DOL — Master Data Repository

Purpose

This Privacy Impact Assessment (PIA) is being conducted because the Department of Labor Master Data Repository (DOL MDR) has been identified as an information system that will use, collect, and store personally identifiable information (PII).

The DOL MDR was created to support the Fair Pay and Safe Workplaces Executive Order (although this does not preclude the MDR being used for other purposes in the future). The Executive Order (EO) requires prospective federal contractors to disclose labor law violations and gives federal agencies more guidance on how to consider labor violations when awarding federal contracts. Labor Compliance Advisors (LCAs) representing all federal agencies will query the DOL MDR through a Labor Compliance Advisory (LCA) Hub.

System Description

System Name:

Department of Labor Master Data Repository (DOL MDR)

System Identifier:

DOL-OASAM-OCIO-M-007

 

The DOL MDR is designed, developed, implemented, and maintained by the Office of the Chief Information Officer (OCIO). The DOL MDR stores consolidated employer labor law violations extracted from the Office of Federal Contract Compliance Programs (OFCCP), the Occupational Safety and Health Administration (OSHA), the Office of the Solicitor (SOL), and the Wage and Hour Division (WHD). Specifically, the DOL MDR provides a data warehouse for storage of data, a data mart for business specific view of the data, a web application programming interface (API) for access to the data, a data exchange platform for access to raw data sources, and an extract, transform and load (ETL) module for data loading and data transformation.

Listed below are high-level descriptions for each module:

  • Data Warehouse: Stores labor violation case data. Supports storage of raw agency data (Master Repository Staging Area) and transformed and normalized data.
  • Employer Data Mart: Provides a business specific view of the enforcement agency data.
  • Employer Violation Case API: Allows the LCA Hub system to query the MDR database. Supports access to the labor violation case data using a RESTful web service.
  • Data Exchange Platform: Provides a mechanism to exchange data between DOL agencies and systems. For the EO implementation, it provides web services to access the raw data from SOL and the enforcement agencies OFCCP, OSHA, and WHD.
  • Enforcement Data ETL: Allows the extraction, transformation, validation and loading (ETL) of the labor violation case data from the enforcement agencies into the target tables in the Data Warehouse database.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected, as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

The DOL MDR indirectly collects PII on members of the public (U.S. citizens). It does not collect PII (either directly or indirectly) from DOL employees, other federal employees, contractors, foreign citizens, or minor children.

From whom is the information to be collected?

The DOL MDR will collect PII from the following DOL enforcement agencies' systems: OFCCP Information System (OFIS), OSHA Information System (OIS), and WHD Investigative Support and Records Database (WHISARD).

Why is the information being collected?

In support of the Fair Pay and Safe Workplaces Executive Order, the Labor Compliance Advisory (LCA) Hub is the third-party website/application that will allow Labor Compliance Advisors (LCAs) to query the DOL MDR and search for labor law violation cases. The PII collected in the enforcement case information (e.g. EIN/TIN) is required for identifying the employers with respect to their bid on a contract.

What is the PII being collected, used, disseminated, or maintained?

The PII includes business address, Employer Identification Number (EIN) and/or Taxpayer Identification Number (TIN). (Note: some self-employed government contractors may use their personal SSN as a substitute for the EIN/TIN. The enforcement agencies did not ask for an SSN, only the EIN/TIN.)

How is the PII collected?

The DOL MDR utilizes an ETL process to retrieve PII from the DOL enforcement agencies' systems. The DOL MDR Data Exchange Platform hosts web services that connect directly to a staging database within each enforcement agency's production environment, makes the data available through a RESTful web service, and returns the data in JSON format.

How will the information collected from individuals or derived from the system be checked for accuracy?

Since the DOL MDR retrieves the PII from the enforcement agencies' systems and does not directly collect PII, the DOL MDR only provides mechanisms that check for valid formats.

What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?

An Interface Control Document (ICD) defines the technical specifications and describes the interface between the DOL MDR and each enforcement agency's systems. In addition, a Memorandum of Understanding (MOU)/Interconnection Security Agreement (ISA) will be put in place between DOL OCIO and each of the three enforcement agencies.

Privacy Impact Analysis

The use of business address and EIN/TIN should be considered a privacy risk and can negatively impact the employer or individual if the PII information is carelessly disseminated. To mitigate the risk, only authorized users will have access to the PII and they will follow an appropriate use policy for the handling of the PII.

Describe The Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII.

The PII collected in the enforcement case information (e.g. EIN/TIN) is required for identifying the employers with respect to their bid on a contract. In addition, when LCAs use the LCA Hub to query the DOL MDR, the PII will be present in the query results.

What types of tools are used to analyze data and what type of data may be produced?

Currently, the DOL MDR does not perform data analysis or derive new data from the collected data. A completely separate system (Business Objects) under a separate ATO does have an external interface with the MDR and it is used for data analysis. The Business Objects tool will be used by the enforcement agencies (OFCCP, OSHA, and WHD) to improve their enforcement mission by sharing data and identifying repeat labor law violators.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

The DOL MDR will not derive new data, or create previously unavailable data, about an employer/individual through aggregation of the collected information.

If the system uses commercial or publicly available data, please explain why and how it is used.

The DOL MDR does contain information that is publicly available. The DOL houses a Searchable Enforcement Database, which is a data warehouse that provides the public with access to enforcement data in one location and is searchable along a series of common dimensions such as State, Zip, and Industry Code.

Will the use of PII create or modify a "system of records notification" under the Privacy Act?

The DOL MDR will not create or modify a "system of records notification". Although the DOL MDR does collect PII, it is not the source of the PII and the retrieval of the PII is not done through the use of a personal identifier (e.g., first name, last name, SSN). (Note: However, some self-employed government contractors may use their personal SSN as a substitute for the EIN/TIN. The enforcement agencies did not ask for an SSN, only the EIN/TIN.)

Is the agency's use of PII regarding third-party website or application consistent with all applicable laws, regulations and policies?

DOL's use of PII regarding third-party websites or applications is consistent with all applicable laws, regulations, and policies.

Privacy Impact Analysis

Only authorized users will have access to the PII and they will follow an appropriate use policy which describes the proper handling of the PII.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

The DOL MDR will retain the PII indefinitely.

Is a retention period established to minimize privacy risk?

Currently, there is no retention period that has been established to minimize privacy risks.

Has the retention schedule been approved by the National Archives and Records Administration (NARA)?

The retention schedule has not been approved by either the DOL agency records officer or NARA.

Per M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, what efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

The PII is required to identify the employers with respect to their bid on a contract. As such, no efforts are currently being made to eliminate or reduce PII from the DOL MDR. An effort to eliminate or reduce PII will be considered if another mechanism is developed to guarantee employer verification and identification.

Have you implemented the DOL PII Data Extract Guide for the purpose of eliminating or reducing PII?

No. The PII is required to identify the employers with respect to their bid on a contract. As such, no efforts are currently being made to eliminate or reduce PII from the DOL MDR.

How is it determined that PII is no longer required?

Currently, the DOL MDR does not have any procedures that can be followed to determine if PII is no longer required.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?

No efforts are being taken to mask, de-identify, or anonymize PII. Controlling and restricting access to PII in the DOL MDR to authorized users negates the need to mask, de-identify, or anonymize PII.

Privacy Impact Analysis

Since the PII will currently be stored in the DOL MDR indefinitely, it is possible for the retention period to become a privacy risk. Controlling and restricting access to the stored data in the DOL MDR mitigates this risk. LCAs using the LCA Hub to query the DOL MDR must be authorized users, and they will only be able to query data from the last 3 years. In addition, only authorized DOL System Administrators and Database Administrators will have access to the data beyond the last three years.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

The PII that will be stored in the DOL MDR will be sourced from the following enforcement agencies: OFCCP, OSHA, and WHD and will be shared among them. The purpose for sharing will be to identify repeat labor law violators and improve their enforcement mission.

How is the PII transmitted or disclosed?

The PII is stored in the DOL MDR and is accessed via (a) the LCA Hub through a secure RESTful web service and (b) the Business Objects tool via a database connection.

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

From a project level, the answer is no. The System Owner is not aware if the agency reviews the sharing of personal information.

Privacy Impact Analysis

Only authorized users will have access to the PII and they will follow an appropriate use policy which describes the proper handling of the PII.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL, which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

The DOL MDR shares all employer violation case data (including PII) with all the federal agencies (via the LCAs) that are in scope for the EO.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

The authority to share the PII with other LCAs outside the Department of Labor is derived from the Fair Pay and Safe Workplaces Executive Order.

How is the information shared outside the Department and what security measures safeguard its transmission?

The LCA Hub is the third-party website/application that will allow LCAs to query the DOL MDR and search for labor law violation cases. LCAs will query the DOL Master Data Repository through a RESTful API. The API will use public key infrastructure (PKI) certificate-based security to support client authentication and authorization, and protect requests and responses using encryption.

How is the information transmitted or disclosed?

The PII is stored in the DOL MDR and is accessed via the LCA Hub through a secure RESTful web service.

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If yes, include who the agreement is with and the duration of the agreement.

No. An MOU/ISA has been drafted, but never finalized. A POA&M exists to finalize the MOU/ISA.

How is the shared information secured by the recipient?

The security of the information being passed between the DOL MDR and LCA Hub connections is protected through the use of FIPS 140-2 approved encryption mechanisms. The connections at each end are located within controlled access facilities, guarded 24 hours a day. Individual users will not have access to the data except through the systems security software inherent to the operating system. All access is controlled by authentication methods to validate the approved users. LCA certifies that its respective system is designed, managed, and operated in compliance with all relevant Federal laws, regulations, and policies.

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

Federal agencies that are in the scope of the EO are responsible for developing the required training for their users.

Privacy Impact Analysis

The PII is adequately protected in transmission through the use of PKI infrastructure.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, please explain.

The DOL MDR does not collect PII directly from employers/individuals. The DOL enforcement agencies OFCCP, OSHA, and WHD are responsible for the direct collection of PII.

Do individuals have the opportunity and/or right to decline to provide information?

Not applicable.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

Not applicable.

Privacy Impact Analysis

No major privacy risks have been identified since the DOL MDR does not collect PII directly from employers/individuals. The DOL enforcement agencies OFCCP, OSHA, and WHD are responsible for the direct collection of PII.

Individual Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

The DOL MDR does not have procedures that allow individuals to gain access to the information. The PII that will be stored in the DOL MDR will be sourced from the following enforcement agencies: OFCCP, OSHA, and WHD.

What are the procedures for correcting inaccurate or erroneous information?

If the enforcement agencies (OFCCP, OSHA, and WHD) correct PII within their source systems, those changes will be reflected in the DOL MDR through the ETL process.

How are individuals notified of the procedures for correcting their own information?

Not applicable.

If no formal redress is provided, what alternatives are available to the individual?

Not applicable.

Privacy Impact Analysis

No major privacy risks have been identified. The DOL MDR does not permit individuals to directly access, redress, or correct individual information.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (for example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

Only DOL System Administrators and Database Administrators have direct access to the DOL MDR. There will be no direct user access to the DOL MDR. Rather, any authorized LCA Hub user will be permitted to query the DOL Master Data Repository via an LCA Hub user interface. Any authorized DOL enforcement agency user will be permitted to query the MDR via Business Objects.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

Yes.

Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.

No.

What procedures are in place to determine which users may access the system and are they documented?

DOL System Administrators and Database Administrators must read and sign the DOL MDR Rules of Behavior. In addition, LCAs (i.e., the users) must also read and sign a Rules of Behavior for using the LCA Hub.

How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide date of last training.

DOL System Administrators and Database Administrators use their PIV card to access the MDR EDEP web service and a list of users that can access the system is stored in a configuration file on the server. There is no training for the System and Database Administrators. Assignment of roles and Rules of Behavior for LCA Hub users are verified and managed through the user's federal agency.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

DOL agencies provide training that covers information system security awareness, and the handling and protection of PII.

What auditing measures and technical safeguards are in place to prevent misuse of data?

The DOL MDR will rely on ECN/DCN (GSS) and DOL Operations policies for technical safeguards and auditing measures.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes. The last Security Assessment and Authorization was completed on 04/11/2016.

Privacy Impact Analysis

Only DOL System Administrators and Database Administrators have direct access to the DOL MDR. Although there are training programs and a Rules of Behavior that provide usage guidance for the Administrators, those materials do not guarantee that misuse/abuse of the DOL MDR system will not occur. Maintaining an access audit log to the OS and the DOL MDR database will mitigate this risk. The DOL MDR will rely on ECN/DCN (GSS) to produce and maintain the described audit logs.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

This system was built from the ground up using a platform-independent Java EE platform, standard communication protocols such as TCP/IP and HTTP, and open data representation standards such as XML and JSON.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

DOL MDR is solely the repository for PII data sourced by the enforcement agencies from their respective systems. Each enforcement agency's system has been evaluated for confidentiality, integrity, and availability requirements and each system has been categorized in accordance with FIPS 199 at a Moderate level. The LCA Hub (external agency) is hosted on the FedRAMP agency authorized MAX software as a service platform. The data exchanged between DOL and OMB's MAX system is unclassified and the FIPS 199 categorization level is Moderate. Based on the enforcement agencies' and LCA Hub's categorization levels, DOL MDR was built with a Moderate FIPS 199 categorization level in mind, ensuring that the appropriate security controls to support the Moderate categorization level were put in place.

What design choices were made to enhance privacy?

The DOL MDR has been deployed with a design that allocates different servers into different network zones based on the security risks and access control needs. Access to each server in the MDR system is restricted in the firewall to specific servers and the OCIO Operations management network. Specific protocols and communication paths are described in the deployment diagrams and firewall rules shall be set up to only allow required protocol/communication paths. MDR supports TLS in network communications (HTTPS). TLS is required to be used in web-based applications to protect Government sensitive information.

The DOL MDR's Employer Violation Case API utilizes public key infrastructure (PKI) certificate-based security to support client authentication and authorization, and protect requests and responses using encryption.

For systems in development, what stage of development is the system in, and what project development life cycle was used?

Not applicable. As of October 24, 2016, the DOL MDR is in operational status.

For systems in development, does the project employ technology that may raise privacy concerns? If so, please discuss their implementation.

Not applicable.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • DOL OASAM-OCIO has completed the PIA for DOL MDR, which is currently in operational status. DOL OASAM-OCIO has determined that the safeguards and controls for this moderate system will adequately protect the information and will be referenced in the DOL MDR System Security Plan.
  • DOL OASAM-OCIO has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.