OPA — Department of Labor Web Production Environment System

Abstract

  • The Department of Labor (DOL) Web Production Environment System (WPES) is used to publish information to DOL Internet (DOL.gov), Intranet (LaborNet), and associated web applications / sites.
  • DOL.gov provides resource assistance to the public with questions about DOL resources, services, and programs. LaborNet supports the DOL goal of improving its management of resources, and promoting the availability of information to its employees and contractors.
  • This PIA is being conducted on the DOL-WPES as part of the FY14 annual review and update as required by the DOL Computer Security Handbook.

Overview

  • System Name: Department of Labor Web Production Environment System (DOL-WPES)
  • Owner Agency: Office of Public Affairs Division of Enterprise Communications (OPA DEC)
  • The DOL-WPES consists of DOL.gov, LaborNet, and associated web applications / sites. DOL.gov is the agency's primary website and means of communication with the public via the Internet. LaborNet is an Intranet website used by the agency to communicate with internal DOL users.
  • OPA DEC manages the WPES at the application layer and above. OCIO Operations is responsible for maintaining the system's hardware and network infrastructure.
  • The PIA ensures the confidentiality, integrity, and availability of the information contained within the system. This assessment aims to determine what types of data are collected, stored, or shared and, by its nature, whether that data will cause an invocation of the Privacy Act of 1974.

Introduction

The DOL-WPES is the Major Application that consists of DOL.gov, LaborNet, and associated web applications supported by the Employee Computer Network / Departmental Computer Network (ECN/DCN) at the Frances Perkins Building in Washington, DC.

The DOL-WPES supports the OPA business objective of improving the efficiency of information to the public and the DOL strategic plan to transform into a digital Department and improve service delivery to citizens.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

The system contains PII from Federal employees, Contractor staff, and members of the public.

What are the sources of the PII in the information system?

The sources of the PII are Federal employees, Contractor staff, and members of the public.

What is the PII being collected, used, disseminated, or maintained?

  • First and/or Last Name
  • Business and/or Personal Phone Number
  • Business, Mailing, and/or Residential Address
  • Business and/or Personal E-mail Address
  • Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
  • Network Logon Credentials
  • DUNS Number

How is the PII collected?

PII is collected through various application web forms on DOL.gov and LaborNet.

How will the information be checked for accuracy?

All PII is submitted via web-based forms within applications. Validation techniques are implemented within the forms to verify data accuracy before it is captured (i.e. input/form field validation).

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

Collection of PII varies depending on the applications and associated owners/agencies. Each application collects PII based on owner agencies' legal authorities. OPA DEC is only the custodian of the applications. Information requested is the minimum information necessary to support the DOL mission. For more information, please refer to the Privacy and Security Statement.

Privacy Impact Analysis

Types of PII are limited to general business related information and are managed via administrative interfaces that can only be accessed via the DOL internal network.

Unauthorized Data Access (Confidentiality):
DOL-WPES data is secured and access is limited to authorized administrators.

Data Integrity:
Restrictive account permissions control access to the data. Validation techniques are implemented within the forms to verify data accuracy before it is captured (i.e. input/form field validation).

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

PII is collected primarily for various DOL agencies to fulfill agency missions. Uses of PII include website feedback, form submissions, carpool coordination, and the planning and organizing of conference registrations, meetings, and mailing lists.

What types of tools are used to analyze data and what type of data may be produced?

Excel spreadsheets are used to analyze the data for reporting purposes.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

Various application web forms derive new data from DOL employees and members of the public, but will not create previously unavailable data through aggregation of the collected information.

If the system uses commercial or publicly available data, please explain why and how it is used.

The system does not use commercial or publicly available data.

Privacy Impact Analysis

Various application web forms are transmitted through secured channels protecting confidentiality and integrity. In addition, the administrative interfaces can only be accessed via the DOL internal network.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

PII collection varies and depends on application owner agencies. Each application retains PII per each owner agency records management policy. OPA DEC is only the custodian of the applications.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

PII collection varies and depends on application owner agencies. Each application retains PII per each owner agency records management policy. OPA DEC is only the custodian of the applications.

How is it determined that PII is no longer required?

PII collection varies and depends on application owner agencies. Each application retains PII per each owner agency records management policy. OPA DEC is only the custodian of the applications.

What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

PII collection varies and depends on application owner agencies. Each application retains PII per each owner agency records management policy. OPA DEC is only the custodian of the applications.

Privacy Impact Analysis

PII collection varies and depends on application owner agencies. Each application retains PII per each owner agency records management policy. OPA DEC is only the custodian of the applications. The data is of low sensitivity and only collected to support agency missions. Risk is mitigated by minimizing, controlling, and limiting access to the data over the DOL internal network.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII is shared with the DOL application owner agencies for the purpose of resolving inquiries or improving agency websites and web applications. Information may also be shared as needed to fulfill DOL agency missions.

How is the PII transmitted or disclosed?

PII is accessible only by authorized administrators on the DOL internal network. In some cases, PII is transmitted and disclosed electronically via email or telephone to authorized DOL agency personnel (if necessary).

Privacy Impact Analysis

PII is only shared within DOL agencies for the purpose of resolving inquiries, or improving agency websites and web applications. PII that is shared is limited to the minimum information needed. Privacy risks associated with sharing of this information are mitigated by providing application owner agency administrative users the access to the PII after successful identification and authentication.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

None.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Not Applicable.

How is the information shared outside the Department and what security measures safeguard its transmission?

Not Applicable.

Privacy Impact Analysis

Not Applicable.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

Yes. For more information, please refer to the Privacy and Security Statement.

Do individuals have the opportunity and/or right to decline to provide information?

Yes.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

Yes. Individuals have the right to consent to particular use of the information as stated in the Privacy and Security Statement on DOL.gov and various application web forms that collect the PII. These privacy statements clearly explain the purpose for which the collected PII will be used and describe the procedures to follow in order to opt out of information retention.

Privacy Impact Analysis

The Privacy and Security Statement is displayed on DOL.gov describing the collection and use of PII. Privacy risks associated with individuals being unaware of the PII collection are mitigated.

Access, Redress and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

Most applications do not allow individuals to gain access to their information. In the event that an application requires a username and password, users can request that this information be sent to them via email (forgot username/password functionality).

What are the procedures for correcting inaccurate or erroneous information?

Instructions are provided within the applications for the data owners. Validation techniques implemented within the web forms (i.e. input/form field validation) verify the data's accuracy before it is captured.

How are individuals notified of the procedures for correcting their information?

Not Applicable.

If no formal redress is provided, what alternatives are available to the individual?

An alternative for redress is to use the application owner agency's contact information to contact them directly.

Privacy Impact Analysis

No risks have been identified.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

DOL.gov is publicly accessible via the Internet. LaborNet resides within the DOL internal network and is only accessible to authorized DOL personnel.

Will Department contractors have access to the system?

Yes.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

All DOL employees and contractors receive initial and annual training: Department of Labor Information Systems Security and Privacy Awareness (ISSPA) Training.

What auditing measures and technical safeguards are in place to prevent misuse of data?

OCIO Operations is responsible for the hardware and infrastructure that supports the DOL.gov and LaborNet systems. OPA is responsible for the application layer and above. Technical safeguards are implemented with a defense-in-depth strategy to prevent misuse of data. Access is limited based on least privilege and separation of duties. DOL.gov is publicly accessible, but LaborNet can only be accessed within the DOL internal network by authorized personnel. Administrative access is further limited and only granted to authorized personnel based on job functions.

Privacy Impact Analysis

OPA and OCIO Operations mitigate potential risks by adhering to established DOL policies, procedures, and guidelines. Technical safeguards are in place to protect confidentiality and integrity of collected PII. Access controls are implemented to restrict access to only authorized DOL personnel.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

DOL-WPES is in the Operations and Maintenance stage of the DOL System Development and Lifecycle Management (SDLCM).

Does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.

Not Applicable.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

OPA has completed the PIA for the DOL-WPES, which is currently in operation. OPA has determined that the safeguards and controls for this moderate system adequately protect the information that the system collects, processes, stores, or transmits.