DOL — National Contact Center (DOL-NCC) 2

Overview

The Department of Labor (DOL) National Contact Center (NCC) supports the mission and goals of the Department by providing the public with consistent, accurate, and understandable information services covering a wide range of Departmental programs and initiatives.  Currently, DOL-NCC directly supports multiple DOL agency citizen-centric information service programs, with the capability to support additional programs and lines of business as needed by the Department. Currently supported programs include:

  • Office of Public Affairs (OPA) General Purpose inquiries
  • Employment and Training Administration (ETA)
  • Job Corps (JC)
  • Mine Safety and Health Administration (MSHA)
  • Occupational Safety and Health Administration (OSHA)
  • Office of Disability Employment Policy (ODEP)
  • Office of Small Disadvantaged Business Utilization (OSDBU)
  • Veterans Employment and Training Service (VETS)
  • Wage and Hour Division (WHD)
  • Women's Bureau (WB)

Introduction

The DOL-NCC delivers its services via an enterprise knowledge base managed within a Customer Relationship Management (CRM) system and telecommunications services infrastructure. DOL-NCC is currently located at three (3) sites across the country that include the NCC National Office in Washington, D.C. at the Frances Perkins Building (FPB) and two contractor-operated locations. Multiple site locations are necessary because DOL-NCC is an integral part of the DOL Continuity of Operations Plan (COOP), which may be activated to respond to emergencies. In addition, there are home-based staff located across the country. 

The DOL-NCC directly supports all of the Department's strategic goals by providing American public customers across the nation with timely, accurate, and understandable information for a wide range of Departmental programs and services.  To accomplish this, the DOL-NCC interacts with customers through the communication vehicle of their choice including telephones, self-service on the web, texting, email, U.S. mail, and chat.  The DOL-NCC is a "multi-channel contact center" that supports public communications by providing live customer service support for telephone, voice mail, texting, faxing, chat, U.S. mail, and email communication methods.  In addition, DOL-NCC provides self-service communications on the web, Interactive Voice Response (IVR), web-enabled calling Voice over Internet Protocol (VoIP), voice recognition, and text-to-speech technologies.

To deliver the set of services provided by the NCC, the DOL has engaged in a collaborative relationship with a contractor that provides a fully integrated Tier 0 (self-service), Tier 1 (first contact), Tier 2 (program escalation support), and Information Technology (IT) systems (service desk customer support) solutions to support the Department. The scope of services for DOL-NCC provides the Department with a flexible yet uniform multi-channel contact center vehicle through which component agencies will participate in the DOL-NCC and secure contact center services. The centralized contact center approach presents an integrated front to the customer, creates economies of scale, and provides the ability to leverage capabilities for all customer services from all communication channels offered through the DOL-NCC.  Any DOL agency may participate in the DOL-NCC. Additional agencies that choose to leverage the NCC will furnish to the contractor their contact center mission, objectives, program-specific requirement objectives, performance metrics, and any other specific information for incorporation into the contact center's systems, staffing configurations, and operational flows. 

The system name and the name of the DOL component(s) which own(s) the system.

This privacy impact assessment is for the Department of Labor National Contact Center (DOL-NCC) system. The DOL Office of Public Affairs is the system owner for DOL-NCC.

The purpose/function of the program, system, or technology and how it relates to the component's and DOL mission

The Department of Labor originally established the National Contact Center (NCC) in September 2001 to support the mission and goals of the U.S. Department of Labor by providing the public with consistent, accurate, and understandable information services covering a wide range of Departmental programs and initiatives through nationwide toll-free, e-mail, and texting services. DOL-NCC delivers this service as the answers to frequently asked questions (FAQs), referral information, fulfillment of product and service requests, and complaint intake. The DOL-NCC's main toll-free help line, 1-866-4-USA-DOL, is the universal access point to all of DOL.

The Department of Labor (DOL) National Contact Center (NCC) supports the mission and goals of the Department by providing the public with consistent, accurate, and understandable information services covering a wide range of Departmental programs and initiatives.  Currently, DOL-NCC directly supports multiple DOL agency citizen-centric information service programs, with the capability to support additional programs and lines of business as needed by the Department.

A general description of the information in the system.

The DOL-NCC system stores and uses information describing contacts (customer interactions) with the contact center such as questions about DOL programs, requests for assistance, or other service requests. The system employs audio recording capabilities to create and store audio of telephone calls answered by contact center agents. The system also stores incoming and outgoing messages received by the contact center through channels other than telephony, such as email, web chat, or text messaging. 

A description of a typical transaction conducted on the system.

Typical DOL-NCC transactions are incoming telephone calls, emails, or other electronic inquiries by employers or individuals asking questions about or requesting assistance with various DOL programs and services. A single transaction comprises the entire telephone call and any information captured by contact center agents to document the purpose of the call, details of any information or service requests, and actions taken to respond to, resolve, or handle those requests.

Any information sharing conducted by the program or system.

The DOL-NCC system does not share any information outside the Department other than public program information or program information communicated by NCC staff specifically pertaining to an individual or employer who contacts the NCC. Information sharing is limited to information received from or transmitted to the programs and lines of business the contact center serves.

A general description of the modules and subsystems, where relevant, and their functions.

The DOL-NCC system comprises a customer relationship management (CRM) application (Salesforce), a telephony and multi-channel communication application (NICE inContact), and a secure file sharing application (Box). The CRM application is used to record information about calls or other contacts received by the NCC. The telephony application is used by NCC agents to receive calls or other types of contacts from NCC customers, and to create and store recordings of those calls. The file sharing application is used to provide a secure mechanism for OPA and other program stakeholders to transmit files to the DOL-NCC contractor and vice versa.

Where appropriate, a citation to the legal authority to operate the program or system.

The DOL National Contact Center supports at least 10 different programs/business areas across the Department. Each of these programs or lines of business operates under legislative and/or executive authority. The legal authority to operate the NCC derives from the DOL programs and business functions the contact center serves.

A description of why the PIA is being conducted.

A privacy impact assessment is being conducted for DOL-NCC as part of the artifacts and information required to be included in the system's request for an authorization to operate, and because the operational scope of the system – and the project the system supports – includes the collection and storage of PII.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

The DOL-NCC system collects PII from members of the public who call or otherwise contact the NCC.

From whom is information to be collected?

PII is collected from individuals who call, email, or otherwise initiate contact with the NCC, including employers and individual members of the public who may be beneficiaries of DOL programs or who may be seeking information about DOL programs or services.

Why is the Information being collected?

PII is collected from callers to the NCC to enable contact center staff to handle requests efficiently and effectively, including referring requests to DOL program personnel for responses or resolution.

What is the PII being collected, used, disseminated, or maintained?

PII collected by DOL-NCC includes individual contact information (e.g., name, mailing addresses, telephone numbers, and email addresses).

How is the PII collected?

PII is collected by telephone, email, web chat, or online requests submitted through the DOL website.

How will the information collected from individuals or derived from the system be checked for accuracy?

PII collected from an individual over the phone is verbally repeated back to the individual to verify that the collected information is accurate as provided by the individual. PII collected via email or submitted through the DOL website is assumed to be accurate because the information is provided in written form by the individual.

What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?

The NCC supports at least 10 different programs/business areas across the Department. Each of these programs or lines of business operates under legislative and/or executive authority. The legal authority to operate the NCC derives from the DOL programs and business functions the contact center serves.

Privacy Impact Analysis

PII collected by the NCC is the minimum necessary information to effectively answer questions and respond to service requests submitted by individuals contacting DOL via the contact center. The PII used by DOL-NCC is primary contact information, so the primary risk related to this data is unauthorized disclosure of names or contact information about individuals who engage in interactions with the contact center. These privacy risks are mitigated through a layered set of security and privacy mechanisms that restrict access to PII, protect the confidentiality and integrity of PII stored within the system, and continuously collect activity logs and monitor the system to detect and prevent unauthorized intrusions of the system or modification of the data maintained within the system.

Describe the Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

PII is collected by DOL-NCC to enable NCC and DOL staff to accurately and expediently respond to requests received via the contact center. Collected PII enables designated and authorized NCC staff and DOL program personnel or subject-matter experts to follow up with individuals who have contacted the NCC. For some programs NCC supports, PII is collected to provide a point of contact for issuing or communicating notices in compliance with regulatory requirements. PII is also collected to allow requested materials (brochures, posters, etc.) to be sent to individuals / businesses requesting the materials.

What types of tools are used to analyze data and what type of data may be produced?

A CRM application is used to maintain records of inquiries and requests handled by the contact center, which can produce summary reports by DOL program, type of request, etc. The telephony application enables call recording and playback of audio files to conduct quality assurance activities and help ensure agents provide the appropriate responses to callers.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No new data is derived or created about individuals; only records of existing PII are stored within the system.

If the system uses commercial or publicly available data, please explain why and how it is used.

Some of the information requested by or provided to customers of the contact center is publicly available through other DOL channels, including the Department's website (www.dol.gov). Information about DOL programs served by the NCC is stored within the CRM knowledge base so that it is accessible to contact center agents to help them respond efficiently and effectively to customer requests.

Will the use of PII create or modify a "system of records notification" under the Privacy Act?

No. The DOL-NCC system is not a system of records under Privacy Act regulations and there is no separate system of records notice for the system.

Privacy Impact Analysis

PII collected and stored by the DOL-NCC system is protected using a layered set of security and privacy mechanisms to safeguard the confidentiality and integrity of information. These mechanisms include perimeter network security protections, intrusion detection and prevention, user authentication and authorization, and logging and monitoring of activity within the system. NCC staff attend security and privacy awareness training as well as job-specific training specific to their roles on the project.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

Contact center records associated with most DOL programs are typically retained for 30 days within NICE InContact. Each program/line of business establishes its own records schedule so in some cases the retention period for contact center records could be longer than 30 days to comply with regulations or requirements applicable to those programs.

Is a retention period established to minimize privacy risk?

Yes. PII collected by DOL-NCC is the minimum necessary to respond to requests from contact center customers, and in general is limited to names and contact information (mailing addresses, phone numbers, email addresses).

Has the retention schedule been approved by the National Archives and Records Administration (NARA)?

Yes. The record retention requirements for DOL-NCC have been specified by OPA. Each program/line of business served by the contact center has established its own NARA-approved records schedule.

Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, what efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

PII collected by DOL-NCC is the minimum necessary to respond to requests from contact center customers, and in general is limited to names and contact information (mailing addresses, phone numbers, email addresses). PII is collected and used to respond to specific customer requests, so this information is not maintained any longer than necessary and records are removed after 30 days. All call recordings are configured in NICE InContact to be deleted automatically after 30 days. Voicemail backup is removed manually on a monthly cadence. Any voicemail older than 30 days is deleted during the first week of each month.

Have you implemented the DOL PII Data Extract Guide for the purpose of eliminating or reducing PII?

PII collected, used, and stored by DOL-NCC includes names and contact information and is limited to the minimum necessary to enable effective responses to inquiries and requests received by individuals through the contact center.

How is it determined that PII is no longer required?   

PII is collected and used to respond to specific customer requests received through the contact center, so this information is not required after responses to requests are completed.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?

PII is routinely eliminated from the system once it is no longer needed. All call recordings are configured in NICE inContact to be deleted automatically after 30 days. Voicemail backup is removed manually on a monthly cadence. Any voicemail older than 30 days is deleted during the first week of each month.

Privacy Impact Analysis

Risk associated with collecting and storing PII within the DOL-NCC system is mitigated by collecting the minimum necessary information, retaining the information for as short a time as possible, and protecting the information using a layered set of security and privacy mechanisms to safeguard the confidentiality and integrity of information.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII (names and contact information for individuals who engaged with the NCC) is shared within DOL with programs and lines of business served by the contact center for the purpose of responding to customer requests.

How is the PII transmitted or disclosed?

PII is transmitted electronically (via telephone, email, or file sharing) to authorized DOL personnel.

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

DOL programs and lines of business served by the contact center determine what types of requests will be handled and what PII must be collected to ensure those requests can be handled properly. Each program makes its own determination regarding when any type of personally identifiable information is no longer needed.

Privacy Impact Analysis

The scope of internal information sharing by the DOL-NCC system is limited to authorized transmission or disclosure of information to DOL programs that need the information to accurately respond to inquiries or requests submitted through the contact center. The risk associated with internal information sharing is mitigated by ensuring that only secure transmission channels are used to communicate PII and that information is shared only with authorized DOL personnel.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state, and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

There is no external information sharing by the DOL-NCC system.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Not applicable. There is no sharing of PII outside the Department.

How is the information shared outside the Department and what security measures safeguard its transmission?

Not applicable. There is no sharing of PII outside the Department.

How is the information transmitted or disclosed?

Not applicable. There is no sharing of PII outside the Department.

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared?

Not applicable. There is no sharing of PII outside the Department and no MOUs are in place.

How is the shared information secured by the recipient?

Not applicable. There is no sharing of PII outside the Department.

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

Not applicable. There is no sharing of PII outside the Department.

Privacy Impact Analysis

Not applicable. There is no sharing of PII outside the Department.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix.  A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice.  If notice was not provided, please explain.

PII is only collected from individuals when the customer chooses to share PII for further resolution of their issue. Verbal notice is provided to individuals prior to collecting PII, and such collection only occurs when the customer consents to provide it. DOL Privacy Program information is publicly available from the Department's website, including the web page for the National Contact Center (https://www.dol.gov/general/contact/contact-phone-call-center). Call center scripts include pre-recorded messages that callers hear from the NCC's integrated voice response (IVR) tool and general NCC and line-of-business specific scripts used by agents when interacting with callers/consumers.

Do individuals have the opportunity and/or right to decline to provide information?

Individuals are not required to provide personal information, although they are informed by NCC staff that if they choose not to provide contact information there are some requests that cannot be fulfilled. For example, DOL cannot mail information to customers if the customers refuse to provide a mailing address.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

Collection of PII from individuals only occurs for a specific purpose, that is, in order to respond to a specific inquiry or request from the individual. Consent to collect personal information is associated with each specific request from an individual.

Privacy Impact Analysis

Contact center staff inform customers about what personal information will be collected and how it will be used. This notice may be provided verbally (over the phone) or in written form. Notice about collection and use of personal information is also maintained on the DOL website (www.dol.gov/general/privacynotice) and all collection and use of PII by NCC complies with that published notice. If individuals do not consent to provide personal information, no personal information is collected.

Individual Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

Individuals may contact the NCC and request details about an inquiry or request they have previously submitted to the contact center, including the information collected as part of that previous interaction.

What are the procedures for correcting inaccurate or erroneous information?

Information associated with an inquiry or request is stored in the CRM application. Changes to existing records require escalation to or approval by contact center supervisors or content specialists.

How are individuals notified of the procedures for correcting their own information?

Where applicable, individuals are notified of the need to collect and use their information at the time they make an inquiry or request through the NCC. NCC staff rely on individuals to provide accurate contact information for themselves so any correction to this information must be initiated by the individual.

If no formal redress is provided, what alternatives are available to the individual?

There is no formal redress related to collection and use of the PII collected by the contact center. If applicable, redress for use of PII would be handled through the program associated with the inquiry or request.

Privacy Impact Analysis

PII collected by the NCC is limited to name and contact information, so the privacy risk is relatively low. Privacy risk is mitigated by ensuring that consent is obtained before collecting PII and by safeguarding the confidentiality and integrity of PII once stored in the system.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

Only NCC staff have access to the system. This includes contact center agents and supervisors, operations and program managers, and IT administrators. There is no public access to the system, or the information stored within the system.

Will contractors to DOL have access to the system?  If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

Yes. DOL-NCC staff are contractors working on behalf of DOL.

Does the system use "roles" to assign privileges to users of the system?  If yes, describe the roles.

Yes, access to the system is role-based. There are application administrators for each application within the system who configure the CRM, telephony, and file sharing applications and provision authorized end users with access to those applications. Non-administrators (call center agents, supervisors, and operations and program managers) have the same access rights to information in the applications they use.

What procedures are in place to determine which users may access the system and are they documented?

All authorized users of the DOL-NCC system are contractors staffed explicitly to work on the NCC project. These users must undergo security and privacy awareness training and multiple job-specific training courses before being granted access to the system. Training and access procedures are fully documented as part of overall program management.

How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures?  How often is training provided? Provide date of last training.

Training for all DOL-NCC staff is performed within the first two weeks after hire and before staff are given access to the system or begin handling customer interactions. Security and privacy refresher training is administered at least once per year. Upon successful completion of training, including acknowledgement of applicable acceptable use policy and rules of behavior, staff members are provisioned access to DOL-NCC applications based on the needs associated with the role for which they were staffed on the project. Last training was conducted on 03/08/2022.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

All DOL-NCC staff receive privacy awareness training within the first two weeks of hire and at least annually thereafter. Privacy training includes content on legal and regulatory drivers for privacy (such as the Privacy Act), privacy principles and practices, and safeguarding personally identifiable information, company or DOL-confidential information, and other types of sensitive data.

What auditing measures and technical safeguards are in place to prevent misuse of data?

All system users are limited to using NCC applications and information for which they are explicitly authorized. User activity monitoring is implemented through audit logging, endpoint detection and response agents, web content filtering, and Internet/web proxy infrastructure.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

All DOL-NCC data is stored and used within an environment that meets FISMA requirements as implemented through NIST Special Publication 800-53 Revision 4 and the Federal Risk and Authorization Management Program (FedRAMP). The DOL-NCC system received conditional approval to operate in November 2020 and underwent a full security assessment and authorization process in August 2022.

Privacy Impact Analysis

The DOL-NCC system collects, uses, and stores only names and contact information, which constitute PII of relatively low sensitivity. All NCC applications and information are operated within cloud computing environments that are FedRAMP-authorized at the Moderate impact level. The security controls implemented by the application cloud service providers, the NCC contractor, and DOL collectively provide adequate protection for the confidentiality, integrity, and availability of the system and the information it contains.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The DOL-NCC system comprises multiple commercial off-the-shelf software products delivered in a cloud-based software-as-a-service model. The system implements purchased software applications and pre-built integration interfaces provided by the application vendors.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

All system applications used by DOL-NCC are FedRAMP-authorized at the Moderate impact level and already authorized to operate by multiple federal civilian agencies. This authorization status indicates that the applications the system comprises implement security and privacy controls adequate to protect the confidentiality, integrity, and availability of the system and the information it contains, including PII.

What design choices were made to enhance privacy?

The DOL-NCC system reflects privacy-enhancing design decisions by implementing strict role-based access control and an underlying data model that limits the collection and use of PII to the minimum necessary to deliver contact center services. The system also implements encryption of data in transit and data at rest across the authorization boundary, continuous monitoring of system activity and end-user behavior, and processes to remove PII from the system when it is no longer being used.

For systems in development, what stage of development is the system in, and what project development life cycle was used?

DOL-NCC is in the Operations and Maintenance stage of the DOL System Development and Lifecycle Management (SDLCM).

For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.

The system implements call recording for all NCC calls. The collection and storage of unstructured data in recorded audio files potentially raises privacy concerns due to the possibility that sensitive PII beyond the name and contact information typically needed to respond to customer requests will be shared by callers to the contact center and subsequently recorded and stored. The contact center project minimizes this risk by routinely removing stored audio files after they have been subject to quality assurance auditing or other intended purposes.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • Cognosante has completed the PIA for DOL-NCC, which is currently in operation. Cognosante has determined that the safeguards and controls for this moderate system will adequately protect the information.
  • Cognosante has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.