Privacy Impact Assessment Questionnaire
WHD Back Wage Financial System (BWFS) FY 2017
The Wage and Hour Division (WHD) is an agency of DOL. The WHD is responsible for administering and enforcing some of our nation’s most comprehensive labor laws, including: the minimum wage, overtime, and child labor provisions of the Fair Labor Standards Act (FLSA); the Family and Medical Leave Act (FMLA); the Migrant and Seasonal Agricultural Worker Protection Act (MSPA); worker protections provided in several temporary visa programs; and the prevailing wage requirements of the Davis-Bacon and Related Acts (DBRA) and the Service Contract Act (SCA). Back Wage Financial System (BWFS) supports WHD meeting its core business functions.
WHD operates the Back Wage Financial System (BWFS), which is a financial management system used by the WHD. The system is used to collect back wages due to employees from employers as a result of violations of laws enforced by the WHD and to disburse those wages to employees. This Privacy Impact Assessment is being conducted because BWFS contains Personal Identifiable Information (PII).
The BWFS is a financial management system used by the WHD to collect back wages from employers (under certain conditions), disburse those wages to employees, and, when the WHD is unable to locate employees after three years, transfer any remaining monies to the U.S. Treasury. Major functions of the system include accruing and assessing interest and penalties for delinquent debt, transferring debts to Treasury’s Debt Management Service (DMS) for debt collection, producing tax documentation for gross cases, and producing period reports for financial reporting.
In addition to the US Treasury, the system provides data to the U.S. Secure Payment System regarding the issuing of checks and to the Internal Revenue Service (IRS) and the Social Security Administration (SSA) regarding tax withholding information about individuals and businesses.
The data used by BWFS is part of the overall WHISARD database, which consists of a database and several executables that access parts of the database. The WHISARD database itself contains multiple tables; some are used only by BWFS.
The BWFS application supports the Department’s Strategic Goals of 1) preparing workers for good jobs and ensuring fair competition, 2) ensuring workplaces are safe and healthy, and 3) assuring fair and high quality work-life environments. The collection and distribution of back wages through the BWFS deters future violations and furthers the WHD mission of increased compliance to the statutes that the WHD is mandated to enforce, particularly in low-wage industries.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
The BWFS collects personally identifiable information (PII) on members of the public (U.S. citizens).
What are the sources of the PII in the information system?
BWFS consists of two components: the BWFS application and the Back Wage Follow-Up (BWFU) module hosted in the WHISARD application. The source of PII in the WHISARD system comes directly from individuals who are filling a Wage and Hour complaint.
What is the PII being collected, used, disseminated, or maintained?
The collection, dissemination, and maintenance of PII in WHISARD consist of the following:
- Phone numbers
- Social Security numbers
- Business address
- Mailing address
- Business phone number
- Residential address
- Employer Identification Number (EIN)/Taxpayer Identification Number (TIN).
How is the PII collected?
PII is collected directly from the individual when a WHD employee interviews a complainant about a possible violation to one of the laws that WHD enforces. PII can also be collected when an investigation discovers that the violation affects additional individuals other than the complainant or as a result of a direct investigation when there is no complainant.
How will the information be checked for accuracy?
The BWFS uses Form WH-60 to verify an employee's name, address, phone number, and Social Security number before the issuance of a check. A series of letters is issued to the employer before the debt is sent for collection. The final letter is sent by certified mail to the addressee to verify the accuracy of information. In addition, the Employer is requested to verify his/her Employer ID Number.
What specific legal authorities, arrangements, and/or agreements defined the collection of information?
The BWFS system supports the following labor laws in the work place:
- FLSA (Fair Labor Standards Act - Section 6&7 Minimum Wage and Overtime)
- Child Labor
- MSPA (Migrant and Seasonal Agricultural Worker Protection Act)
- FMLA (Family Medical Leave Act)
- EPPA (Employee Polygraph Protection Act)
- H-1A (Provisions of the Immigration Nursing Relief Act)
- H-1B (Provisions of the Immigration Naturalization Act)
- H-2A (Provisions of the Immigration Reform Control Act of 1990)
- Homeworker (Provisions of the Fair Labor Standards Act)
- CREW (Longshore) (Provisions of Immigration and Naturalization Act)
Privacy Impact Analysis
While PII is collected, only the minimum necessary to accomplish the mission is recorded and the affected employees and or employers are directly involved in the collection process.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
Describe all the uses of the PII
Information being collected by BWFS is used to:
- Collect back wage funds due to employees as a result of violations of laws enforced by the WHD
- Disburse collected back wages to employees
- Report taxes owed to the Internal Revenue Service (IRS)
- Provide information to the Social Security Administration (SSA) for reporting Social Security benefits
- Transferring debts to Treasury’s Debt Management Service (DMS) for debt collection
What types of tools are used to analyze data and what type of data may be produced?
We use Business Objects tool to generate reports for analyzing the data on Wage and Hour cases.
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No, BWFS is not currently designed to derive new information or create previously unavailable data about individuals.
If the system uses commercial or publicly available data, please explain why and how it is used.
The system data is not available for commercial or public use.
Privacy Impact Analysis
The PII collected is used but only for a very specific and limited purpose. It is not used for any form of analysis nor is any data derived from PII collected by BWFS.
The following questions are intended to outline how long information will be retained after the initial collection.
How long is information retained in the system?
In accordance with WHD record retention schedule NN-160-43, records will be retained for a minimum of 12 years.
This guidance is further enhanced by SORN DOL/ESA-36 which states:
- Electronic records are electronically archived; data tapes are retained for 25 years.
- Printed information generated by this system and retained in a Wage-Hour office will be disposed of as follows:
Printed information, concerning cases where violations were found, is disposed of 12 years after the date the case is closed. For cases where no violations were found, printed information is disposed of three years after the closing date.
Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
WHD record retention schedule NN-160-43 has been approved by the DOL agency records officer and the National Archives and Records Administration (NARA).
It should be noted that new schedules have been submitted to NARA for approval.
Privacy Impact Analysis
Data is retained in strict accordance with the WHD record retention schedule NN-160-43 and SORN DOL/ESA-36. Safeguards are in place for the data stored in the WHISARD database as well as the archived data which is maintained off-site in a vendor provided secure storage facility that meets or exceeds federal standards for physical access control.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
The BWFS system does not share PII information with any internal organizations.
How is the PII transmitted or disclosed?
The BWFS system does not transmit or disclose PII information with any internal organizations.
Privacy Impact Analysis
There is no Privacy Impact with the BWFS system because it does not transmit, share or disclose PII to any internal organization.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
BWFS shares PII with external organizations as follows:
- Debt Management System (DMS) Used to refer debts over
180 days delinquent to Treasury
- Secure Payment System (SPS) Used to submit payment schedules to Treasury
- Business Services Online (BSO) Used to report Social Security benefits to Social Security Administration (SSA)
- Filing Information Returns Electronically (FIRE) used to report taxes to Internal Revenue Service (IRS)
- TALX Used for printing and distributing the W-2s
Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
Yes, sharing of PII outside of DOL complies with SORN PARN DOL/OCFO-2. The WHD has developed a PARN for WHFAS that is published by the SOL. BWFS is covered under the existing PARN for DOLAR$.
How is the information shared outside the Department and what security measures safeguard its transmission?
WHD shares information directly with the Department of the Treasury via Connect: Direct. Connect: Direct is a vendor provided product that uses a proprietary protocol and encryption method which is FIPS 140-2 compliant.
WHD also shares information directly with the Department of the Treasury via their Secure Payment System (SPS) which is secured using a FIPS 140-2 validated SSL implementation.
Privacy Impact Analysis
PII is shared with the Department of the Treasury and only for the purposes of disbursing back wages to employees. Two different methods are used to accomplish these communications and both are protected by FIPS 140-2 validated encryption solutions. . Memorandums of Understanding (MOU) and Interconnection Service Agreements (ISA) are in place between WHD and the Treasury that governs the electronic transfer data.
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
Was notice provided to the individual prior to collection of PII?
Not always. In some cases, PII is collected directly from the individual submitting a complaint. In other cases, PII may be collected as a result of a direct investigation that affects one or more individuals. Notice of the collection of PII information on individuals is provided by the publication of SORN DOL/ESA 42 in the Federal Register.
Do individuals have the opportunity and/or right to decline to provide information?
Not always. Information is collected as a result of an investigation. In some cases, this information is collected directly from the individual who at that time has the opportunity to decline to provide information. In other cases, information may be collected from a third party such as the employer and in such cases; the individuals do not have the opportunity to decline to provide information.
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No. Information is collected as a result of an investigation. It is used only for disbursement of back wages depending on the outcome of the investigation. Due to the nature of the work, individuals are not provided an option for consenting to this use of the information.
Privacy Impact Analysis
PII is collected as a result of an investigation. In some cases, this information is provided directly by the individual to whom it pertains but in all cases, individuals do not have the right to consent to its use.
Access, Redress, and Correction
The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.
What are the procedures that allow individuals to gain access to their information?
There are no procedures to allow individuals to gain access to their information. The BWFS application is an internal system that is accessed only by WHD employees or contractors for the purpose of conducting investigations. Access to the public is not allowed.
What are the procedures for correcting inaccurate or erroneous information?
WHD provides the completed forms WH-60 to the individuals affected by the investigation requesting them to verify and update as necessary. The forms are then returned to WHD for processing.
How are individuals notified of the procedures for correcting their information?
Prior to the disbursement of back wages, individuals are contacted directly by WHD and provided with the completed form WH-60 for the purpose of verifying personal information and making any necessary corrections.
If no formal redress is provided, what alternatives are available to the individual?
The publication of SORN DOL/ESA 36 addresses the procedure for correcting or updating information that is gathered. Individuals wishing to contest or amend any records should direct their request to the appropriate regional office. Such inquiries should include the full name of the requester and the date and amount of assessment. Information about district and regional offices for Wage Hour can be found by going to http://www.dol.gov/whd/ on the internet or by contacting the disclosure officer at the following address:
Administrator, Wage and Hour Division,
Room S-3502, Frances Perkins Building
200 Constitution Avenue, NW, Washington, DC 20210
Privacy Impact Analysis
The form WH-60 is provided to the individuals involved in the investigation in an effort to ensure that their information is complete and accurate. In addition, the publication of SORN DOL/ESA 36 addresses the procedure for further correction and updating of the information that is gathered.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
What procedures are in place to determine which users may access the system and are they documented?
Procedures are in place that must be followed before allowing users access to the system. The process is designed to comply with the principles of least privilege and separation of duties as follows.
All DOL employees and contractors must undergo at a minimum a standard DOL background check. Users of the system must first complete the process for requesting and obtaining a DOL network account. Next, they will need to complete and submit the appropriate Wage Hour request form which identifies the system to which access is being requested along with their proposed role and or privileges. All requests for system access must be approved by the user’s supervisor and the System Owner (SO) or SO representative. Separation of duties is enforced by requiring actions by both OWCP-DITMS account managers and WHD account administrators to complete the process before user access to the system is granted.
Will Department contractors have access to the system?
Yes, WHD contractors will have access to the system if required based on their assigned duties.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
WHD employees are trained to protect individual PII as part of the Computer Security Awareness Training (CSAT) and are required to agree to the DOL Rules of Behavior. In addition all new WHD investigators and support staff are trained to safeguard information as part of their Basic Training.
What auditing measures and technical safeguards are in place to prevent misuse of data?
Event logs are being used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found is NIST Special Publication 800-53.
WHD users must first login to the DOL/OWCP-DITMS-GSS network and only then would it be possible to login to BWFS. A separate ID and password is required for the user to now login to BWFS. Event logs are designed to capture detailed information pertaining to both of these account activities as well as others such as establishing, activating, modifying, reviewing, disabling, and removing accounts. These logs are reviewed monthly by management in an effort to detect any unusual or unauthorized activity.
WHD has an established Incident Response and Reporting procedure that requires users to promptly report known or suspected unauthorized use or disclosure of user-IDs and/or passwords, misuse of computer resources, security violations, or unusual occurrences to appropriate authorities.
OWCP-DITMS-GSS has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall.
Privacy Impact Analysis
The implementation of security controls as described above represents a defense in depth approach to providing adequate protection of all sensitive information contained in the system including PII. These controls are effective in preventing unauthorized access to the system, detecting if a system has been compromised and responding to incidents in the event that a system compromise has been suspected.
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
What stage of development is the system in, and what project development life cycle was used?
All DOL major information systems are required to follow the computer security life cycle defined in the DOL System Development Life Cycle Management Manual (SDLCMM). Based on the SDLCMM the BWFS system is in the Operations and Maintenance Phase (Phase IV).
Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
The BWFS system utilizes only standard DOL approved technologies and protocols to allow users access to the system. Technologies which could raise significant privacy concerns such as peer-to-peer file sharing, remote and web access and others are not authorized for use with this system.
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
- Wage and Hour Division (WHD) has completed the PIA for Back Wage Financial System (BWFS) which is currently in operation. WHD has determined that the safeguards and controls for this moderate system adequately protect the information referenced in Back Wage Financial System (BWFS) System Security Plan, dated 3/27/2013.
- Wage and Hour Division (WHD) has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.