Office of the Chief Information Officer

Privacy Impact Assessment Questionnaire

OFCCP Information Systems (OFCCP) — FY2016

Overview

The Office of Federal Contract Compliance Programs (OFCCP) is a Department of Labor (DOL) agency responsible for regulatory compliance for federal contractors in meeting equal employment opportunity (EEO) and affirmative action laws and other federal contract provisions. Through the authorities mentioned below, the OFCCP enforces non-discrimination and equal opportunity standards for all individuals, including women, minorities, Vietnam-era veterans and persons with disabilities.

OFCCP supports a single major information system, OFCCP Information System (OFIS). OFIS is a set of automated tools used to collect data, track, plan, and report on the compliance evaluations and complaint investigations OFCCP conducts to ensure that the laws the program administers are enforced. OFIS has three subsystems within the application. They are:

  • OFIS Case Management System (CMS): CMS is the primary data collection vehicle for the integrated OFIS suite. It provides compliance officers with essential progress tracking tools and an automated method to submit compliance information and case investigation milestones.
  • OFIS Executive Information System (EIS): EIS is the primary reporting vehicle for the integrated OFIS suite of applications. It is the reporting tool that accesses data through CMS.
  • OFIS Administration System (ADM): ADM is an administrative module developed for user authentication and authorization. It is used to grant and maintain system access and privileges to an authorized list of users by means of a customized interface of administrative templates and forms.

These OFIS subsystems are client/server software products where the client module resides on the Citrix server farm. OFIS provides information on a daily basis for both the compliance evaluations and complaint investigations conducted under the auspices of OFCCP. OFIS offers general standardization and infrastructure benefits for these efforts as well.

OFIS does not directly connect with any other information system. However, OFIS data is used by other information systems, including the DOL Customer Relations Management (CRM) system. Under no circumstances is any PII extracted from OFIS for use with any other information system or program.

The OFIS is a Major Application that runs on and is supported by the Office of the Chief Information Officer (OCIO) General Support System (GSS), Employee Computer Network/Department Computer Network (ECN/DCN).

The Senior Agency Official for Privacy (SAOP) for OFCCP is Michael Kerr, our Assistant Secretary for the Office of the Assistant Secretary for Administration and Management (OASAM). The Chief Privacy Officer (CPO) is Dawn Leaf, Chief Information Officer for the OASAM Office of the Chief Information Officer.

  • The system name and the name of the DOL component(s) which own(s) the system.
    • OFCCP Information System (OFIS)

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

OFIS collects information on federal contractors and federal contract businesses exclusively.

OFIS supports tracking investigation cases. However, it does not store or maintain any separate documents related to the case. All information collected is about federal contractors and their employees.

From whom is information to be collected?

Employees of federal contractors who request a compliance review based on claims of discrimination may provide their contact information, name, and data related to the claim in order to support an investigation. Additionally, during scheduled compliance reviews of federal contractors, representatives of the corporation are expected to provide names and professional contact information to support the OFCCP review of their affirmative action activities.

Why is the Information being collected?

Information is collected to support tracking and reporting on investigation cases.

What is the PII being collected, used, disseminated, or maintained?

The PII collected as part of the compliance evaluation process is the following:

  • First Name, Middle Initial and Last Name of the federal contractor's primary points of contact
  • The POC's official title, if known
  • The POC's business telephone number
  • The POC's business telephone number extension, if applicable
  • The POC's email address

The PII collected as part of the complaint investigation process is the following:

  • First Name, Middle Initial and Last Name of the complainant who files the complaint
  • The Street Address, City, State and Zip Code of the complainant who files the complaint
  • First Name, Middle Initial and Last Name of the federal contractor's primary points of contact
  • The POC's official title, if known
  • The POC's business telephone number
  • The POC's business telephone number extension, if applicable
  • The POC's email address

How is the PII collected?

PII for the compliance evaluation is collected from the POC identified as a part of the compliance evaluation process conducted on the federal contractor's facility.

PII for the complaint investigation is collected either electronically, through the use of OFCCP Form CC-4, or manually, using the same form. This data is voluntarily provided by the claimant as part of filing a claim.

How will the information collected from individuals or derived from the system be checked for accuracy?

The data collected is checked for accuracy and verified by the OFCCP compliance officer and the OFCCP Regional and District Office management. The POC receives a copy of all documents, which they can review for accuracy.

What specific legal authorities, arrangements, and/or agreements allow the collection of PII?

The legal authority, arrangements, and/or agreements that define and provide for the collection of this information from the OFCCP federal contractor community are provided in the Code of Federal Regulations (CFR), Title 41 (Public Contracts and Property Management), Chapter 60 (Office of Federal Contract Compliance Programs, Equal Employment Opportunity, Department of Labor). OFCCP's mission is authorized and mandated by the following laws:

  • Americans with Disabilities Act of 1990
  • Executive Order (EO) 11246
  • Section 503 of the Rehabilitation Act of 1973, as amended
  • 38 USC 4212 — The Vietnam Era Veterans' Readjustment Assistance Act of 1974 including subsequent amendments
  • Notice of Employee Rights Concerning Payment of Union Dues — EO 13496

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The only users that have direct access to this information are OFCCP compliance officers, designated OFCCP authorized users, and OFIS operations teams. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  1. Inappropriate use of the PII collected
  2. Failure to secure any hardcopy documents on which PII appears
  3. Malicious theft of data by a motivated outside attacker.

The mitigation actions currently employed to reduce the potential for exposure of the identified PII are the following:

  1. Establish and provide secure access to the OFCCP Information System (OFIS)
  2. Establish and provide secure access to all OFCCP office locations
  3. Establish and provide secure storage of hardcopy documentation in OFCCP offices
  4. Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  5. Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.
  6. Minimize all data collection to the minimum necessary to conduct investigations.
  7. Enforce rigorous standards when shipping or mailing documents.

Describe the Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The PII is intended to be used by compliance officers conducting either compliance evaluations or complaint investigations. While this PII is stored in OFIS, it is not included as data on the majority of reports accessible to end users of this information system. With the exception of the PII collected during the complaint investigation process, this information does not appear on any of the pre-formatted reports that are available within OFIS.

What types of tools are used to analyze data and what type of data may be produced?

There are no analytical tools which are made available to our user community for the purpose of performing analysis related to the identified PII. No qualitative or quantitative data is generated from the identified PII collected through OFIS.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No qualitative or quantitative data is generated from the identified PII contained within OFIS.

If the system uses commercial or publicly available data, please explain why and how it is used.

Not applicable.

Will the use of PII create or modify a "system of records notification" under the Privacy Act?

Yes. This is managed under the existing OFCCP Statement of Records Notice.

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The only users that have direct access to this information are OFCCP compliance officers, designated OFCCP authorized users, and OFIS operations teams. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  1. Inappropriate use of the PII collected
  2. Failure to secure any hardcopy documents on which PII appears
  3. Malicious theft of data by a motivated outside attacker.

The mitigation actions currently employed to reduce the potential for exposure of the identified PII are the following:

  1. Establish and provide secure access to the OFCCP Information System (OFIS)
  2. Establish and provide secure access to all OFCCP office locations
  3. Establish and provide secure storage of hardcopy documentation in OFCCP offices
  4. Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  5. Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.
  6. Minimize all data collection to the minimum necessary to conduct investigations.
  7. Enforce rigorous standards when shipping or mailing documents.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

5 years.

The following information is derived from the OFCCP Record Retention Plan which has been approved and is currently in use with the National Archives and Records Administration (NARA):

a. ELECTRONIC RECORD MEDIA

THE OFIS DATABASE (Master File). This mission-critical database contains information on compliance and complaint investigations conducted by the OFCCP. This information is for both historical investigations and ongoing investigations. There is also a disaster recovery procedure in place. The information in the OFIS Database must adhere to the established impact criteria described below:

Data Confidentiality: Medium to High
Data Integrity: Medium to High
Data Availability: Low

PRIVACY RESTRICTIONS: YES

ARRANGEMENT OF DATA. Data is available in the OFIS database for reporting purposes according to the following structure:

Nationwide Scope
Regional Office Scope
District Office Scope

Electronic Media Volume: 2 CDs
Annual Accumulation: Less than 1 CD per year

PRIVACY RESTRICTIONS: YES

DISPOSITION: PERMANENT. Cutoff period — 5 calendar years. Transfer to the NARA every 5 calendar years in a format acceptable to NARA at time of transfer.

b. OUTPUT RECORDS (Paper Documents)

  • Case File Documents (Forms) - Computer generated forms provided by this system are used as part of the official case file.

PRIVACY RESTRICTIONS: YES

DISPOSITION: TEMPORARY. Cut off file at end of calendar year. Hold in office and destroy when seven calendar years old.

  • Hard Copy Reports - Management reports generated by this system are provided when requested. These Reports are then retained by the requesting office (National, Regional, or District).

DISPOSITION: TEMPORARY. Cut off file at end of calendar year and hold in office. Transfer three calendar years after cut off to FRC. Destroy when seven calendar years old.

Is a retention period established to minimize privacy risk?

Yes

Has the retention schedule been approved by the National Archives and Records Administration (NARA)?

Yes

Per M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information: what efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

OFCCP data requirements have been reviewed by OFCCP management and determined to be necessary for OFCCP operations. Should OFCCP operational requirements change, OFCCP management will review the data requirements with the purpose of altering the amount of PII collected, stored, or maintained by OFIS.

Have you implemented the DOL PII Data Extract Guide for the purpose of eliminating or reducing PII?

Not applicable; OFIS data requirements have previously been stripped down to the bare minimum required for OFCCP operations. OFCCP does not create PII data extracts.

How is it determined that PII is no longer required?

Data requirements are established by NARA and FOIA requirements.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?

As the information is used to directly contact points of contact and access is limited to employees responsible for working with those individuals, no anonymization or masking is feasible.

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The only users that have direct access to this information are OFCCP compliance officers, designated OFCCP authorized users, and OFIS operations teams. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  1. Inappropriate use of the PII collected
  2. Failure to secure any hardcopy documents on which PII appears
  3. Malicious theft of data by a motivated outside attacker.

The mitigation actions currently employed to reduce the potential for exposure of the identified PII are the following:

  1. Establish and provide secure access to the OFCCP Information System (OFIS)
  2. Establish and provide secure access to all OFCCP office locations
  3. Establish and provide secure storage of hardcopy documentation in OFCCP offices
  4. Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  5. Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.
  6. Minimize all data collection to the minimum necessary to conduct investigations.
  7. Enforce rigorous standards when shipping or mailing documents.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

The identified PII is collected through our regional, district and area office locations, as well as the national office. This information is only available internally via OFIS, OFIS reports, and the original case files.

How is the PII transmitted or disclosed?

The identified PII is transmitted internally between the OFCCP regional/district/area offices and the national office through OFIS. This information is transmitted electronically and is only disclosed to those employees on a "need-to-know" basis.

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

Not applicable; the information is maintained in OFIS to support FOIA and NARA requirements, and potential future investigations.

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The only users that have direct access to this information are OFCCP compliance officers, designated OFCCP authorized users, and OFIS operations teams. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  1. Inappropriate use of the PII collected
  2. Failure to secure any hardcopy documents on which PII appears
  3. Malicious theft of data by a motivated outside attacker.

The mitigation actions currently employed to reduce the potential for exposure of the identified PII are the following:

  1. Establish and provide secure access to the OFCCP Information System (OFIS)
  2. Establish and provide secure access to all OFCCP office locations
  3. Establish and provide secure storage of hardcopy documentation in OFCCP offices
  4. Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  5. Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.
  6. Minimize all data collection to the minimum necessary to conduct investigations.
  7. Enforce rigorous standards when shipping or mailing documents.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP. Note: OFIS does maintain a connection with the DOL Level Road system, but the data transfer is one-way (from OFIS to Level Road) via a controlled staging area to prevent possible data disruption or attacks. OFIS maintains a similar connection with the Department of Labor Customer Relations Management (DOLCRM) system. Only publicly accessible, non-PII data is transferred over these connections.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

How is the information shared outside the Department and what security measures safeguard its transmission?

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

How is the information transmitted or disclosed?

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If yes, include who the agreement is with and the duration of the agreement.

MOUs are in place for both connections. The MOUs are between OFCCP, OCIO, and other participating agencies, and are signed for three years. Both MOUs outline explicitly that no PII is to be transferred between OFCCP or OFIS and the connected system.

How is the shared information secured by the recipient?

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

Not Applicable. The identified PII is not shared with any organizations/entities outside of the OFCCP.

Privacy Impact Analysis

There is no risk identified with external sharing, as OFCCP does not participate in any agreements involving the transfer of PII.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

  • Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, please explain.

The following information is provided to the public (and is included on the CC-4 Form) used to initiate complaint investigations received by the OFCCP.

Instructions: Before completing this form, please read all instructions, including the Privacy Act statement below. Use this form to file a complaint of discrimination in employment under any of the OFCCP programs. Note: Persons are not required to respond to this collection of information unless it displays a currently valid OMB control number.

Privacy Act Notice:

The authority for collecting this information is Executive Order 11246, as amended; Sec. 503 of the Rehabilitation Act of 1973, as amended; the Vietnam Era Veterans' Readjustment Assistance Act of 1974, as amended, 38 U.S.C. 4212; Title VII of the Civil Rights Act of 1964, as amended; and/or Title I of the Americans with Disabilities Act of 1990, as amended (ADA). This information is used to process complaints and conduct investigations of alleged violations of the above Order or Acts. We will provide a copy of this complaint to the employer against whom it is filed and, when matters alleged are covered by Title VII and/or ADA, to the U.S. Equal Employment Opportunity Commission (EEOC). The information collected may be verified with others who may have knowledge relevant to the complaint. It may be used in settlement negotiations with the employer or in the course of presenting evidence at a hearing, or may be disclosed to other agencies with jurisdiction over the complaint. Providing this information is voluntary; however, failure to provide the information will restrict the action that the Department of Labor can take on your behalf and, for matters covered by Title VII or the ADA, may affect your rights to sue under those laws.

Do individuals have the opportunity and/or right to decline to provide information?

Yes. There is no regulatory requirement which mandates the collection of the identified PII, either for compliance evaluations or complaint investigations conducted by the OFCCP.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

An individual has the right to consent to the collection of data since this data collection is a voluntary component of the compliance evaluation and/or complaint investigation process, but there is no process/procedure currently in place within the OFCCP which defines a "consent requirement" for a particular use of the PII collected.

Privacy Impact Analysis

This Notice is provided to either the POC for the Federal Contractor and/or the Complainant during direct contact with the OFCCP Compliance Officer responsible for conducting the compliance evaluation/complaint investigation. Submission of the identified PII by representatives/parties as a part of either investigative process is voluntary and this information is communicated by the compliance officer assigned to the investigation and also is provided in writing prior to the collection of PII.

Individual Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

For the PII related to compliance evaluation case records, the requestor should inquire with the compliance officer(s) assigned to conduct the compliance evaluation of the federal contractor.

For the PII related to the complaint investigation case record, the respondent is provided with a copy of the CC-4 form during the initial meeting with the assigned compliance officer(s). The identified PII is entered in the OFIS from the information collected on the CC-4 Form.

What are the procedures for correcting inaccurate or erroneous information?

Upon identification/notification of an inaccuracy in the identified PII, whether associated with a compliance evaluation or a complaint investigation case record, the assigned compliance officer is responsible for correcting the inaccuracy prior to the completion of the compliance evaluation or complaint investigation.

How are individuals notified of the procedures for correcting their own information?

This process is currently provided to individuals verbally, by the compliance officer(s) assigned to conduct the evaluation/investigation under which the identified PII is collected.

If no formal redress is provided, what alternatives are available to the individual?

Not applicable (see above).

Privacy Impact Analysis

Currently, there is only one known privacy risk to individuals associated with the redress processes described above. This risk is not directly related to the OFIS, but rather to the "Ethical Standard" under which OFCCP employees perform their duties. To mitigate this risk, the OFCCP continues to provide the appropriate training to all employees regarding their conduct while in the federal service and their obligation to protect all information collected by the federal government, as mandated.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (for example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

Access is limited to OFCCP employees, and the contract staff responsible for supporting the system.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

Yes, contract support for OFIS is provided by Systems Plus. No contractors outside of the contract staff are provided access to the system.

Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.

Yes, OFIS employs role-based access. Each user is given a "role" (compliance officer, manager, district director, regional director, etc.) and an office location. Users can only access, modify, and view cases within the geographic region for which they are responsible. Managers have access to the files of their employees.

What procedures are in place to determine which users may access the system and are they documented?

There are Access Control/Account Management procedures which are currently in place that describe the technical safeguards and security measures for ensuring access to the OFIS is managed and monitored.

How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide date of last training.

Roles are established and managed by OFCCP managers. Managers cannot elevate a user above their own privileges. All users must complete the OASAM Rules of Behavior prior to being granted access to the system. OFCCP is in the process of generating a system-specific set of Rules of Behavior which must be reviewed and signed by the individual as part of the account creation process.

Employees participate in mandatory Privacy Act and Records Management training annually. This is provided by Learning Link, and so no single hard date is available. In 2015 it was available in CQ3 and 4.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Employees participate in mandatory Privacy Act and Records Management training annually. This is provided by Learning Link, and so no single hard date is available. In 2015 it was available in CQ3 and 4.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Auditing is provided by DMAP support staff and OASAM, alongside other technical safeguards, to prevent the misuse of data.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes. The last Authorization to Operate (ATO) was completed in May 2014.

Privacy Impact Analysis

The risks identified are directly related to the collection and use of the PII by designated OFCCP personnel nationwide. The primary OFCCP user community that has direct access to this information is the Compliance Officer Community. These employees are responsible for conducting the evaluations and investigations in support of the mission of the OFCCP. Possible risks include the following:

  1. Inappropriate use of the PII collected
  2. Failure to secure any hardcopy documents on which PII appears
  3. Malicious theft of data by a motivated outside attacker.

The mitigation actions currently employed to reduce the potential for exposure of the identified PII are the following:

  1. Establish and provide secure access to the OFCCP Information System (OFIS)
  2. Establish and provide secure access to all OFCCP office locations
  3. Establish and provide secure storage of hardcopy documentation in OFCCP offices
  4. Conduct annual training for all OFCCP employees and contractors on OFCCP employees' responsibilities for protecting all information received (electronic and non-electronic) from federal contractors
  5. Provide access to and training for the proper disposal (shredding and/or burning) of all hardcopy documents prior to disposal and/or for the destruction of all electronic portable media (CDs, USB Drives, Memory Cards, etc.) received or used during the investigation and evaluation processes conducted by the OFCCP. This includes the acquisition and use of shredding devices at all OFCCP office locations.
  6. Minimize all data collection to the minimum necessary to conduct investigations.
  7. Enforce rigorous standards when shipping or mailing documents.

While there are no auditing measures in place to protect the PII in the system, there are technical safeguards that restrict access to the system as previously mentioned. In addition, users of the systems have been adequately trained in the use and administration of privacy information.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The system was custom-designed and built.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

OFIS was designed prior to the publication of FISMA. As such, basic security was built in as required at the time. However, management has decided against significantly expanding OFIS's functionality that might expand the quantity or processing of PII until OFIS can be replaced with a newer system with more robust security controls.

What design choices were made to enhance privacy?

OFCCP has declined to add functionality to OFIS which may pose a threat to the privacy data stored. Data extracts for other agencies and to the testing environment are sanitized, or PII fields are excluded, to avoid possible loss of PII data.

For systems in development, what stage of development is the system in, and what project development life cycle was used?

Not applicable; OFIS is in steady-state.

For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.

Not applicable; OFIS is in steady-state.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • OFCCP has completed the PIA for the OFCCP Information System (OFIS) which is currently in operation. OFCCP has determined that the safeguards and controls for this moderate system adequately protect the information.
  • OFCCP has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.