Privacy Impact Assessment - ETA - Business Process Management Platform

BPMP (Business Process Management Platform)

OVERVIEW

Business Process Management Platform (BPMP) is the Employment and Training Administration (ETA) Appian Platform that serves as a key modernization component that provides the following capabilities:

• Hosted within a secure, Federal Risk and Authorization Management Program (FedRAMP) compliant cloud environment
• Configurable workflows and reporting
• Scalable to needed capacity
• Easy for all users (administrators, designers, users, etc.) to use
• Ability to integrate with existing ETA systems and data

BPMP hosts 7 applications that vary in purpose and information types. Many of the applications collect and use various PII data elements. These data elements are identified in the CSAM entries for each application. The Platform does not collect, store or process PII as it is hosting the applications. The only sections the Platform can answer are sections 1.9 Technical Access and Security and 1.10 Technology. Otherwise, this PIA is to identify those applications and point to their respective PIA.

1. Office of Apprenticeship (OA)
   1. Registered Apprenticeship Partners Information Data System (RAPIDS) 2.0
      1. Standards Builder Tool is a component of RAPIDS 2.0
   2. Quarterly Performance Reporting Tool
   3. National Industry Program Reporting System (NIPRS) – CSAM ID 2771
2. Grants Performance Management System (GPMS)
   1. Youthbuild
   2. Division of Indian and Native American Programs (DINAP)
3. Workforce Integrated Performance System (WIPS)
4. Petition Automated Workflow System (PAWS)

CHARACTERIZATION OF THE INFORMATION

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

Refer to system/application specific Privacy Impact Assessment (PIA)s for the Characterization of the Information.

DESCRIBE THE USES OF THE PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Refer to system/application specific Privacy Impact Assessment (PIA)s for the Description of the Use of the PII.

Describe all the uses of the PII

N/A

What types of tools are used to analyze data and what type of data may be produced?

N/A

Will the system derive new data, or create previously unavailable data, about an individua l through aggregation of the collected information?

N/A

If the system uses commercial or publicly available data, please explain why and how it is used.

N/A

Will the use of PII create or modify a "system of records notification" under the Privacy Act?

N/A

Privacy Impact Analysis

N/A

RETENTION

The following questions are intended to outline how long information will be retained after the initial collection.

Refer to system/application specific Privacy Impact Assessment (PIA) for PII Retention.  While the BPMP platform includes the underlying Databases for the tenant applications, the retention policies for those applications are defined by the tenants/applications.

What is the retention period for the data in the system?

N/A

Is a retention period established to minimize privacy risk?

N/A

Has the retention schedule been approved National Archives and Records Administration (NARA)?

N/A

Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminateor reduce PII that is collected, stored, or maintained by the system if it is no longer required?

N/A

How is it determined that PII is no longer required?

N/A

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII.

Privacy Impact Analysis

N/A

INTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the scope of sharing within the Department of Labor.

Refer to system/application specific Privacy Impact Assessment (PIA)s for Internal Sharing and Disclosure information.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

N/A

How is the PII transmitted or disclosed?

N/A

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

N/A

Privacy Impact Analysis

N/A

EXTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state, and local government, and the private sector.

Refer to system/application specific Privacy Impact Assessment (PIA)s for External Sharing and Disclosure information.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

N/A

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

N/A

How is the information shared outside the Department and what security measures safeguard its transmission?

N/A

How is the information transmitted or disclosed?

N/A

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If the answer is yes, be prepared to provide a copy of the agreement in the event of an audit as supporting evidence.

N/A

How is the shared information secured by the recipient?

N/A

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

N/A

Privacy Impact Analysis

N/A

NOTICE

The following questions are directed at notice to the individua l of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Refer to system/application specific Privacy Impact Assessment (PIA)s for Notice information.

Was notice provided to the individua l prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal

Register Notice. If notice was not provided, please explain.

N/A

Do individuals have the opportunity and/or right to decline to provide information?

N/A

Do individuals have the right to consent to particular uses of the information? If so, how does the individua l exercise the right?

N/A

Privacy Impact Analysis

N/A

INDIVIDUAL ACCESS, REDRESS, AND CORRECTION

The following questions are directed at an individua l's ability to ensure the accuracy of the information collected about them.

Refer to system/application specific Privacy Impact Assessment (PIA)s for Individual Access, Redress and Correction information.

What are the procedures that allow individua ls to gain access to their own information?

N/A

What are the procedures for correcting inaccurate or erroneous information?

N/A

How are individua ls notified of the procedures for correcting their own information?

N/A

If no formal redress is provided, what alternatives are available to the individua l?

N/A

Privacy Impact Analysis

N/A

TECHNICAL ACCESS AND SECURITY

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

Program managers, IT specialists, and analysts have general access to the system, and registered users from the public have limited access.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

Yes – Please see system/application specific Privacy Impact Assessment (PIA)s for role descriptions.

Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.

Yes, the System has a built-in Role-Base Access Control (RBAC) framework based around Appian Groups.  Appian Groups are used to control access to processes and interfaces within an Appian application.  At a high level, these roles include:

Basic User roles – the least privilege role needed for a user to interact with the appropriate processes and interfaces within a specific application

Privileged User roles – these roles are for assigning user access within an application by being able to add or remove users to Basic User roles

System Administrator roles – uses with this role have full privileges on the platform, including updating code, monitoring processes, and changing configuration

What procedures are in place to determine which users may access the system and are they documented?

To request an account on the BPMP, a user must submit a ticket to the respective application's Help Desk, stating the role the user is requesting.  An application administrator will review the request, and if all requested information and forms are provided, their account will be provisioned using the application's User Access control module

How are the actual assignments of roles and Rules of Behavior, verified according to established security and auditing procedures? How often training is provided? Provide date of last training.

Rules of Behavior forms are required to be signed before a user can have their account provisioned on BPMP.  Role assignment is verified by assigning a user to the appropriate Appian Groups, which

authorize the user's access to the appropriate application-level access.  Training is required for all users annually using DOL's Cybersecurity and Privacy Awareness Training.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

1. Cybersecurity and Privacy Awareness Training
2. Contractor Role Based Training

What auditing measures and technical safeguards are in place to prevent misuse of data?

Data is encrypted in the database and an audit trail of activities performed on the database is tracked.  Data is also encrypted in transit using TLS 1.2.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes – BPMP is in Ongoing-Authorization which conducts a Security Assessment every year.

Privacy Impact Analysis

MOU between ETA and Kansas, Iowa, and Nebraska to address key issues.

Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file, which contains the SSNs.

The page for the file upload has Secure Socket Layer (SSL) enabled but will not have third-party verification.

Secure File Transfer protocol (S-FTP) is used to transfer files from ET A to Kansas, Iowa, and Nebraska. Each has an S-FTP server and DOL has the S-FTP client.

Files are password protected.

TECHNOLOGY

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The BPMP applications are custom designed applications built on top of a purchased platform-as-a-service instance of Appian's low-code development software

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

The Department of Labor built the BPMP on top of a FedRAMP-compliant Appian Cloud.  This allowed for the development of applications which leverage the built-in Appian Security Framework without writing any custom code.  Application development was preformed followed DOL Center of Excellence guidelines utilizing an Agile development process which required consistent review of all aspects of the application development.

What design choices were made to enhance privacy?

Applications were developed using Appian best practices making use of the built-in permissions framework using Appian Groups.  Applications are reviewed for alignment with Center of Excellence guidance around least-privileged object configuration for supporting application operations

For systems in development, what stage of development is the system in, and what project development life cycle was used?

The applications on the BPMP are all in the Production environment, and are in the development, maintenance, and enhancement phase of the software development life cycle

For systems in development, does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

There are no new applications currently under development on BPMP.

DETERMINATION

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

• ETA has completed the PIA for BPMP which is currently in operation.
• ETA has determined that the safeguards and controls for this moderate system adequately protect the information.
• ETA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.