OVERVIEW

Enterprise Business Support System (EBSS) is an Employment and Training Administration (ETA) Major Information System. EBSS consists of multiple individual modules that generate management reports for ETA. A PIA is being conducted because EBSS stores personally identifiable information (PII).

The first components of EBSS were developed in mid-1998 and have been operational since then. EBSS is a Major Application (MA) that consists of multiple individual applications (known as modules) that collect grantee performance data and generate management reports on ETA programs. EBSS uses an Oracle Relational Database Management System (RDBMS) backend and provides both internal and external web-enabled user interfaces. It is accessible by ETA headquarters' intranet, regional locations nationwide, grantees, and registered users nationally.

For ETA, EBSS is a management tool that assists with the review and analysis of program data. EBSS enables ETA to review data submitted by grantees and generate management reports (e.g., delinquency, aggregate, projections, etc.). A business intelligence and data warehouse component is under development to generate these management reports and to display them as a series of charts, graphs and tables accessible to ETA users from the Active Desktop after logging in from the DOL General Support System (GSS). Information is first displayed at a national level, with a "drill down" capacity to show regional, state, and then grantee level data.

EBSS applications share a networked computer infrastructure and have a common Oracle back-end for data storage and retrieval. They share a common single logon application that verifies users and routes them to application areas based on pre-set role definitions. Table schemas are normalized so that common data elements that are entered or updated in one application will be accessible within other applications.

EBSS comprises the following modules:

  • Indian/Native American Program Performance Reporting (INAP)

    INAP is a web-enabled module that manages program performance data for the Indian and Native American program participants.

    Version 2.0, 5 November 2019
  • Job Corp Financial Accounting System (JFAS)

    JFAS is an internal budget and cost reporting/tracking module which manages the Annual Advance Procurement Plan (AAPP), contract history, and Financial Operating Plan changes for the Job Corps Budget Office.
  • Labor Exchange Agricultural Reporting System (LEARS)

    A web-enabled module that supports the collection, certification, and assessment of data on services to migrant and seasonal farm workers submitted by the State Employment Security Agencies (SESAs). The system consists of two components: internal and external. For external users, the system supports the electronic submission by the States of data on services to migrant and seasonal farm workers. For internal users, the system enables users to retrieve, review, and assess the data submitted by SESAs.
  • Prisoner Re-Entry Initiative (PRI)/Re-integration of Ex-Offenders (ReXO) Case Management and Reporting System /Female Ex-Offenders (FEXO) /Training 2 Work (T2W)

    These modules seek to strengthen urban communities characterized by large numbers of returning prisoners through an employment-centered program that incorporates mentoring, job training, and other comprehensive transitional services. This program, which involves several Federal agencies, is designed to reduce recidivism by helping inmates find work when they return to their communities, as part of an effort to build a life in the community for everyone.
  • Title XII Loan and Repayment Application System

    The Title XII module allows states to apply for Title XII loans and the NO to process the applications.
  • Tax Credit Reporting System (WOTC/WtW)

    WOTC/WtW automates the on-line submission of conditional certification information by state coordinators and helps regional/national coordinators assess the certification data submitted by the state coordinators so that they can better monitor and oversee the WOTC/WtW tax credit programs.
  • YouthBuild Case Management and Reporting System (YB)

    The YouthBuild (YB) program is an existing, successful alternative education program that assists youth who are significantly behind in basic skills in obtaining a high school diploma or GED credential. The target population for the YB program includes adjudicated youth, youth aging out of foster care, and out-of-school youth. The YouthBuild application is a web-based case management system for grantees to enroll participants, track performance, and report evaluation data.
  • Youth Offenders Case Management and Reporting System (YO)

    The Youth Offender system is a Management Information System (MIS) designed to capture data on youths who are receiving benefits through various youthful offender programs. The overall purpose of the Youth Offender system is to allow the DOL to collect and generate quarterly MIS reports from various sets of grantees. ETA will collect quarterly data from these grantees on participant characteristics, services provided, and participant outcomes.

Section 303(a)(6) of the Social Security Act and WIOA [https://www.dol.gov/agencies/eta/wioa/] provide the legal authority for EBSS to operate.

CHARACTERIZATION OF THE INFORMATION

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

EBSS collects personally identifiable information (PII) on members of the public who participate in the grant programs.

From whom is information to be collected?

Grantees collect PII from members of the general public, who are the participants in the program.

Why is the Information being collected?

Participant PII is collected to support grant performance measures.

What is the PII being collected, used, disseminated, or maintained?

  • Name
  • Date of birth
  • Social Security Number (SSN) – only for the PRI application
  • Mailing address
  • Phone number
  • Education records
  • Ethnic group
  • Wages
  • Veteran status
  • Sex

How is the PII collected?

Below is a brief description of how applicable modules collect PII:

  • PRI: Case Managers enter the data provided by the participants.
  • Youth Offender: Case managers enter the data provided by the participants.
  • Youth Build: Case managers enter the data provided by the participants.

How will the information collected from individuals or derived from the system be checked for accuracy?

As required by the Privacy Act of 1974, OMB 7-16, and NIST SP800-122, PII entering this system undergoes several integrity checks, as follows:

At the state level, where PII is initially collected, grantee level staff review participant identification and validate all PII before entering it into the system.

What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?

  • Workforce Investment Act (29 U.S.C. 2801 et seq.)
  • Section 303(a)(6) of the Social Security Act
  • FISMA
  • Privacy Act of 1974
  • OMB 7-1

Privacy Impact Analysis

The risk to privacy is inappropriate handling or disclosure of PII, especially SSNs. Access controls mitigate the risk that data will be compromised. In addition, the SSN column is encrypted at rest and while in transit to ensure the confidentiality of this data element.

DESCRIBE THE USES OF THE PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

Participant PII information is collected to support grant performance measures.

What types of tools are used to analyze data and what type of data may be produced?

Not applicable. Tools are not used to analyze the data.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

EBSS does not derive new data through aggregation of collected information.

If the system uses commercial or publicly available data, please explain why and how it is used.

EBSS does not use publicly available data.

Will the use of PII create or modify a "system of records notification" under the Privacy Act?

No.

Privacy Impact Analysis

The following security controls have been implemented to prevent data from being compromised:

  • Each grantee is assigned a unique user name and password. Grantee users for PRI, YO, YB, WOTC and LEARS are required to use Login.gov as their login authentication method.
  • Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file, which contains SSNs.
  • The page for the file upload has Secure Socket Layer (SSL) enabled.

RETENTION

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

Data is retained until the system is decommissioned per customer request.

Is a retention period established to minimize privacy risk?

No.

Has the retention schedule been approved by the National Archives and Records Administration (NARA)?

No. In accordance with the Workforce Investment Act (WIA), records are retained for an indefinite period of time. As of 12/2019, system information has been submitted to the DOL Records Management Department to schedule the system in accordance with NARA requirements.

Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?

Participant PII information is collected and stored securely.

How is it determined that PII is no longer required?

PII is retained indefinitely for the purpose of historical analysis required by the program offices.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?

Privacy Impact Analysis

Risks associated with the length of time data is retained include inadvertent disclosure of confidential information. These risks are mitigated by the implementation of the following controls:

  • Data are encrypted in the database.
  • Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file, which contains SSNs.
  • An audit trail is kept of attempts to decrypt the data.

INTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII is not shared with internal organizations.

How is the PII transmitted or disclosed?

Not applicable.

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

Not applicable. There is no internal sharing of PII.

Privacy Impact Analysis

Not applicable. There is no internal sharing of PII.

EXTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state, and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

PII is not shared with external organizations.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

PII is not shared with external organizations.

How is the information shared outside the Department and what security measures safeguard its transmission?

PII is not shared with external organizations.

How is the information transmitted or disclosed?

N/A

How is the shared information secured by the recipient?

N/A

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

N/A

Privacy Impact Analysis

PII is not shared with external organizations.

NOTICE

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register. If notice was not provided, please explain.

Not applicable, since notice is provided to individuals (participants) by the grantees. PII is collected through grantees, not directly by ETA from the individuals.

Do individuals have the opportunity and/or right to decline to provide information?

Yes. SSN disclosure must be voluntarily provided by the individual and grantees cannot deny the participant access to services if the SSN is not provided. In such instances, the grantee is instructed to use an alternate unique identifier.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

Yes. Individuals have the right to consent to particular uses in writing.

Privacy Impact Analysis

Individuals are informed that providing SSNs is voluntary.

INDIVIDUAL ACCESS, REDRESS, AND CORRECTION

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

Individuals do not have access to the system; only grantees can access the system.

What are the procedures for correcting inaccurate or erroneous information?

Not applicable

How are individuals notified of the procedures for correcting their own information?

Not applicable

If no formal redress is provided, what alternatives are available to the individual?

Not applicable

Privacy Impact Analysis

Individuals have the right to withdraw from the program.

TECHNICAL ACCESS AND SECURITY

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

DOL's program managers and analysts have general access to the system. Registered grantees have access specific to their own data.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

No; external contractors do not have access to the system.

Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.

Yes; the access request forms for this system are at https://www.internal.doleta.gov/oist/eta-systems/index.cfm. The read-only and read-write roles are further restricted to each menu item of this system using this access request form.

What procedures are in place to determine which users may access the system and are they documented?

Only grantees access the system using a unique user name and password. This process is documented.

How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide the date of the last training.

Internal DOL program office users are vetted by their supervisors and provided access on a need-to-know basis. Users are required to read and acknowledge the Rules of Behavior.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

ETA users take a Rules of Behavior training course.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Data are encrypted in the database and an audit trail of activities performed on the database is tracked.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes; the system is enrolled in Ongoing Authorization and conducts an assessment annually. The last assessment was conducted in FY22.

Privacy Impact Analysis

TECHNOLOGY

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The system was built from the ground up.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

Data integrity, privacy and security were analyzed and integrated as FISMA-compliant NIST controls into the system design and development. These were subsequently assessed by security professionals as a requirement to authorize its operation.

What design choices were made to enhance privacy?

Data at rest and in transit are protected in accordance with FISMA-compliant NIST controls.

For systems in development, what stage of development is the system in, and what project development life cycle was used?

EBSS is operational; the system development conforms to the computer security lifecycle defined in the DOL System Development Lifecycle Management Manual (SDLCMM). Based on the SDLCMM, the system is in the 'Operations and Maintenance' phase.

For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.

EBSS does not employ technology which may raise privacy concerns.

DETERMINATION

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • ETA has completed the PIA for EBSS which is currently in operation.
  • ETA has determined that the safeguards and controls for this moderate system adequately protect the information.
  • ETA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.