OSHA — Business Information Systems (OBIS)

1.1 Overview

The OSHA Business Information System (OBIS) is a consolidated major application (MA) system that is comprised of three minor applications (MI) for processing and supporting business functions in OSHA. The function of this system is to collect and process data from the different MIs. OBIS is hosted in a physical server and virtualized environment in a secure data center located in Sandy, Utah and Washington, D.C. The alternate site for Sandy, Utah is located at the Frances Perkins Building (FPB) in Washington, D.C and the alternate for FPB is located at Sandy, Utah. Access to the data centers is controlled through physical and logical security controls, which includes video surveillance, security guards, and an access control system.

OBIS accreditation logical boundaries include web applications, databases, web services, web content, and application development. The major application's legacy component is connected to the SunGard mainframe and Bank of America's LockBox. An interconnection agreement exists in support of the connection with LockBox. Infrastructure lines of demarcation are directly connected and managed via a memorandum of understanding.

The subsystems functionality is supplied via web-services located on intranet and extranet sites. OBIS includes web page development services, including dynamic database driven content and database management, and application development.

OBIS major application is comprised of the following MIs: Legacy Integrated Management Information System (Legacy-IMIS), Web Integrated Management Information System (WebIMIS), and OSHA Web Services (OWS).

  • Legacy IMIS provides planning, managing, tracking, and reporting functionality for its programs and services. The IMIS Host Computer Facility supports a National consolidated database system for collecting, manipulating, maintaining, and retrieving enforcement, consultation, and discrimination data. The National database contains a variety of information, including inspection history for specific establishments, citations issued, penalties assessed and paid, accidents and injuries, standards cited, complaints received and investigated, referrals, cases contested, State Programs activities, Federal Agency Programs activities, consultation visits, and discrimination investigations.

WebIMIS applications are Web-based systems enabling users to access and manipulate IMIS data. The system is developed using Oracle 10g Technologies and offers a high assurance, scalable and redundant infrastructure for high system availability. The system is accessible over the Internet or ECN/DCN GSS. WebIMIS is comprised of 6 sub-components:

  1. Whistleblower application: supports the Directorate of Whistleblower Protection Programs for case lifecycle management.
  2. Consultation Form 33, Safety and Health Assessment: supports the Directorate of Cooperative and State Programs (DCSP) in providing a tool for analyzing a company's safety and health program.
  3. OSHA's Voluntary Protection Plan Automated Data System (VADS): supports tracking of OSHA's program to promote effective worksite-based safety and health. Voluntary Protection Program (VPP) sets performance-based criteria for a managed safety and health system, invites sites to apply, and then assesses applicants against these criteria
  4. OSHA's Partnership (OSPADS): integrates partnership evaluations with other IMIS activities in the consultation and enforcement portions of the OSHA program.
  5. Activity and Hours (A&H): provides tracking for Compliance Assistance activities, and recording Activity Hours related to Consultation, Enforcement, Whistleblower, Voluntary Protection Program (VPP), OSHA Strategic Partnerships Program (OSPP), and Alliance Program.
  6. OSHA Maritime and Crane: allows the Directorate of Enforcement Programs (DEP) to issue, track, and renew Maritime Crane Certification related to OSHA-71 and OSHA-72 forms. The system also allows accredited employers to fill in the forms online.
  • OSHA Web Services (OWS): provides webpage development services including, dynamic database driven content and database management, application development, operating system management, and server hardware management. OWS provides hosting services to the OBIS Minor Applications, the OSHA public website, the OSHA intranet/extranet internal website, the joint US / European Union website, the joint Tri-National website, the whistleblowers website, and several applications.

1.2 Characterization of the Information

What are the sources of the PII in the information system?

  • Obtained from individuals or business entities.
  • Complainant provides information by filing a complaint.
  • Users voluntarily submit non-sensitive PII in order to use specific services.

What PII is Collected?

  • Non-Sensitive PII — First and/or Last Name; Business Address, Telephone Number, Email Address; Home Address, Telephone Number, Email Address; DOL Employee Name, Work Contact Telephone Number, and Work Email Address.

How is the PII collected?

  • System updates by CSHO from inspections and investigations.
  • Complainants provide the information either orally or in writing, and then the information is entered into the OBIS Application.
  • Web-based forms.

How will the information be checked for accuracy?

  • Edit checks are in place within the application to ensure accuracy of data input. In addition, information may be verified by the investigator of the case.
  • Technical controls are in place as data is checked during submission on the form. The contact information is verified or rejected as the minor applications attempt to provide the requested services, some applications use automated means and some require human intervention.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

  • Occupational Safety and Health Act of 1970, 29 U.S.C. 651, et seq.
  • Surface Transportation Assistance Act of 1982, 49 U.S.C. 31105
  • Asbestos Hazard Emergency
    Response Act of 1986, 15 U.S.C. 2651
  • International Safe Container Act, 46 U.S.C. 80507
  • Safe Drinking Water Act, 42 U.S.C. 300j — 9(i)
  • Energy Reorganization Act of 1974, as amended, 42 U.S.C. 5851 Comprehensive Environmental Response, Compensation and Liability Act of 1980, 42 U.S.C. 9610(a) — (d)
  • Federal Water Pollution Control Act, 33 U.S.C. 1367
  • Toxic Substances Control Act, 15 U.S.C. 2622
  • Solid Waste Disposal Act, 42 U.S.C. 6971
  • Clean Air Act, 42 U.S.C. 7622
  • Wendell H. Ford Aviation Investment and Reform Act for the 21st Century, 49 U.S.C. 42121
  • Sarbanes-Oxley Act of 2002, 18 U.S.C. 1514A
  • Pipeline Safety Improvement Act of 2002, 49 U.S.C. 60129
  • Federal Rail Safety Act, as amended by §1521 of the 9/11 Act of 2007, 49 USC §20109
  • National Transit Security Systems Act, §1413 of the 9/11 Act of 2007, 6 USC §1142
  • The standard DOL web privacy policy is posted on the OSHA.gov website; users of OSHA Web Services voluntarily submit non-sensitive PII in order to use specific services.

Privacy Impact Analysis

  • Privacy risks are low because of access, physical and logical security controls that are implemented throughout OBIS.

1.3 Uses of the PII

Describe all the uses of the PII

  • Used for OSHA investigations, inspections, accidents and fatality reporting.
  • Requires contact with complainants and responders during the course of investigations.
  • Non-sensitive PII is used for contacting users for mailing of OSHA publications and responding to online complaints.

What types of tools are used to analyze data and what type of data may be produced?

  • Basic automated data checking during submission. No data is reused, produced in another form, or displayed.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?



If the system uses commercial or publicly available data, please explain why and how it is used.

  • Postal Zip Code data; A table is used to validate all zip codes that are entered.
  • Data is used only for the purpose of contacting the requesting web users.

Will the use of PII create or modify a “system of records notification” under the Privacy Act?



Is the agency's use of PII regarding third-party website or application consistent with all applicable laws, regulations and policies?




Privacy Impact Analysis

  • Adheres to all federally mandated, DOL, and OSHA controls. Access, authentication and authorization controls are built into the applications.

1.4 Retention

How long is information retained in the system?

  • Indefinitely. Information and emails are retained in accordance with OSHA and Minor application owner policies.

Is a retention period established to minimize privacy risk?



Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?



What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

  • Review business retention requirements

How is it determined that PII is no longer required?

  • Business Functionality determines when PII is no longer required.

Privacy Impact Analysis

  • There is a low level of risk with misuse of private data, primarily due to inadvertent use of protocol sharing of the data that does not conform to the standards.

1.5 Internal Sharing and Disclosure

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

  • The PII data is used by authorized OSHA area, regional and national office employees.
  • Information is shared within OSHA and other internal agencies as required.

How is the PII transmitted or disclosed?

  • Transmitted via network resources.
  • OBIS applications use SSL for encryption, LDAP for user authentication and application authorization through database roles and privileges.
  • Automated emails are directed only to system owners or a gatekeeper.

Privacy Impact Analysis

  • If information is provided under FOIA, critical data is redacted in the data file; data is encrypted. Possible low level risk include emails which are not encrypted could be intercepted; however these are only sent to specific system owners or gatekeepers all internal to DOL. Exception to this process is the online complaint form in which emails are sent externally to OSHA state gatekeepers. PII contained in these emails are non-sensitive and publicly available.
  • Additionally, a database administrator, (DBA) could access the information using SQL statements. However, DBAs are governed by DOL and OSHA policy regarding disclosure and separation of duties.

1.6 External Sharing and Disclousre

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

  • PII information is occasionally shared with other government agencies, on a need-to-know basis, with adequate safeguards against public disclosure. The cases which include the PII data may be reported to Congress. Aggregated data such as numbers of complaints received annually under each of the laws, the number of complaints dismissed or found in favor of complainants, etc., are publicly disclosed in a variety of ways.
  • Complaints submitted in the jurisdiction of a state Occupational Safety and Health ( OSH) plan are sent to the state's gatekeeper via email.

Is the sharing of PII outside the Department compatible with the original collection?



How is the information shared outside the Department and what security measures safeguard its transmission?

  • External information requests are processed by the department and transmission modes are compliant with the request securely. OBIS system employs NIST 800-53 Security Controls for risk mitigation, security safeguards against risks, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.

Privacy Impact Analysis

  • PII information is occasionally shared with other government agencies, on a need-to-know basis. NIST 800-53 Security Controls are implemented for risk mitigation, security safeguards against risks, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.

1.7 Notice

Was notice provided to the individual prior to collection of PII?



Do individuals have the opportunity and/or right to decline to provide information?



Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

  • The individual is protected under the Privacy Act. The data is used only as part of an investigation and individuals waive the right to consent to particular uses of the information, once they submit a complaint. An individual has the right not to provide PII and by submitting their information they automatically consent to its use according to the DOL web Privacy and Security Statement.

Privacy Impact Analysis

  • Individuals are notified of the fact that OSHA electronically manages the data they have voluntarily submitted; however, as this data is for internal and exclusively government use, and very limited disclosures (to respondents, other agencies, and Congress) are mandated by law, there is minimal risk. This risk is mitigated by controlling access to the system.
  • The "Privacy and Security Statement" link is on the bottom of all OWS pages. It's possible that users won't click on the link and view the policy. However, the individuals are fully aware of the information collection since they are specifically entering their information in the minor applications.

1.8 Access, Redress, and Correction

What are the procedures that allow individuals to gain access to their information?

  • Requests may be submitted by fax, courier services, mail, or to foiarequest@dol.gov. In order to protect your privacy, when you make a written request for information about yourself you must provide either a notarized statement or a statement signed under penalty of perjury stating that you are the person you claim to be. You may fulfill this requirement by: (1) having your signature on your request letter witnessed by a notary, or (2) pursuant to 29 U.S.C. 1746 (2) including the following statement just before the signature on your request letter: "I declare under penalty of perjury that the foregoing is true and correct. Executed on [date]." If you request information about yourself and do not provide one of these statements, your request cannot be processed under the Privacy Act.
  • OSHA application support is available by contacting the OSHA Application Support team at OSHAapplications@dol.gov.

What are the procedures for correcting inaccurate or erroneous information?

  • In the case of inspections and investigations, the user notifies the Regional Office that performed the inspection or investigation.
  • For some minor applications, if an individual enters incorrect information they will not receive the services of the minor application collecting it. They will have to reenter their information again to obtain access to those services.

How are individuals notified of the procedures for correcting their information?

  • Individuals are notified verbally and are provided a written statement for their review. If their contact information is entered incorrectly there is no way to contact them.

If no formal redress is provided, what alternatives are available to the individual?

  • The user may contact an OSHA office.
  • User will have to re-enter their information again to obtain access to services.

Privacy Impact Analysis

  • There are no risks associated with the redress information.
  • Correction is accomplished by the individual submitting correct information to access the specific service.

1.9 Technical Access and Security

What procedures are in place to determine which users may access the system and are they documented?

  • Users are granted access only after completing and signing an account request form and it is received from an authorizing security manager indicating the user's role and assigned reporting office(s).
  • System administrators and database administrators are required to sign Rules of Behavior and are officially appointed with a Letter of Appointment. This process is documented in an OWS Standard Operating Procedure.
  • Authorization Procedures are outlined in the OBIS SOPs and SSP.

Will Department contractors have access to the system?


Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

  • DOL-wide Information Systems Security and Privacy Awareness Training is mandatory for all personnel connecting to the network or has access to OSHA data. Additionally, personnel with security responsibilities are required to complete role-based training.

What auditing measures and technical safeguards are in place to prevent misuse of data?

  • NIST 800-53 Security Controls, Homeland Security Presidential Directive 12 (HSPD-12) and Identity Verification which is used for personnel security.
  • Database auditing is implemented.

Privacy Impact Analysis

  • OSHA Controlled Unclassified Information (CUI) are protected utilizing best security practices and redaction is employed for hard copies. NIST 800-53 Security Controls are implemented for risk mitigation, security safeguards against risks, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.

1.10 Technology

What stage of development is the system in, and what project development life cycle was used?

  • Operations and Maintenance Phase per the DOL System Development Life Cycle Manual (SDLCM).

Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?



1.11 Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • OSHA has completed the PIA for OSHA Business Information System (OBIS), which is currently in operation. OSHA has determined that the safeguards and controls for this MODERATE system adequately protect the information.
  • OSHA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.