Office of the Chief Information Officer

Privacy Impact Assessment Questionnaire

SOL — Evidence Management System (EMS) — FY2017

Overview

What are the system name and the name of the DOL component(s) which own(s) the system?

The Evidence Management System (EMS) is owned by the external Cloud Service Provider (CSP).

What is the purpose/function of the program, system, or technology and how it relates to the component's and DOL mission?

The mission of the Office of the Solicitor (SOL) is to provide legal advice and representation to the Secretary of Labor and client agencies in a broad range of matters, including affirmative and defensive litigation, and to ensure that legal staff have the tools needed to accomplish their critical mission effectively. The EMS delivers tools, capabilities and related services that significantly advance SOL's mission. The EMS provides on-demand, scalable litigation and document production support services to the diverse, geographically dispersed agencies of DOL.

Provide a general description of the information in the system.

Evidentiary information is used to support legal investigation and discovery activities. Evidentiary information may include items such as documents, images, media files, and emails. The information may contain both sensitive and protected PII. The degree of PII depends on the nature of the litigation case.

Provide a description of a typical transaction conducted on the system.

A typical transaction of the EMS begins by receiving electronic documents from an SOL office. The Cloud Service Provider (CSP) performs an inventory of the documents and uploads them into IPRO, the processing component, to retrieve metadata about the documents and prepare them to be loaded into Relativity. Relativity is the core component of EMS, consisting of a database, a storage area network to store files and images, and several servers to allow for administration of the application, searching, and analytics in a cloud environment. Once the documents are formatted, they are ready to be loaded into Relativity. The document is then available and viewable to SOL users through the Relativity Web interface. SOL users access Relativity by logging into the Relativity Web interface via Internet Explorer on the DOL network. EMS provides users the ability to search for a document and make certain legal determinations as needed. SOL users are provided the ability to mark the document privileged or not responsive, apply redaction to certain terms, add Bates numbers, or otherwise comment on the document. Once the documents have been reviewed and marked to be produced, they are processed by IPRO to be used by SOL or opposing counsel. The end product of this process is portable document format (.pdf) documents, paper documents, or other electronic formats requested to be produced through other legal technology applications.

Is there any information sharing conducted by the program or system?

Yes. Information sharing is conducted with other federal agencies, courts and administrative bodies, arbitrators and mediators, and opposing counsel and parties to an investigation or litigation matter.

Provide a general description of the modules and subsystems, where relevant, and their functions.

Relativity Web — A web interface for SOL users to log into the EMS. The Relativity application resides on a web server and users are authenticated through a directory service for identification and authentication.

Relativity — The core component of EMS consists of a database, storage area network to store files and images, and several Relativity servers to allow for administration of the application, searching, and analytics in a cloud environment.

IPRO — The processing environment of Relativity, which consists of the IPRO Suite and a few in-house IE Discovery tools. This component allows the Cloud Service Provider to inventory data, keep track of workflow, convert data into a raw format in order to derive metadata, prepare data to be loaded into the Relativity software, and analyze data using multiple methods (e.g. unzip files, decrypt files, or break email archives out into individual emails). This processing environment also allows the transmission of documents back to SOL and to opposing counsel by retrieving the data from Relativity and exporting it to an external hard drive, CD/DVD, thumb drive, or other formats compatible with trial or other litigation tools, such as Concordance.

Where appropriate, what is the citation to the legal authority to operate the program or system?

5 U.S.C. 301, 5 U.S.C. 552 and 5 U.S.C. 552a.

Provide a description of why the PIA is being conducted.

The EMS contains PII on Federal employees, DOL contractors and members of the public and therefore a Privacy Impact Assessment is required. The Privacy Act requires that a SORN be published in the Federal Register when PII is maintained by a Federal agency in a system of records and the information is retrieved by a personal identifier. The system can retrieve PII by the specific personal identifier. A Privacy Act System of Record Notice (SORN) is published in the Federal Register.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

PII is collected in the system from DOL client agencies and other parties to pending or active litigation cases (e.g. opposing counsel).

What are the sources of the PII in the information system?

The sources of PII are the following records obtained from the investigations, discovery, and trial litigation process including depositions, interrogations, interviews, and court ordered exchange of information:

  • Business records (including mine safety & health, occupational safety and health, black lung benefit statements, etc.)
  • Business confidential information including trade secrets and other proprietary information
  • Investigation findings records
  • Medical records
  • Payroll records
  • Financial records
  • Internal audit records
  • Personal records including correspondence records (e.g. email, letters)

What is the PII being collected, used, disseminated, or maintained?

  • First and/or last name
  • Date of birth
  • Place of birth
  • SSN
  • SSN (truncated)
  • Military, immigration, or other government-issued identifier
  • Photographic identifiers (i.e., photograph image, x-rays, video)
  • Vehicle identifier (e.g., license plate, VIN)
  • Driver's license number
  • Residential address
  • Personal phone numbers (e.g., phone, fax, cell)
  • Mailing address (e.g., P.O. Box)
  • Personal e-mail address
  • Business address
  • Business phone number (e.g., phone, fax, cell)
  • Business e-mail address
  • Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
  • Financial account information and/or number (e.g., checking account number, PIN, retirement, investment account)
  • Certificates (e.g., birth, death, marriage)
  • Legal documents or notes (e.g., divorce decree, criminal records)
  • Educational records
  • Network logon credentials (e.g., username and password)
  • Payroll records

How is the PII collected?

Evidence documents containing PII are collected as part of investigations and the discovery and trial litigation process including depositions, interrogations, interviews, and court ordered exchange of information.

How will the information be checked for accuracy?

In some instances the accuracy of the PII contained within the evidence document is validated as part of the litigation process and sometimes attested under oath as accurate by a party to the case.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

The Federal Rules of Civil Procedure and Federal Rules of Evidence.

Privacy Impact Analysis

The type of PII stored in EMS creates the risk of unauthorized access and disclosure. The PII stored in EMS is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The key security controls to ensure that PII is properly protected from unauthorized access and unauthorized disclosure include:

  • Technical Controls
    • Access Control (AC)
      • Account Management
      • Access Enforcement
      • Information Flow Enforcement
      • Separation of Duties
      • Least Privilege
      • Session Lock
      • Session Termination
    • Audit and Accountability (AU)
      • Audit Review, Analysis and Reporting
    • Identification and Authentication (IA)
      • Identifier Management
      • Authenticator Management
    • System and Communications Protection (SC)
      • Cryptographic Protection
  • Management Controls
    • Planning (PL)
      • Rules of Behavior
  • Operational Controls
    • Awareness and Training (AT)
      • Security Awareness Training
      • Role-based Training
    • Media Protection (MP)
      • Media Access
      • Media Marking
      • Media Storage
      • Media Transport
      • Media Transport/Cryptographic Protection
    • Physical and Environmental Protection (PE)
      • Physical Access Authorizations
      • Physical Access Control

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The PII is used for any purpose permissible under DOL authorizing statutes and court orders.

What types of tools are used to analyze data and what type of data may be produced?

The EMS application/system uses the Relativity COTS tool to analyze and produce data.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No. The EMS does not generate new or previously unavailable data.

If the system uses commercial or publicly available data, please explain why and how it is used.

The system uses commercial or publicly available data for any purpose permissible under DOL authorizing statutes and court orders.

Privacy Impact Analysis

The type of PII stored in EMS creates the risk of unauthorized access and disclosure. The PII stored in EMS is hosted in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

The key security controls to ensure that PII is properly protected from unauthorized access and unauthorized disclosure include:

  • Technical Controls
    • Access Control (AC)
      • Account Management
      • Access Enforcement
      • Information Flow Enforcement
      • Separation of Duties
      • Least Privilege
      • Session Lock
      • Session Termination
    • Audit and Accountability (AU)
      • Audit Review, Analysis and Reporting
    • Identification and Authentication (IA)
      • Identifier Management
      • Authenticator Management
    • System and Communications Protection (SC)
      • Cryptographic Protection
  • Management Controls
    • Planning (PL)
      • Rules of Behavior
  • Operational Controls
    • Awareness and Training (AT)
      • Security Awareness Training
      • Role-based Training
    • Media Protection (MP)
      • Media Access
      • Media Marking
      • Media Storage
      • Media Transport
      • Media Transport/Cryptographic Protection
    • Physical and Environmental Protection (PE)
      • Physical Access Authorizations
      • Physical Access Control
  • Privacy Controls
    • Authority and Purpose (AP)
      • Authority to Collect
      • Purpose Specification

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

How long is information retained in the system?

Information is retained in accordance with the SOL Records Schedule.

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

Yes. National Archives and Records Administration Schedule # DAA-0174-2013-0006.

How is it determined that PII is no longer required?

A determination as to when PII is no longer required within the system is performed as part of the annual Privacy Impact Assessment. Specifically, the MALS Litigation Support Unit makes recommendations for approval by the System Owner. SOL also addresses all federal mandates to reduce the use of PII and specific identifiers where possible in its information collection processes.

What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

PII is only stored on the system during active litigation. When the litigation matter is completed or the need for the EMS evidence database has been satisfied, the information is removed from the system.

Provide a Privacy Impact Analysis.

The risk of unauthorized access and unauthorized disclosure is proportionally increased by the length of time in which the data is retained. The key security controls to ensure that PII is properly protected include:

  • Operational Controls
    • System and Information Integrity (SI)
      • Information Handling and Retention
  • Privacy Controls
    • Data Minimization and Retention (DM)
      • Minimization of Personally Identifiable Information
      • Data Retention and Disposal
      • Minimization of PII Used in Testing, Training, and Research

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

DOL agencies, as necessary for the handling of the investigation, facilitated resolution, or litigation matters.

How is the PII transmitted or disclosed?

PII is transmitted or disclosed through online queries, online screen displays, hard copies, and electronic copies on portable media.

Privacy Impact Analysis

When information is shared, there is always a risk that the sharing partner does not have the appropriate authorized access level resulting in unauthorized disclosure. The key security controls to ensure that access to PII is properly authorized include:

  • Technical Controls
    • Access Control (AC)
      • Information Sharing
  • Operational Controls
    • Media Protection (MP)
      • Media Access
      • Media Marking
      • Media Storage
      • Media Transport
      • Media Transport/Cryptographic Protection
  • Privacy Controls
    • Use Limitation (UL)
      • Internal Use

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

A full range of PII is shared with other federal agencies, courts and administrative bodies, arbitrators and mediators, and opposing counsel and parties to an investigation or litigation matter to support the litigation process.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Yes, the sharing of PII outside the Department is compatible with the original collection.

Yes, see description of "Routine uses of records maintained in the system" in the SORN.

How is the information shared outside the Department and what security measures safeguard its transmission?

Evidence documents that may contain PII are shared through document filings that are made via email or through the court's electronic filing system.

Privacy Impact Analysis

When information is shared, there is always a risk that the sharing partner does not have the appropriate authorized access level resulting in unauthorized disclosure. The key security controls to ensure that access to PII is properly authorized include:

  • Technical Controls
    • Access Control (AC)
      • Information Sharing
  • Operational Controls
    • Media Protection (MP)
      • Media Access
      • Media Marking
      • Media Storage
      • Media Transport
      • Media Transport/Cryptographic Protection
  • Privacy Controls
    • Use Limitation (UL)
      • Internal Use

SOL users have an approved DOL exemption to not encrypt portable media (CD, DVD, flash drive, external hard drive) containing DOL sensitive and non-sensitive information in support of litigation activities, under various statutes, or in response to court/tribunal requirements or orders, or congressional requests. All other SOL information must be encrypted. The encryption exemption increases exposure to unauthorized access and disclosure of PII.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII?

Yes. Notice was provided to the individual prior to collection of PII by the DOL agency. This occurs prior to SOL's use of the information. SOL does not collect PII directly from members of the public but rather extracts the information from records collected by the DOL client agencies.

Do individuals have the opportunity and/or right to decline to provide information?

Yes, individuals have the right to decline to provide information based on the invocation of the Privacy Act of 1974. Individuals would have addressed this opportunity or right with the DOL agency prior to SOL's use of the information. SOL does not collect this information directly from members of the public but rather extracts the information from records collected by the DOL agencies.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

No, as there are only routine uses of the information, and no particular uses that would require consent under the Privacy Act of 1974.

Privacy Impact Analysis

The predominant risk exists in unauthorized disclosure. DOL shall not disclose, nor make available, any personal data except with the consent of the individual concerned or by authority of law. DOL shall, when appropriate and required by law, provide access to, and a process for amending, personal information in accordance with the Privacy Act of 1974. The key security controls to ensure proper notice include:

  • Privacy Controls
    • Transparency (TR)
      • Privacy Notice
      • System of Records Notices and Privacy Act Statements
      • Dissemination of Privacy Program Information

Access, Redress, and Correction

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their information?

An individual, or legal representative acting on their behalf, may request access to their record by appearing in person or by writing to the Department of Labor, Associate Solicitor, Office of Management and Administrative Legal Services, Office of the Solicitor (SOL), 200 Constitution Avenue, NW, Washington, DC 20210. A requester in need of guidance in defining his request may write to the Assistant Secretary for Administration and Management, U.S. Department of Labor, 200 Constitution Avenue, NW, Washington, DC 20210.

The specific procedures for allowing an individual to gain access to their information are provided in Title 29 CFR Part 71.2.

What are the procedures for correcting inaccurate or erroneous information?

An individual may submit a request for correction or amendment of their record. The request must be in writing and must be addressed to Department of Labor, Associate Solicitor, Office of Management and Administrative Legal Services, Office of the Solicitor (SOL), 200 Constitution Avenue, NW, Washington, DC 20210. The request must identify the particular record in question, state the correction or amendment sought, and set forth the justification for the change. Both the envelope and the request itself must be clearly marked: "Privacy Act Amendment Request."

The specific procedures for correcting inaccurate or erroneous information are provided in Title 29 CFR 71.9.

How are individuals notified of the procedures for correcting their information?

This information is published in the Federal Register entry for the system.

If no formal redress is provided, what alternatives are available to the individual?

When a request for correction or amendment is denied in whole or in part, the requester may appeal the denial to the Solicitor of Labor within 90 days of receipt of the notice denying the request.

Provide a Privacy Impact Analysis.

There is minimal risk to the data integrity of PII stored in the EMS because it is well protected by numerous security controls. Data integrity is primarily accomplished through authorized, restrictive access to information in the system.

The key security controls to ensure the integrity of PII include:

  • Operational Controls
    • System and Information Integrity (SI)
      • Information Input Validation
      • Error Handling
      • Information Handling and Retention
  • Privacy Controls
    • Individual Participation and Redress (IP)
      • Consent
      • Individual Access
      • Redress
      • Complaint Management
    • Data Quality and Integrity (DI)
      • Data Quality
      • Data Integrity and Data Integrity Board

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

What procedures are in place to determine which users may access the system and are they documented?

Access Control procedures are in place in accordance with DOL computer security guidelines and the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects.

Highlights of the access procedures include:

  • General and privileged user Rules of Behavior
  • Two-factor authentication using Cloud Service Provider (CSP) supplied RSA tokens
  • Access provided strictly on the basis of approved authorizations
  • Automatic removal of inactive access accounts
  • Least privilege access based on role
  • Separation of duties

Will Department contractors have access to the system?

Yes, EMS is accessed by Cloud Service Provider (CSP) developers and system administrators for the purpose of developing, testing, operating and maintaining the externally hosted cloud solution.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Mandatory DOL Information Systems Security Privacy and Awareness Training is provided to all SOL employees and contractors annually.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Auditing functionality exists within the system to record all business users and system administrator actions in an Audit Log. The Audit Log is protected from viewing by unauthorized users and is reviewed on a weekly basis for unusual or suspicious activity.

Within the system there are specific user roles (groups) defined which provide varying levels of authorized access to data stored in the EMS. Critical functions are divided among different individuals based on their user role assignment. Data stored in the system is encrypted at rest and during transmission. Inactive user accounts are automatically deactivated.

Privacy Impact Analysis

The PII stored within the EMS is limited to information necessary for SOL to carry out its duties. It is well protected in a cloud environment with implementation of the Federal Risk and Authorization Management Program (FedRAMP) baseline security controls for a Moderate system as supported by NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. FedRAMP controls are specifically designed for cloud environment projects and are more stringent than controls for non-cloud projects. The EMS does not interface with any other systems except its hosting network infrastructure.

The operational storage of PII in the system can create the risk of unauthorized access and disclosure. The PII stored in the EMS is subject to minimal risk because it is well protected by numerous security controls. The key security controls to ensure that PII is properly protected include:

  • Technical Controls
    • Access Control (AC)
      • Account Management
      • Access Enforcement
      • Information Flow Enforcement
      • Separation of Duties
      • Least Privilege
      • Session Lock
      • Session Termination
    • Audit and Accountability (AU)
      • Audit Review, Analysis, and Reporting
    • Identification and Authentication (IA)
      • Identifier Management
      • Authenticator Management
    • System and Communications Protection (SC):
      • Cryptographic Protection
  • Operational Controls
    • Awareness and Training (AT)
      • Security Awareness Training
      • Role-based Training
    • Media Protection (MP)
      • Media Access
      • Media Marking
      • Media Storage
      • Media Transport
      • Media Transport/Cryptographic Protection
    • Physical and Environmental Protection (PE)
      • Physical Access Authorizations
      • Physical Access Control
  • Privacy Controls
    • Security (SE)
      • Inventory of Personally Identifiable Information
      • Privacy Incident Response

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

What stage of development is the system in, and what project development life cycle was used?

EMS is in Phase 6, Operations and Maintenance. The ATO was signed December 2015 and the initial system rollout to national and regional offices was completed in January 2013. The project development life cycle used is the DOL Systems Development Life Cycle Management Manual (SDLCMM).

Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.

Yes. EMS is an externally hosted cloud solution that is owned and operated by an external Cloud Service Provider. There are other federal agencies that utilize the cloud service. Although use of the application software is shared with other federal agencies, the data is maintained separately for each agency.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • SOL has completed the PIA for the Evidence Management System. SOL has determined that the safeguards and controls for this moderate system will adequately protect the information and will be referenced in the Evidence Management System Security Plan.
  • SOL has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.