Privacy Impact Assessment Questionnaire

Veterans' Data Exchange Initiative (VDEI) - FY 2018

Overview

The Veterans' Data Exchange Initiative (VDEI) system provides up-to-date Exiting Service Member (ESM) information to the Department of Labor (DOL) agencies in order to serve veterans more efficiently. The system will securely receive, store, and display the ESM data from the Department of Defense (DOD's) Defense Manpower Data Center (DMDC).

The number of ESMs in the DOD will increase significantly in the next few years. This increase will place significant stress on the programs and agencies that provide assistance to the ESMs. Timely ESM profile information can provide insight into where ESMs are going to live and subsequently find employment, and thus enable DOL to provide more targeted services. However, the DOL does not possess ESM profile information. The lack of ESM information obstructs DOL's ability to serve veterans and hampers its ability to plan for future programs and resources.

To address this problem, the VDEI program led by the Veterans' Employment and Training Services (VETS) was established with other DOL agencies: Employment & Training Administration (ETA), Women's Bureau (WB), and Office of Disability Employment Policy
(ODEP), and Office of the Assistant Secretary for Policy (OASP). The goal of this program is to create a single system to acquire and store the ESM data from the DOD, and provide access to the ESM data to the consuming agencies.

Questions and Answers

Characterization of the Information

The following questions and corresponding answers are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

  • Specify whether the system, VDEI, collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
    VDEI collects PII on service members.
  • What are the sources of the PII in the information system?
    The PII on ESM is transferred from DOD/DMDC.
  • What is the PII being collected, used, disseminated, or maintained?
    The PII being collected, used, disseminated, or maintained are as follows:
    • First and/or last name;
    • Date of birth;
    • Social Security Number (SSN);
    • Military, immigration, or other government-issued identifier;
    • Residential address;
    • Personal phone numbers (e.g., phone, fax, cell);
    • Mailing address (e.g., P.O. Box);
    • Personal e-mail address;
    • Medical information including physician's notes;
    • Medical record number;
    • Rank;
    • Gender, Race;
    • Level of Education, Civilian Education;
    • Basic Active Service Date, Expiration Service Date;
    • Medical Discharge;
    • Disability Rating Percentage;
    • Marital Status;
    • Number of Dependents Under Eighteen;
    • Military Occupational Specialty;
    • Clearance;
    • Date Began DOL EW During TAP, Date End DOL EW During TAP, Location DOL EW During TAP;
    • Citizenship;
    • Guard/Reserve Status;
    • Type of Discharge;
    • ASVAB/AFQT Score; and
    • DOD Electronic Data Interchange Person Identifier (EDIPI).
  • How is the PII collected?
    The PII on ESM is collected by DOD and the information is shared with DOL through secure electronic transmission from DOD/DMDC.
  • How will the information be checked for accuracy?
    The information received is vetted and verified by DOD/DMDC for accuracy; DOL uses the data in the form that it is received from the DOD/DMDC.
  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?
    Data collection is based on 10 U.S.C. 1142, Pre-separation Counselling; E.O. 9397 and participation of ESM in Department of Labor TAP employment Workshop.
  • Privacy Impact Analysis: Given the amount and type of data collected, discuss the privacy risks identified and how they were mitigated.
    The privacy risk of the data being collected is security impact of Moderate (National Institute of Standards and Technology (NIST) 800-60 recommended impact level for Employment and Training Services is Low). This increase in the risk impact requires VDEI which will have PII data to provide additional security controls to assure data protection. The controls for a moderate impact information system have been provided by NIST 800-53 R3 publication.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

  • Describe all the uses of the PII?
    PII is used solely for the purpose of providing timely services to ESM in areas of employment and training.
  • What types of tools are used to analyze data and what type of data may be produced?
    Microsoft (MS) Excel is the primary tool used to analyze the data. Reports are normally produced that shows statistical information.
  • Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
    Previously unavailable data may be derived through aggregation of the collected information.
  • If the system uses commercial or publicly available data, please explain why and how it is used?
    Users are not precluded from using commercial or publicly available data to conduct research or verify information in order to provide required services, however, the data transmitted from DOD/DMDC will only be available to verified DOL employees.
  • Privacy Impact Analysis: Describe any types of controls that may be in place to ensure that the PII is handled in accordance with the above described uses.
    Based on Federal requirements and mandates, the DOL VETS is responsible for ensuring that VDEI meets the minimum security requirements defined in the Federal Information Processing Standards (FIPS) Publication (PUB) 200, Minimum SecurityRequirements for Federal Information andInformation Systems. The Agency has developed access control procedures to ensure the integrity, confidentiality, and availability of its information and information systems.

The access control policy and procedures are consistent with applicable laws, Executive
Orders, directives, policies, regulations, standards, and guidance.

Retention

The following questions and corresponding answers are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

  • How long is the information retained in the system?
    Per the VETS policy, electronic data is maintained as long as the system is operational.
  • Has the retention schedule been approved by the DOL agency records officer and the
    National Archives and Records Administration (NARA)?
  • Yes, the retention schedule has been approved by the DOL agency records officer and NARA.
  • What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
    The DOL will periodically review the PII data collected from DMDC to determine if it is still required and essential to achieving the objectives. Data usefulness will be evaluated on a semiannual basis.
  • How is it determined that PII is no longer required?
    The PII data will be required until VETS Executive Management and VDEI system owner determine required services have been delivered and goals of data sharing have been met. Data sharing goals will be evaluated as necessary.
  • Privacy Impact Analysis:Discuss the risks associated with the length of time data is retained and how those risks are mitigated.
    There is a possibility that the length of time data is retained in VDEI could lead to unauthorized access or the release of PII information. To prevent this risk, all VDEI users must fill out the System Access Request form used for the request and approval process for VDEI access. A supervisor's approval is needed for access. The user must agree to VDEI Rules of Behavior, maintain an active account, and have a strong password to access the system. Supervisors are also required to advise the VDEI System Owner when a user is no longer assigned responsibilities or no longer employed with the Agency or Federal Government.

The VDEI user has the responsibility to protect data to which they are given access. Users must adhere to the Rules of Behavior as defined in the VDEI System Security Plans, DOL and agency guidance. In addition, DOL conducts mandatory annual training with regards to Intonation Systems Security, Privacy Awareness and Personal Identifiable Information, ensuring that all Department of Labor staff members are educated regarding the proper methods for handling privacy information.

The VDEI system owner review and analyze the audit logs on a monthly basis for any trends or anomalies in the system, any indication of suspicious activity is escalated in accordance with VETS incident handling procedures.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the DOL.

  • With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
    PII is shared with the DOL's Office of Assistant Secretary for Policy I Chief Evaluation Office (OASP/CEO), Employment Training and Administration, Women's Bureau, and ODEP. The main purpose of sharing ESM data with mentioned internal organizations is that each provides unique services that can assist training and job placement of ESM.
  • How is the PII transmitted or disclosed?
    PII is transmitted through secure channel using Transport Layer Security (TLS) for data encryption. Memorandum of Understanding (MOU) and Interconnection Security Agreement (ISA) have been established between DOL/Employee Computer Network (ECN) and DOD/DMDC General Support System (GSS to GSS) to indicate shared responsibilities and security controls in place for protection of PII.
    All SSNs within the system will be suppressed; all other PII data will follow DOL guidance; and there is no plan for external sharing of any PII data. Sharing PII internally among DOL agencies require signing an internal MOU.
  • Privacy Impact Analysis: Considering the extent of internal information sharing, discuss the privacy risks associated with the sharing and how they were mitigated?
    Any additional PII data sharing expose additional privacy risks. These risks are mitigated by reducing type of media for transmission, using encryption during transmission, sign of internal MOUs, taking mandatory DOL annual training courses for Information Security and Privacy Awareness and adherence to DOL guidelines for protecting PII data.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

  • With which external organization(s) is the PII shared, what information is shared, and for what purpose?
    Within VDEI, there is no plan for external sharing of PII data.
  • Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a System of Records Notice (SORN)? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
    Within VDEI, there is no plan for external sharing of PII data.
  • How is the information shared outside the Department and what security measures safeguard its transmission?
    Within VDEI, there is no plan for external sharing of PII data.
  • Privacy Impact Analysis: Given the external sharing, explain the privacy risks identified and describe how they were mitigated.
    Within VDEI, there is no plan for external sharing of PII data.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII? The data is collected by DOD/DMDC.
    DOD is authoritative source of data as well as the responsible party for notifying individuals of the collection of PII data?
  • Do individuals have the opportunity and/or right to decline to provide information?
    VDEI is not the authoritative source of the data. Therefore right of refusal is not applicable for VDEI. DOD/DMDC is the authoritative source and provides users with this information.
  • Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
    As part of pre-separation counseling and completion of Form 2958, 2648, ESMs have provided the right to consent and agreed that their data can be shared with specific agencies providing them specific benefits.
  • Privacy Impact Analysis: Describe how notice is provided to individuals, and how the risks associated with individuals being unaware of the collection, are mitigated?
    DOD is the authoritative source of data and providing required notices to individuals prior to collection of PII data remains DOD responsibility.

Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

  • What are the procedures that allow individuals to gain access to their information?
    The authoritative source of record is DOD/DMDC which shares ESM records with DOL for providing employment and training services. The VDEI does not allow any modification to the ESM record within the system. Any request for access should be
    Submitted to DOD personnel office for access, processing and correction. In VDEI the individual data will be refreshed and updated by subsequent data transmissions from DOD/DMDC.
  • What are the procedures for correcting inaccurate or erroneous information?
    The authoritative source of record is DOD/DMDC which shares ESM records with DOL for providing employment and training services. The VDEI does not allow correction or deletion to the data within the system. Any change or request for deletion should be submitted to DOD personnel office for processing and correction. In VDEI the individual data will be refreshed and updated by subsequent data transmissions from DOD/DMDC.
  • How are individuals notified of the procedures for correcting their information?
    The authoritative source of record is DOD/DMDC which shares ESM records with DOL for providing employment and training services. The VDEI does not allow correction or deletion to the data within the system. Any change or request for deletion should be submitted to DOD personnel office for processing and correction. In VDEI the individual data will be refreshed and updated by subsequent data transmissions from DOD/DMDC.
  • If no formal redress is provided, what alternatives are available to the individual?
    The authoritative source of record is DOD/DMDC which shares ESM records with DOL for providing employment and training services. The VDEI does not allow correction or deletion to the data within the system. Any change or request for deletion should be submitted to DOD personnel office for processing and correction. In VDEI the individual data will be refreshed and updated by subsequent data transmissions from DOD/DMDC.
  • Privacy Impact Analysis: Address the privacy risks associated with the redress available to individuals and how those risks are mitigated?
    DOD should follow their current process for notifying individuals whenever individuals' data need to be corrected. VDEI cannot make changes to data. VDEI will use the latest data provided and transmitted by DOD and any changes to the information will be updated in subsequent transmission.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

  • What procedures are in place to determine which users may access the system and are they documented?
    VDEI utilizes an access request form to verify users' identity, what type of access is required, and who is authorizing access to the VDEI system. Users' supervisor must verify and approve account requests, including access rights and privileges. Account requests (user authorization forms), are then forwarded to System Owner for final approval. The VDEI System owner or delegated representatives are responsible for user account management.
  • Will Department contractors have access to the system?
    Department contractors may be granted access to the VDEI application upon completion of a Nondisclosure Agreement and documented need from the supervisor/Contracting Officer Representative as it relates to completing their day-to-day workload.
  • Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
    Users must complete the computer security awareness prior to receiving access to the system. While those with security functions must complete annual security role based training. When access is granted an unauthorized use banner on the VDEI login page warns the user of legal repercussions for illegal use activities. Users must also review and acknowledge the Rules of Behavior (ROB) before accessing the system.
  • What auditing measures and technical safeguards are in place to prevent misuse of data?
    All access (who, what, when and where) to VDEI data is monitored and recorded by the system owner or her representatives. When access is granted an unauthorized use banner on the VDEI login page warns the user of legal repercussions for illegal use activities and misuse of data. Users must also review and acknowledge the ROB before accessing the system.
  • Privacy Impact Analysis: Given the sensitivity and scope of the information collected, as well as any information sharing conducted on the system, what privacy risks were identified and how do the security controls mitigate them?

Access to VDEI is based on a "need-to-know/need-to-share" basis. Only limited users in DOL will have access to this data. To prevent or minimize risk, all users of VDEI must have a supervisor's approved application for access, agree to the system's Rules of Behavior, maintain an active account, and have a strong password. Supervisors are required to advise the VDEI System Owner when a user is no longer need access to the system or no longer employed with the Federal government. Data transmissions are encrypted in both directions using Secure Socket Layer/Transport Layer Security (SSL/TLS) data encryption. VDEI also receives protection from the ECN GSS which is composed of Firewalls, Intrusion Detection Systems, Intrusion Prevention Systems, Anti­ Virus systems and data encryption. Also, the Data Center implements multi-level pedestrian traffic safeguards to protected areas. Physical access controls restrict the entry and exit of personnel (and often equipment and media) via card key only from all areas, such as an office building, suite, or data center.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, Radio-Frequency Identification (RFID), biometrics, and other technology.

  • What stage of development is the system in, and what project development life cycle was used?
    The system is in the Development stage and it is using System Development Lifecycle
    Management (SDLCM).
  • Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
    The technology currently used does not raise any known privacy concerns. VDEI is based on the evaluation of the applicable laws and provides a framework by which individuals can ensure that they have complied with all relevant privacy policies, regulations, and guidance, both internal and external to DOL.

Determination

As a result of performing the Privacy Impact Assessment (PIA), what choices has the agency made regarding the information technology system and collection of information?

  • The Project Management Office (PMO) Security in collaboration with VETS' System Owner and Information System Security Officer has completed the PIA for the VDEI System currently in operation. VETS have determined that the safeguards and controls currently in place for this moderate system effectively protects the information.
  • VETS have determined that it is collecting the necessary information for the proper performance of a documented agency function.