OIG Teammate
Overview
OIG TeamMate system was developed by the Office of Inspector General, Office of Audit, for the purpose of managing OIG audit functions by tracking audit job assignments and schedules and by collecting and storing auditor reports with associated work products. The information consists of individual audit reports and associated auditor notes. Audit managers enter job tasks and schedules into the system, where it is stored in a database.
Characterization of the Information
The system does not directly collect PII. However, supporting documents needed for individual audits could contain PII on all of the above as related to the audit objective.
What are the sources of the PII in the information system?
The audited person or persons.
What is the PII being collected, used, disseminated, or maintained?
The PII includes the individual's Social Security Number (SSN); date and place of birth; addresses (personal and business); telephone numbers (personal and business); and other reference information.
How is the PII collected?
The auditor scans hard copy documents into an image format. The hard copy documents are the auditor notes and related evidence collected from individuals during the audit as supporting evidence.
How will the information be checked for accuracy?
Audit reports and associated auditor notes are reviewed by a manager.
What specific legal authorities, arrangements, and/or agreements defined the collection of information?
Inspector General Act of 1978, (Pub. L. 95-452, § 1, Oct. 12, 1978, 92 Stat. 1101), as amended by Section 812 of the Homeland Security Act of 2002 (Pub. L. No. 107-296), provides all Inspector General criminal investigators with statutory law enforcement powers.
Privacy Impact Analysis
All data collected is protected by system security settings. The data is reviewed by Audit managers and only the information necessary to support the audit findings is maintained within the system.
- Risks are mitigated through the general support system (GSS) for eOIG. Individual TeamMate Electronic Work Paper audit project data is only accessible to specified team members. None of the Teammate sub-modules contain PII.
- Individual TeamMate EWP audit projects containing PII are titled accordingly as well as noted in the TeamMate System database.
- Any collected PII information is recorded in the PII Logging System, based on OMB-06-16.
- Minimum collection of PII is recommended.
- All TeamMate EWP audit projects are encrypted.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
Describe all the uses of the PII
Any PII collected is used to support the audit report, but is not contained within the audit report itself.
What types of tools are used to analyze data and what type of data may be produced?
The audit report is reviewed for its content and findings based on the stated purpose of the audit and is not analyzed by any specialized tools.
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No.
If the system uses commercial or publicly available data, please explain why and how it is used.
No.
Privacy Impact Analysis
Individual TeamMate EWP audit project data is only accessible to specified team members. When possible, the Audit team will redact PII from supporting audit documentation prior to scanning – depending on the nature of the document.
Retention
The following questions are intended to outline how long information will be retained after the initial collection.
How long is information retained in the system?
3 years after the audit is issued.
Privacy Impact Analysis
The risk to any audit file is considered in the annual risk assessment.
How is it determined that PII is no longer required?
Once the Audit Managers determine the documents are not needed following the three year life of the archived audit record and the audit file retention is not needed to document other OIG actions, then entire file is purged.
What efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?
Only those files necessary to support the audit findings are maintained.
Privacy Impact Analysis
Risks are mitigated by compliance with the records schedules and limited access to restricted electronic files. All OIG employees are given instructions on the sensitivity of the files and the restrictions on disclosure. Access within the DOL/OIG is strictly limited to employees on a need-to-know basis.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
PII is not shared outside the Office of Audit. Only under a Freedom of Information Act (FOIA) request would an audit project and its supporting documentation be available to the OIG Legal department. Such requests occur infrequently.
How is the PII transmitted or disclosed?
The FOIA officer is given a duplicate of the audit in a PDF file and releases documents in accordance with FOIA guidelines.
Privacy Impact Analysis
All OIG employees are given instructions on the sensitivity of the files and the restrictions on disclosure. Access within the DOL/OIG is strictly limited to employees on a need-to-know basis.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
An external peer review of audits occurs once every three years. These reviews are handled by other Federal agencies. Audit reports are selected at random and audits containing PII could be selected.
Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
Yes, the sharing of the PII is within the scope of the SORN due to OIG peer audits requirements.
How is the information shared outside the Department and what security measures safeguard its transmission?
There is no transmission. Data will be supplied on a "stand alone and read only" computer with secured sign-in and disabled network access.
Privacy Impact Analysis
A peer reviewer is given only Read Only access to selected audit files. The selected project files are reviewed by DOL for PII, and the peer review team is notified of PII content prior to receipt of audit data.
Notice
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
Was notice provided to the individual prior to collection of PII?
The person or persons being audited provides the required records.
Do individuals have the opportunity and/or right to decline to provide information?
No.
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No.
Privacy Impact Analysis
Individuals know this information is collected, since they provide the data. Only the minimum information is collected to support audit findings.
Access , Redress and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
What are the procedures that allow individuals to gain access to their information?
The users access the email properties to verify the information.
None.
What are the procedures for correcting inaccurate or erroneous information?
To correct any erroneous information, the user is to notify the Branch of Information Technology (BIT).
None.
How are individuals notified of the procedures for correcting their information?
The user is notified via email or phone.
None.
If no formal redress is provided, what alternatives are available to the individual?
None.
Privacy Impact Analysis
Not Appplicable.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
What procedures are in place to determine which users may access the system and are they documented?
Only those users identified as having a need to know are allowed access to the Teammate system and are then given access to particular file folders.
Will Department contractors have access to the system?
No, the Database Administrator has access. Teammate data is encrypted by the application, which prevents the Database Administrator from viewing information.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
All users given access are given instruction on Teammate and its use. In addition, all DOL users are required to complete annual privacy awareness training. This training discusses ways to protect PII and the requirements for doing so.
What auditing measures and technical safeguards are in place to prevent misuse of data?
Rule of engagement and non-disclosure agreements are used to provide assurances of the controls in place to protect this information.
Privacy Impact Analysis
There is some risk that a person's information could be read, but the scope of information collected on an individual is narrow, since the individual is not the subject of the audit and is included in the auditor's notes only to support any audit findings. The system has access and operational controls in place that protect against unauthorized access.
Technology
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
What stage of development is the system in, and what project development life cycle was used?
Operations and Maintenance Phase
Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
No.
Determination
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
The OIG has completed the PIA for the TeamMate system which is currently in operation. The OIG has determined that the safeguards and controls for this moderate system adequately protect the information.
The OIG has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.