OITSS (OSHA Information Technology Support System)

Overview

The OSHA Information Technology Support System (OITSS) is a consolidated Major Information System (MIS) that consists of minor applications for processing and supporting business functions in OSHA. OITSS is hosted in a virtualized environment in a secure data center located in Kansas City, MO.

OITSS is one of the OSHA umbrella systems that consolidates and migrates key business applications hosted within the United States Department of Agriculture (USDA) National Information Technology Center (NITC) Virtual Government FedRAMP-certified cloud infrastructure. OITSS is currently under development and will consist of key OSHA business support applications that support the agency's mission.

The initial deployment of OITSS includes OSHA's Legacy Data (OLD) application. OLD uses the OITSS server infrastructure and multitier system architecture design and is subject to all applicable OITSS security controls. The OLD application includes a web-based interface developed using the Oracle JDeveloper 12c Application Development Framework (ADF) and JavaServer Faces (JSF), deployed on Oracle WebLogic 12c server. It also uses Oracle Fusion Middleware (FMW) technologies and Oracle Enterprise Database 12c.

The details of the other minor applications under OITSS will be added to this document as appendices as they are deployed. Future OITSS minor applications include, but are not limited to, the following:

  • Whistleblower
  • Voluntary Protection Plan Automated Data System
  • OSHA Strategic Partnership
  • Activity and Hours
  • Maritime Crane
  • Web Services
  • Injury Tracking Application

OLD gives OSHA enforcement and consultation users access to OSHA legacy data. It will provide limited functions for designated enforcement users to continue updating existing open case information until closure, including debt collection, abatement status, etc. In addition, OLD includes a limited search interface for legacy data and report generation capabilities.

A Privacy Impact Assessment (PIA) is being conducted because non-sensitive PII is collected by the minor applications hosted on OITSS.

Characterization of the Information

From whom is the information to be collected?

  • Obtained from individuals or business entities.
  • Complainant provides information by filing a complaint.
  • Users submit non-sensitive PII in order to use specific services.

Why is the Information being collected?

  • To help OSHA enforcement and consultation officials contact individuals and companies for investigation and necessary follow-ups.

What is the PII being collected, used, disseminated, or maintained?

  • Collected PII may include name, home address, work address, phone number(s) and email address.

How is the PII collected?

  • System updates by CSHO from inspections and investigations.
  • Complainants provide the information either orally or in writing, and then the information is entered into the OITSS Application(s).
  • Web-based forms.

How will the information collected from individuals or derived from the system be checked for accuracy?

  • Edit checks are in place within the application to ensure the accuracy of data input. In addition, information may be verified by the investigator of the case.
  • Technical controls are in place: data is checked during submission on the form. The contact information is verified or rejected as the minor applications attempt to provide the requested services; some applications use automated means and some require human intervention.

What specific legal authorities, arrangements, and/or agreements allow the collection of this information?

  • Occupational Safety and Health Act of 1970, 29 U.S.C. 651, et seq.
  • Surface Transportation Assistance Act of 1982, 49 U.S.C. 31105
  • Asbestos Hazard Emergency Response Act of 1986, 15 U.S.C. 2651
  • International Safe Container Act, 46 U.S.C. 80507
  • Safe Drinking Water Act, 42 U.S.C. 300j-9(i)
  • Energy Reorganization Act of 1974, as amended, 42 U.S.C. 5851
  • Comprehensive Environmental Response, Compensation and Liability Act of 1980, 42 U.S.C. 9610(a)-(d)
  • Federal Water Pollution Control Act, 33 U.S.C. 1367
  • Toxic Substances Control Act, 15 U.S.C. 2622
  • Solid Waste Disposal Act, 42 U.S.C. 6971
  • Clean Air Act, 42 U.S.C. 7622
  • Wendell H. Ford Aviation Investment and Reform Act for the 21st Century, 49 U.S.C. 42121
  • Sarbanes-Oxley Act of 2002, 18 U.S.C. 1514A
  • Pipeline Safety Improvement Act of 2002, 49 U.S.C. 60129
  • Federal Rail Safety Act, as amended by §1521 of the 9/11 Act of 2007, 49 U.S.C. 20109
  • National Transit Security Systems Act, §1413 of the 9/11 Act of 2007, 6 U.S.C. 1142

Privacy Impact Analysis

  • Privacy risks are low because of access, physical and logical security controls that are implemented.

Describe the Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

  • Used for OSHA investigations, inspections, accidents and fatality reporting.
  • Requires contact with complainants and responders during the course of investigations.
  • Non-sensitive PII is used for contacting users for mailing of OSHA publications and responding to online complaints.
  • Any PII data is redacted prior to sharing on public-facing websites or in FOIA request responses.

What types of tools are used to analyze data and what type of data may be produced?

  • Basic automated data checking during submission. No data is reused, produced in another form, or displayed.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No


If the system uses commercial or publicly available data, please explain why and how it is used.

  • Postal ZIP Code data: a table is used to validate all ZIP codes that are entered.
  • Data is used only for the purpose of contacting the requesting web users.

Will the use of PII create or modify a "system of records notification" under the Privacy Act?

No


Privacy Impact Analysis

  • Adheres to all federally mandated, DOL, and OSHA controls. Access, authentication and authorization controls are built into the applications.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

  • Indefinitely. Information and emails are retained in accordance with OSHA and minor application owner policies.

Is a retention period established to minimize privacy risk?

No


Has the retention schedule been approved by National Archives and Records Administration (NARA)?

No


Per OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information: what efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

  • Review business retention requirements.

Have you implemented the DOL PII Data Extract Guide for the purpose of eliminating or reducing PII?

Yes


How is it determined that PII is no longer required?

  • Business Functionality determines when PII is no longer required.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?

  • The PII data is used by authorized OSHA area, regional and national office employees. Applications use SSL for encryption, LDAP for user authentication, and application authorization through database roles and privileges.

Privacy Impact Analysis

  • There is a low level of risk of misuse of private data, arising primarily from inadvertent sharing of the data over protocols that do not conform to the standards.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

  • The PII data is used by authorized OSHA area, regional and national office employees.
  • Information is shared within OSHA and other internal agencies as required.

How is the PII transmitted or disclosed?

  • Transmitted via network resources.
  • Applications use SSL for encryption, Oracle LDAP/Identity Management for user authentication and application authorization through database roles and privileges.
  • Automated emails are directed only to system owners or a gatekeeper.

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

Yes


Privacy Impact Analysis

  • If information is provided under FOIA, critical data is redacted in the data file, and the data is encrypted. A possible low-level risk is that emails, which are not encrypted, could be intercepted; however, these are sent only to specific system owners or gatekeepers, all internal to DOL. The exception to this process is the online complaint form, for which emails are sent externally to OSHA state gatekeepers. The PII contained in these emails is non-sensitive and publicly available.
  • Additionally, a database administrator (DBA) could access the information using SQL statements. However, DBAs are governed by DOL and OSHA policy regarding disclosure and separation of duties.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

  • PII information is occasionally shared with other government agencies, on a need-to-know basis, with adequate safeguards against public disclosure. The cases which include the PII data may be reported to Congress. Aggregated data such as numbers of complaints received annually under each of the laws, the number of complaints dismissed or found in favor of complainants, etc., are publicly disclosed in a variety of ways.
  • Complaints submitted in the jurisdiction of a state Occupational Safety and Health (OSH) plan are sent to the state's gatekeeper via email.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

  • Yes. This system is not covered by a SORN. Individuals are protected under the Privacy Act. The data is used only as part of an investigation, and individuals waive the right to consent to particular uses of the information once they submit a complaint. An individual has the right not to provide PII, and by submitting their information they automatically consent to its use according to the Privacy and Security Statement.

How is the information shared outside the Department and what security measures safeguard its transmission?

  • External information requests are processed by the Department, and transmission is performed securely in a mode that complies with the request. The OITSS system employs NIST 800-53 security controls for risk mitigation and for safeguarding against unauthorized access or use, destruction, modification, and unintended or inappropriate disclosure.

How is the PII transmitted or disclosed?

  • Transmitted via network resources.
  • Collection of the data is encrypted at the application server.
  • PII data is redacted before it is transmitted or disclosed to anyone other than the specified OSHA application users/case managers. Any necessary transmission of PII data within the internal organization is either encrypted before transmission or sent in password-protected files.
  • Automated emails are directed only to system owners or a gatekeeper.

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If yes, include who the agreement is with and the duration of the agreement.

  • This is not applicable to this system.

How is the shared information secured by the recipient?

  • Recipients are bound to adhere to established laws and regulations governing PII.

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

  • Recipients are bound to adhere to established laws and regulations governing PII, to include training.

Privacy Impact Analysis

  • PII information is occasionally shared with other government agencies, on a need-to-know basis. NIST 800-53 Security Controls are implemented for risk mitigation, security safeguards against risks, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

Yes


Do individuals have the opportunity and/or right to decline to provide information?

Yes


Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

  • The individual is protected under the Privacy Act. The data is used only as part of an investigation and individuals waive the right to consent to particular uses of the information, once they submit a complaint. An individual has the right not to provide PII and by submitting their information they automatically consent to its use according to the DOL web Privacy and Security Statement.

Privacy Impact Analysis

  • Individuals are notified of the fact that OSHA electronically manages the data they have voluntarily submitted; however, as this data is for internal and exclusively government use, and very limited disclosures (to respondents, other agencies, and Congress) are mandated by law, there is minimal risk. This risk is mitigated by controlling access to the system.
  • The "Privacy and Security Statement" link is on the bottom of all webpages. It's possible that users won't click on the link and view the policy. However, the individuals are fully aware of the information collection since they are specifically entering their information in the minor applications.

Individual Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

  • Any request for a record of the Department of Labor must conform to the DOL's Freedom of Information Act (29 CFR Part 70) or Privacy Act (29 CFR Part 71) regulations. Such a request must be in writing and sent by mail, delivery service, facsimile, or email to foiarequest@dol.gov.
  • OSHA application support is available by contacting the OSHA Application Support team at OSHAapplications@dol.gov.

What are the procedures for correcting inaccurate or erroneous information?

  • In the case of inspections and investigations, the user notifies the Regional Office that performed the inspection or investigation.
  • For some minor applications, if an individual enters incorrect information they will not receive the services of the minor application collecting it. They will have to re-enter their information to obtain access to those services.

How are individuals notified of the procedures for correcting their information?

  • Individuals are notified verbally and are provided a written statement for their review. If their contact information is entered incorrectly, there is no way to contact them.

If no formal redress is provided, what alternatives are available to the individual?

  • The user may contact an OSHA office.
  • The user will have to re-enter their information to obtain access to services.

Privacy Impact Analysis

  • There are no risks associated with the redress information.
  • Correction is accomplished by the individual submitting correct information to access the specific service.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (for example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

  • Only pre-approved OSHA users have access to the system based on their approved profile and associated rights.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

  • No. Only pre-approved OSHA users have access to the system based on their approved profile and associated rights.

Does the system use "role" to assign privileges to users of the system? If yes, describe the roles.

  • System is hosted at NITC. NITC utilizes an Identity Manager System where only approved Agency Role Membership Managers (ARMM) can create users and assign privileges for the system.
  • In addition, each application has built-in role-based access to the application data.

What procedures are in place to determine which users may access the system and are they documented?

  • Users are granted access only after they complete and sign an account request form and it is received from an authorizing security manager indicating the user's role and assigned reporting office(s), as documented in the OITSS Access Control Policies and Procedures.

How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide the date of the last training.

  • Users are granted access only after they complete and sign an account request form and it is received from an authorizing security manager indicating the user's role and assigned reporting office(s), as documented in the OITSS Access Control Policies and Procedures. Users are required to review and sign the Rules of Behavior (ROBs). Training is conducted in accordance with the Department CSH Volume 2.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

  • DOL-wide Information Systems Security and Privacy Awareness Training is mandatory for all personnel connecting to the network or having access to OSHA data. Additionally, personnel with security responsibilities are required to complete role-based training.

What auditing measures and technical safeguards are in place to prevent misuse of data?

  • All user accounts are reviewed and recertified twice a year to ensure only active users have appropriate privileges to the system.
  • Application and system users are required to have prescribed training on handling of PII data prior to gaining access to the DOL/OSHA systems and refresher training every year.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

  • Yes. OITSS is undergoing the initial Security Assessment and Authorization due to be completed by September 15, 2016.

Privacy Impact Analysis

  • OSHA Controlled Unclassified Information (CUI) is protected utilizing best security practices and redaction is employed for hard copies. NIST 800-53 Security Controls are implemented for risk mitigation, security safeguards against risks, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

  • The system was built from the ground up.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

  • There is a specific vetting process, which includes the use of OMB-approved forms, for collecting data.
  • The database and application design process includes ensuring data integrity, privacy and security. This includes role-based user accounts so that only appropriate users have access to specific data.

What design choices were made to enhance privacy?

  • Role-based user accounts so that only appropriate users have access to specific data.

For systems in development, what stage of development is the system in, and what project development life cycle was used?

  • One of the minor applications under the OITSS MA umbrella is currently being assessed for ATO. The others are in iterative development.
  • An iterative agile development life cycle is used.

For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.

No


Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.

No


Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • OSHA has completed the PIA for the OSHA IT Support System (OITSS), which is currently in development. OSHA has determined that the safeguards and controls for this moderate system will adequately protect the information; they will be referenced in the OSHA IT Support System (OITSS) System Security Plan, to be completed by September 15, 2016.
  • OSHA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.