Privacy Impact Assessment Questionnaire
WHD CMP FY 2017
The WHD Civil Money Penalty System (CMP-2001) application is used to facilitate the collection of civil money penalties that are levied against employers who violate laws enforced by WHD. The CMP-2001 application automatically accepts CMP cases from the Wage and Hour Investigative Support and Reporting Database (WHISARD) application and provides Department of Labor (DOL) staff in the RO with the capability of researching case information, logging checks into and out of the RO, processing payments, processing deposits, managing debts to the U.S. Treasury, disbursing overpayments back to the employer, printing letters, generating reports, and setting up and calculating installment plans.
The data used by CMP-2001 is a part of the overall WHISARD database, which consists of a DB2 database and several different executables that access parts of the database. The WHISARD database, itself, contains several hundred tables with some specifically used only by CMP-2001.
The CMP-2001 supports the DOL Strategic Plan 2011-2016, Strategic Goal 1 Prepare workers for good jobs and ensure fair compensation, Outcome Goal 1.5 Secure Wages and Overtime. The collection of civil money penalties through CMP-2001 deters future violations and furthers the WHD mission of increased compliance, particularly in low-wage industries, of the statutes the WHD is mandated to enforce.
Characterization of the Information
CMP-2001 collects Personally Identifiable Information (PII) on members of the public (U.S. Citizens) and foreign citizens.
What are the sources of the PII in the information system?
The PII is collected directly from individuals who are the target of a Wage Hour investigation for the possible violation of certain labor laws in the workplace and who have been assessed penalties for violations under one or more of eleven different labor law categories.
What is the PII being collected, used, disseminated, or maintained?
The following information is collected, used, disseminated or maintained by the CMP-2001:
- Phone Numbers
- EIN (or Social Security Number but only when an EIN does not exist)
- Business address
- Mailing Address
- Business Phone
- Business e-mail address
- Residential address
How is the PII collected?
PII is collected during the course of an investigation into the possible violation of certain labor laws in the workplace which WHD enforces and is collected directly from an employer who is the target of such an investigation. The PII information is normally provided on paper based source documents provided as evidence during the investigation.
- How will the information be checked for accuracy?
PII is collected directly from the employer who is the target of the investigation and thereby is assumed to be correct. However, if circumstances exist where accuracy of the information is in question, verification is performed using tax records and public records.
- What specific legal authorities, arrangements, and/or agreements defined the collection of information?
The CMP-2001 system supports the following labor laws in the work place:
- FLSA (Fair Labor Standards Act - Section 6&7 Minimum Wage and Overtime)
- Child Labor
- MSPA (Migrant and Seasonal Agricultural Worker Protection Act)
- FMLA (Family Medical Leave Act)
- EPPA (Employee Polygraph Protection Act)
- H-1A (Provisions of the Immigration Nursing Relief Act)
- H-1B (Provisions of the Immigration Naturalization Act)
- H-2A (Provisions of the Immigration Reform Control Act of 1990)
- H-2B (Temporary Alien Non-Agricultural Worker)
- Homeworker (Provisions of the Fair Labor Standards Act)
- CREW (Longshore) (Provisions of Immigration and Naturalization Act)
Privacy Impact Analysis
While PII is collected, only the minimum necessary to accomplish the mission is recorded and the affected employees and or employers are directly involved in the collection process. WHD personnel that handles the sensitive PII mitigates risk of improper use of PII by following the Wage & Hour Field Operation Handbooks (FOH) and policies given by OCIO.
Uses of the PII
Describe all the uses of the PII.
CMP-2001 is designed to collect and track civil money penalties that are levied against employers who violate certain labor laws in the workplace. PII is collected by CMP-2001 only when the EIN does not exist and when collected, it is used only for the purpose of transferring debts to the U.S. Treasury for collection and disbursing overpayments received from employers.
What types of tools are used to analyze data and what type of data may be produced?
We use Business Objects tool to generate reports for analyzing the data on Wage and Hour cases.
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No, CMP-2001 is not designed to derive new information or create previously unavailable data about individuals.
If the system uses commercial or publicly available data, please explain why and how it is used.
This system does not use commercial or publicly available data.
Privacy Impact Analysis
The PII collected is used only for a very specific and limited purpose. It is not used for any form of analysis nor is any data derived from PII collected by CMP.
How long is information retained in the system?
In accordance with WHD record retention schedule NN-160-43, records will be retained for a minimum of 12 years.
This guidance is further enhanced by SORN DOL/ESA-36 which states:
- Electronic records are electronically archived; data tapes are retained for 25 years.
- Printed information generated by this system and retained in a Wage-Hour office will be disposed of as follows:
Printed information, concerning cases where violations were found, is disposed of 12 years after the date the case is closed. For cases where no violations were found, printed information is disposed of three years after the closing date.
Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
WHD record retention schedule NN-160-43 has been approved by the DOL agency records officer and the National Archives and Records Administration (NARA).
It should be noted that new schedules have been submitted to NARA for approval.
How is it determined that PII is no longer required?
PII is collected by CMP-2001 only when the EIN does not exist, and, when collected, it is used only for the purpose of transferring debts to the U.S. Treasury for collection and disbursing overpayments received from employers. CMP-2001 does not collect PII on individuals. As such, the PII is always required.
What efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?
PII is collected by CMP-2001 only when the EIN does not exist and when collected, it is used only for the purpose of transferring debts to the U.S. Treasury for collection and disbursing overpayments received from employers. CMP-2001 does not collect PII on individuals. As such, the PII is always required.
Privacy Impact Analysis
Data is retained in strict accordance with the WHD record retention schedule NN-160-43 and SORN DOL/ESA-36. Safeguards are in place for the data stored in the WHISARD database as well as the archived data which is maintained off-site in a vendor provided secure storage facility that meets or exceeds federal standards for physical access control.
Internal Sharing and Disclosure
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
PII is not shared with any internal organization.
How is the PII transmitted or disclosed?
The CMP-2001 system does not transmit or disclose PII information with any internal organizations.
Privacy Impact Analysis
There is no Privacy Impact with the CMP-2001 system because it does not transmit, share or disclose PII to any internal organization.
External Sharing and Disclosure
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
- U.S Treasury Debt Management System receives information on referred debts due the Government.
- U.S. Treasury Secure Payment System (SPS) is used to submit requests for the issuance of checks due to overpayment of penalties.
Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
Yes, sharing of PII outside of DOL complies with SORN PARN DOL/OCFO-2. The WHD has developed a PARN for WHFAS that is published by the SOL. CMP-2001 is covered under the existing PARN for DOLAR$.
How is the information shared outside the Department and what security measures safeguard its transmission?
WHD shares information directly with the Department of the Treasury via Connect:Direct. Connect:Direct is a vendor-provided product that uses a proprietary protocol and encryption method which is FIPS 140-2 compliant.
WHD also shares information directly with the Department of the Treasury via their Secure Payment System (SPS) which is secured using a FIPS 140-2 validated SSL implementation.
Privacy Impact Analysis
PII is shared with the Department of the Treasury and only for the purposes of collecting debts owed the government and issuing checks due to overpayments. Two different methods are used to accomplish these communications and both are protected by FIPS 140-2 validated encryption solutions. No other information is shared electronically from CMP-2001. Memorandums of Understanding (MOU) and Interconnection Service Agreements (ISA) are in place between OCIO GSS and the Treasury that governs the electronic transfer data.
Was notice provided to the individual prior to collection of PII?
Yes. CMP-2001 collects information only on employers and is provided directly to the WHD investigator by the employer who is the subject of the investigation. Notice to individuals is not provided since CMP-2001 does not collect PII information on individuals.
Do individuals have the opportunity and/or right to decline to provide information?
Yes. The employer has both the opportunity and right at any time to decline to provide information. This does not apply to individuals since CMP-2001 does not collect PII on individuals.
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No. Information is collected as a result of an investigation. It is used only for identifying the employer who is the target of the investigation and subject of the Civil Money Penalty. Due to the limited nature of its use, individuals are not provided an option for consenting to this use of the information.
Privacy Impact Analysis
Due to the fact that the PII being collected is done so with the full knowledge and cooperation of the owners of that information, risk to privacy is greatly reduced.
Access, Redress, and Correction
What are the procedures that allow individuals to gain access to their information?
There are no procedures to allow employers to gain access to their information. The CMP-2001 application is an internal system that is accessed only by WHD employees or contractors for the purpose of conducting investigations and to assess Civil Money Penalties. Access to the public is not allowed.
What are the procedures for correcting inaccurate or erroneous information?
Information is received directly from the employer who is the target of the investigation. For this reason, it is assumed that the information is correct and accurate.
How are individuals notified of the procedures for correcting their information?
Information is collected during the conduct of an investigation. It is used only for identifying the employer who is the subject of an investigation or compliance action and subject of the Civil Money Penalty. Due to the limited nature of its use and nature of the law enforcement action, individuals are not provided an option for consenting to this use of the information.
If no formal redress is provided, what alternatives are available to the individual?
The publication of SORN DOL/ESA 36 addresses the procedure for correcting or updating information that is gathered. Individuals wishing to contest or amend any records should direct their request to the appropriate regional office. Such inquiries should include the full name of the requester and the date and amount of assessment. Information about district and regional offices for Wage and Hour can be found by going to http://www.dol.gov/whd/about/whdabout.htm on the internet or by contacting the disclosure officer at the following address:
Administrator, Wage and Hour Division,
Room S-3502, Frances Perkins Building
200 Constitution Avenue, NW, Washington, DC 20210
Privacy Impact Analysis
PII collected during the conduct of an investigation is used only for identifying the employer who is the target of the investigation and subject of the Civil Money Penalty. Because it is an investigation into their potential violation of certain labor laws, employers are not provided access to their information nor do they have a right to consent. CMP-2001 does not collect PII on individuals.
Technical Access and Security
What procedures are in place to determine which users may access the system and are they documented?
Procedures are in place that must be followed before allowing users access to the system. The process is designed to comply with the principles of least privilege and separation of duties as follows.
All DOL employees and contractors must undergo at a minimum a standard DOL background check. Users of the system must first complete the process for requesting and obtaining a DOL network account. Next, they will need to complete and submit the appropriate Wage Hour request form which identifies the system to which access is being requested along with their proposed role and or privileges. All requests for system access must be approved by the user’s supervisor and the System Owner (SO) or SO representative. Separation of duties is enforced by requiring actions by both WHD/DITMS account managers and WHD account administrators to complete the role based process before user access to the system is granted.
Will Department contractors have access to the system?
Yes, WHD contractors will have access to the system, if required, based on their assigned duties.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
WHD employees are trained to protect individual PII as part of the Computer Security Awareness Training (CSAT) and are required to agree to the DOL Rules of Behavior. In addition all new WHD investigators and support staff are trained to safeguard information as part of their Basic Training.
What auditing measures and technical safeguards are in place to prevent misuse of data?
Event logs are being used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found is NIST Special Publication 800-53.
WHD users must first login to the DOL/OCIO network and only then would it be possible to login to CMP-2001. A separate ID and password is required for the user to now login to CMP-2001. Event logs are designed to capture detailed information pertaining to both of these account activities as well as others such as establishing, activating, modifying, reviewing, disabling, and removing accounts. These logs are reviewed monthly by management in an effort to detect any unusual or unauthorized activity.
WHD has an established Incident Response and Reporting procedure that requires users to promptly report known or suspected unauthorized use or disclosure of user-IDs and/or passwords, misuse of computer resources, security violations, or unusual occurrences to appropriate authorities.
OCIO GSS has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall
Privacy Impact Analysis
The implementation of security controls as described above represents a defense in depth approach to providing adequate protection of all sensitive information contained in the system including PII. These controls are effective in preventing unauthorized access to the system, detecting if a system has been compromised and responding to incidents in the event that a system compromise has been suspected.
What stage of development is the system in, and what project development life cycle was used?
All DOL major information systems are required to follow the computer security life cycle defined in the DOL System Development Life Cycle Management Manual (SDLCMM). Based on the SDLCMM the CMP-2001 system is in the Operations and Maintenance Phase (Phase IV).
Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
CMP-2001 utilizes only standard DOL approved technologies and protocols to allow users access to the system. Technologies which could raise significant privacy concerns such as peer-to-peer file sharing, remote and web access and others are not authorized for use with this system.
- Wage and Hour Division (WHD) has completed the PIA for Civil Money Penalty System (CMP-2001) which is currently in operation.
- WHD has determined that the safeguards and controls for this moderate system adequately protect the information referenced in Civil Money Penalty (CMP-2001) System Security Plan, dated March 13, 2013.
- Wage and Hour Division (WHD) has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.