BLS — LABSTAT
Overview
LABSTAT is the central repository of data for the Bureau of Labor Statistics and is considered the agency's database of record. The data collected and made available to the public via the agency website is gathered from various surveys. Some of the most popular being the Consumer Price Index, National Employment Hours and Earnings, and Labor Force Statistics. Users access the database and web pages from various points through the World Wide Web (WWW) and File Transfer Protocol (FTP). The system supports the DOL Strategic Goal 5, and Outcome 1--"Provide sound and impartial information on labor market activity, working conditions, and price changes in the economy for decision making, including support for the formulation of economic and social policy affecting virtually all Americans."
Department of Labor, BLS, Division of Enterprise Web Systems, within the Office of Technology and Survey Processing (OTSP/DEWS), provides primary Automated Information System (AIS) support for LABSTAT which is located at 2 Massachusetts Ave. NE, Rm. 5110, Washington D.C. 20212
A PIA is being necessitated for the reason that information subscribers provide their name and email address (and optionally phone number) for receiving automated news releases.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
System collects name, email address and optionally a phone number when members of the public choose to be contacted by BLS staff for receiving statistical data, analysis and administrative data if appropriate.
What are the sources of the PII in the information system?
Public provides BLS staff contact information should they wish to be contacted by BLS staff in the future. For example, to furnish an information request that cannot be completed immediately.
What is the PII being collected, used,disseminated, or maintained?
Name, email and optionally phone and business address.
How is the PII collected?
Public contacting BLS staff are offered the opportunity to provide return contact information (name, email, phone) if they wish to be contacted in the future to receive related statistical data or analyses similar to present reason they contacted BLS.
How will the information be checked for accuracy?
The information is not checked for accuracy.
What specific legal authorities, arrangements, and/or agreements defined the collection of information?
29 U.S.C. § 2, Collection, Collation, and Reports of Labor Statistics
Privacy Impact Analysis
The PII is stored in a database behind the BLS public firewall. Individuals may request to see their contact information by contacting BLS staff. No further action needs to be taken to ensure PII security.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
Describe all the uses of the PII
The information collected is used as necessary to respond to customer inquiries. If the customer requests to be placed on an email notification list, the email address will be used for that purpose.
What types of tools are used to analyze data and what type of data may be produced?
BLS uses standard reports that analyze information requests available in the Customer Information System. Reports contain aggregated information, not PII data.
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No.
If the system uses commercial or publicly available data, please explain why and how it is used.
Not applicable.
Privacy Impact Analysis
No further action needs to be taken to ensure PII security.
Retention
The following questions are intended to outline how long information will be retained after the initial collection.
How long is information retained in the system?
Email addresses remain on mailing lists until the customer requests to be removed, or when the email bounces back. Other PII is deleted from the database 90 days after the customer's last date of inquiry.
Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
Yes.
What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
Please see answer above.
How is it determined that PII is no longer required?
Please see answer above.
Privacy Impact Analysis
There are no risks associated with having name, email address and, optionally, phone number stored in the systems being retained as long as the associated email is a valid entry. Once the email becomes invalid, the system will purge the information according to system rules. There is a moderate risk of unauthorized disclosure due to failure to encrypt backup data / media. The system uses an external storage device that is backed up for disaster recovery purposes. The backups contain the PII stored on the system in an unencrypted format that makes the PII vulnerable to unauthorized access if the backup media is not properly safeguarded.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
PII is not shared outside the agency except for aggregated metrics (e.g., number of inquirers).
How is the PII transmitted or disclosed?
Not applicable -- PII is neither disclosed nor transmitted
Privacy Impact Analysis
Not applicable and hence no further action needs to be taken to ensure PII security.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
PII is not shared outside the agency except for aggregated metrics (e.g., number of inquirers).
How is the PII transmitted or disclosed?
Not applicable -- PII is neither disclosed nor transmitted
Privacy Impact Analysis
Not applicable and hence no further action needs to be taken to ensure PII security.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
Disclosure may also be necessary with the Department of Justice (DOJ) and the Office of Special Counsel (OSC) when complaints have proceeded to an advanced stage. Both agencies are responsible for the litigation of meritorious claims. Also, disclosure is necessary with the Employer Support of the Guard and Reserve (ESGR) for verifying claimants/claims processed within their system.
Is the sharing of PII outside the Department compatible with the original collection?
If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
System of Records Notice (Privacy Act Systems - DOL/VETS-1 and DOL/VETS-2)
How is the information shared outside the Department and what security measures safeguard its transmission?
DOJ and OSC receive only hardcopy case records. Both agencies have electronic access to VIPER for documenting case status and to review electronic records. ESGR access the information electronically through VIPERS.
Privacy Impact Analysis
Sharing of information outside of DOL can potentially expose PII to unauthorized individuals. To prevent risk, all non-DOL users of VIPERS must request VETS' Chief of Investigations approval for application access; annually agree to the Rules of Behavior, maintain an active account, and have a strong password. Non-DOL Federal employees are required to advise the Chief of Investigations when an authorized user is not assigned investigative responsibilities or no longer employed.
Notice
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
Was notice provided to the individual prior to collection of PII?
Yes, privacy notice is provided verbally to customers who inquire by telephone or in email for those who inquire by email.
Do individuals have the opportunity and/or right to decline to provide information?
Yes
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No. The posted privacy policy stipulates that BLS is authorized to request this information under 5 United States Code (USC) section 301. Furnishing the information on this form is voluntary; however, BLS may not be able to register you for the subscription service if you fail to do so. Any disclosure of the information on this form is in accordance with the routine uses found in the Privacy Act System of Records Notice (SORN) DOL/BLS-19.
Privacy Impact Analysis
LABSTAT (and BLS) provide both privacy notice and privacy and security statement directly to the individual. No further action needs to be taken to ensure PII security.
Access, Redress, and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
What are the procedures that allow individuals to gain access to their information?
Individuals would need to contact BLS to gain access to their information.
What are the procedures for correcting inaccurate or erroneous information?
There is no process to determine whether the name or email address is correct or inaccurate.
How are individuals notified of the procedures for correcting their information?
There is no mechanism of notification.
If no formal redress is provided, what alternatives are available to the individual?
Individuals seeking to change their information such as email address contact the office that manages the email lists to which they subscribe.
Privacy Impact Analysis
LABSTAT (and BLS) provide both privacy notice and privacy and security statement verbally and/or in email communications. No further action needs to be taken to ensure PII security.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
What procedures are in place to determine which users may access the system and are they documented?
Only persons with significant information services responsibilities have access to PII stored by the system.
Will Department contractors have access to the system?
Yes, contractors that have successfully passed background investigations.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
All BLS persons with the ability to access the PII, including contractors, are required to complete annual mandatory Security and Confidentiality training. These persons are also required to complete additional security training in their capacity as persons with significant security responsibilities.
What auditing measures and technical safeguards are in place to prevent misuse of data?
Systems logs are reviewed periodically to ensure only authorized persons access information.
Privacy Impact Analysis
PII is available to System Administrators. Review of system logs (that which audit the auditors) can be used to mitigate this risk.
Technology
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
What stage of development is the system in, and what project development life cycle was used?
System is in maintenance phase. Standard Software development methodology was employed in introducing the system for use.
Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
Yes
The system is connected to network attached storage that is backed up on a regular schedule for disaster recovery purposes. The backup data is stored on media in an unencrypted state. OMB 06-16 requires PII stored remotely or on removal media be encrypted. The PII data is at moderate risk of unauthorized disclosure if backup media is not properly safeguarded.
Determination
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
Bureau of Labor Statistics (BLS) has completed the PIA for LABSTAT which is currently in operation. BLS has determined that the safeguards and controls for this Moderate system adequately protect the information.
BLS has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.