employment and earnings outcomes for grantees.

What types of tools are used to analyze data and what type of data may be produced?

Summary reports are produced for national, regional, and initiative levels for the various programs.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

The system derives aggregate data from the collected information.

If the system uses commercial or publicly available data, please explain why and how it is used.

The system does not use publicly available data.

Will the use of PII create or modify a “system of records notification” under the Privacy Act?

The existing SORN – DOL/ETA-4 will have to be revised and updated, when necessary.

Privacy Impact Analysis

The following security controls have been implemented to prevent data from being compromised:

• Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file, which contains SSNs.
• The page for the file upload has Secure Socket Layer (SSL) enabled.
• Secure File Transfer protocol (S-FTP) is used to transfer files from ETA to Kansas.
• Kansas has as S-FTP server and DOL has the S-FTP client.
• Password protected zip files. Files within are also password protected.
• Data is secured in transit with TLS 1.2Data is secured at rest with AES-256-bit encryption.

RETENTION

The following questions are intended to outline how long information will be retained after the initial collection.
The BPMP team is currently working with the DOL Records Office on defining a General Records Schedule (GRS) schedule.  Until the schedule has been defined, the BPMP will continue to retain all records.

What is the retention period for the data in the system?

Indefinite

Is a retention period established to minimize privacy risk?

No

Has the retention schedule been approved National Archives and Records Administration (NARA)?

No

Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?

Please see below.

How is it determined that PII is no longer required?

PII is not required anymore when a participant has fully exited the YouthBuild program.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII.

Please see below.

Privacy Impact Analysis

• Access to the data is strictly controlled by Role-Based Access Control through the use of Appian Groups.
• GPMS will only decrypt an encrypted text value by using a specialized Encrypted Text Field in the browser. The value remains encrypted on the server and is only decrypted when displayed in this specialized field.
• An encrypted text value remains encrypted when stored on the disk
• An encrypted key is unique to each installation of the platform
• Data is secured in transit via HTTPS (TLS 1.2)

INTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII is not shared with internal organizations.

How is the PII transmitted or disclosed?

N/A

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

N/A

Privacy Impact Analysis

N/A

EXTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state, and local government, and the private
sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Information is shared with Kansas Department of Commerce under the CRIS agreement (MOU and ISA). WIPS provides data to Kansas for processing by CRIS. CRIS provides common performance measures for grant programs that do not have the ability to collect common measure outcomes i.e., Entered Employment Rate, Retention Rate, and Average Earnings. Kansas does not return SSNs but rather aggregate data that cannot be attributed to a particular individual.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Yes. Information collected is not altered prior to transmittal to Kansas. ETA has a Memorandum of Understanding (MOU)/Interconnection Security Agreement (ISA) with Kansas. In addition, a SORN has been published in the Federal Register.

How is the information shared outside the Department and what security measures safeguard its transmission?

The following controls are in place for submitting data to the Kansas Department of Commerce:

• Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file, which contains the PII.
• Secure File Transfer protocol (S-FTP) is used to transfer files from ETA to Kansas.        
• Kansas has an S-FTP server and DOL has the S-FTP client.
• The Kansas Local Area Network ( LAN) has an overall Security Categorization of Moderate

How is the information transmitted or disclosed?

Secure File Transfer protocol (S-FTP) is used to transfer files from ETA to Kansas. Kansas has an S-FTP server and DOL has the S-FTP client.

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If the answer is yes, be prepared to provide a copy of the agreement in the event of an audit as supporting evidence.

ETA has a Memorandum of Understanding (MOU) and Interconnection Security Agreement (ISA) with Kansas Department of Commerce and the Kansas Department of Commerce- America's Job Link Alliance – Technical Support (referred to collectively as Kansas).

How is the shared information secured by the recipient?

Information is stored on the Kansas System on a Nimble Network-Attached Storage (NAS) (Nimble) and managed through Microsoft SQL Server. Users connect to the network via a Cisco VPN for secure communications and to the database management server via both Windows and MS SQL Server authentication. Both the database server and Nimble devices are maintained on virtual private networks, which are isolated from public access points. All software and hardware use limited ports for internal communications. Movement of data between the Nimble and local workstations is limited, and only done when absolutely essential to completing specific tasks. All data are encrypted prior to transfer and stored on an encrypted local drive. All data files that reside on local machines are shredded in compliance with Internal Revenue Service (IRS) Publication 1075 standards.

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

• Cybersecurity and Privacy Awareness Training
• Contractor Role Based Training

Privacy Impact Analysis

Given the external sharing of data, ETA identified privacy risks to include inadvertent disclosure of confidential information. For that reason, ETA established an MOU/ISA with Kansas and implemented various security controls as mentioned above.

NOTICE

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal

Register Notice. If notice was not provided, please explain.

Yes, notice is provided to individuals (participants).

Do individuals have the opportunity and/or right to decline to provide information?

Yes. SSN disclosure must be voluntarily provided by the individual and cannot deny the participant access to services if the SSN is not provided.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

No.

Privacy Impact Analysis

Individuals are informed that providing SSNs is voluntary.

INDIVIDUAL ACCESS, REDRESS, AND CORRECTION

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

Participants do not have access to WIPS.  The reporting system is not used for case management.

What are the procedures for correcting inaccurate or erroneous information?

Participants work with grantees to make update to the information in the grantees' case management system so that it is corrected when it is reported to ETA (via WIPS).

How are individuals notified of the procedures for correcting their own information?

Grantees systems for collecting this information from participants will vary, so that process will depend on what the procedures are in each state/program.

If no formal redress is provided, what alternatives are available to the individual?

N/A

Privacy Impact Analysis

Individuals have the right to withdraw from or not participate in the program.

TECHNICAL ACCESS AND SECURITY

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

Program managers, IT specialists, and Federal analysts have general access to the system, and registered users from the public have limited access.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

Yes

Does the system use “roles” to assign privileges to users of the system? If yes, describe the roles.

Yes.  The System has a built-in Role-Base Access Control (RBAC) framework based around Appian Groups.  Appian Groups are used to control access to processes and interfaces within an Appian application.  At a high level, these roles include:

• Basic User roles – the least privilege role needed for a user to interact with the appropriate processes and interfaces within a specific application
• Privileged User roles – these roles are for assigning user access within an application by being able to add or remove users to Basic User roles
• System Administrator roles – uses with this role have full privileges on the platform, including updating code, monitoring processes, and changing configuration

What procedures are in place to determine which users may access the system and are they documented?

To request an account for WIPS, a user must submit a ticket to the WIPS Help Desk, stating the role being requested.  An application administrator will review the request, and if all required information and forms are provided, their account will be provisioned using the WIPS User Access control module.

How are the actual assignments of roles and Rules of Behavior, verified according to established security and auditing procedures? How often training is provided? Provide date of last training.

Rules of Behavior forms are required to be signed before a user can have their account provisioned on WIPS.  Role assignment is verified by assigning a user to the appropriate Appian Groups, which authorize the user's access to the appropriate application-level access.  Training is required for all users annually using DOL's Cybersecurity and Privacy Awareness Training.  The last round of training was completed on 6/30/2022.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

• Cybersecurity and Privacy Awareness Training
• Contractor Role Based Training

What auditing measures and technical safeguards are in place to prevent misuse of data?

Data is encrypted in the database and an audit trail of activities performed on the database is tracked.  Data is also encrypted in transit using TLS 1.2.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes – BPMP is in Ongoing-Authorization which conducts a Security Assessment every year.

Privacy Impact Analysis

• MOU/ISA between ETA and Kansas to address key issues.
• Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file, which contains the SSNs.
• The page for the file upload has Secure Socket Layer (SSL) enabled but will not have third-party verification.
• Secure File Transfer protocol (S-FTP) is used to transfer files from ET A to Kansas. Kansas has an S-FTP server and DOL has the S-FTP client.
• Files are password protected.

TECHNOLOGY

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The WIPS is a custom designed application built on top of a purchased platform-as-a-service instance of Appian's low-code development software.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

The Department of Labor built WIPS on top of a Federal Risk and Authorization Management Program (FedRAMP)-compliant Appian Cloud.  This allowed for the development of applications which leverage the built-in Appian Security Framework without writing any custom code.  WIPS development was preformed followed DOL Center of Excellence guidelines utilizing an Agile development process which required consistent review of all aspects of the application development.

What design choices were made to enhance privacy?

WIPS was developed using Appian best practices making use of the built-in permissions framework using Appian Groups.  WIPS is reviewed for alignment with Center of Excellence guidance around least-privileged object configuration for supporting application operations

For systems in development, what stage of development is the system in, and what project development life cycle was used?

WIPS is in the Production environment, and in the development, maintenance, and enhancement phase of the software development life cycle.

For systems in development, does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

N/A

DETERMINATION

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

• ETA has completed the PIA for WIPS which is currently in operation.
• ETA has determined that the safeguards and controls for this moderate system adequately protect the information.
• ETA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.