Privacy Impact Assessment Questionnaire
WHD Civil Money Penalty System (CMPS) FY2012
The Wage and Hour Division (WHD) is an agency of the U.S Department of Labor (DOL). The WHD is responsible for administering and enforcing some of our nation's most comprehensive labor laws, including: the minimum wage, overtime, and child labor provisions of the Fair Labor Standards Act (FLSA); the Family and Medical Leave Act (FMLA); the Migrant and Seasonal Agricultural Worker Protection Act (MSPA); worker protections provided in several temporary visa programs; and the prevailing wage requirements of the Davis-Bacon Act (DBA) and the Service Contract Act (SCA). CMPS supports WHD in meeting its core business functions.
The Civil Money Penalty System (CMPS) is an automated data processing system developed for WHD to standardize Civil Money Penalty (CMP) processes throughout the country, consolidate debt collection activities in the Regional Offices, implement procedures for charging interest and penalties, negotiate Agreements, and issue Final Orders. This Privacy Impact Assessment is being conducted because CMPS contains PII.
The WHD, CMPS application is used to facilitate the collection of civil money penalties that are levied against employers who violate laws enforced by WHD. The CMPS application automatically accepts CMP cases from the Wage and Hour Investigative Support and Reporting Database (WHISARD) application and provides DOL staff in the RO with the capability of researching case information, logging checks into and out of the RO, processing payments, processing deposits, managing debts to the U.S. Treasury, disbursing overpayments back to the employer, printing letters, generating reports, and setting up and calculating installment plans.
The data used by CMPS is a part of the overall WHISARD database, which consists of a DB2 database and several different executables that access parts of the database. The WHISARD database, itself, contains several hundred tables with some specifically used only by CMPS.
The CMPS supports the Department's Strategic Goals of 1) preparing workers for good jobs and ensuring fair competition, 2) ensuring workplaces are safe and healthy, and 3) assuring fair and high quality work-life environments. The collection of civil money penalties through CMPS deters future violations and furthers the WHD mission of increased compliance, particularly in low-wage industries, of the statutes the WHD is mandated to enforce.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
CMPS collects Personally Identifiable Information (PII) on members of the public (U.S. Citizens) and foreign citizens.
What are the sources of the PII in the information system?
The PII is collected directly from individuals who are the target of a Wage Hour investigation for the possible violation of certain labor laws in the workplace and who have been assessed penalties for violations under one or more of eleven different labor law categories.
What is the PII being collected, used, disseminated, or maintained?
The collection, dissemination, and maintenance of PII in CMPS consist of the following:
- Social Security Number
- Business address
- Business e-mail address
- Business phone number
- Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
How is the PII collected?
PII is collected during the course of an investigation into the possible violation of certain labor laws in the workplace which WHD enforces and is collected directly from an employer who is the target of such an investigation. The PII information is normally provided on paper based source documents provided as evidence during the investigation.
How will the information be checked for accuracy?
PII is collected directly from the employer who is the target of the investigation and thereby is assumed to be correct. However, if circumstances exist where accuracy of the information is in question, verification is performed using tax records and public records.
What specific legal authorities, arrangements, and/or agreements defined the collection of information?
The CMPS system supports the following labor laws in the work place:
- FLSA (Fair Labor Standards Act - Section 6&7 Minimum Wage and Overtime)
- Child Labor
- MSPA (Migrant and Seasonal Agricultural Worker Protection Act)
- FMLA (Family Medical Leave Act)
- EPPA (Employee Polygraph Protection Act)
- H-1A (Provisions of the Immigration Nursing Relief Act)
- H-1B (Provisions of the Immigration Naturalization Act)
- H-2A(Provisions of the Immigration Reform Control Act of 1990)
- Homeworker (Provisions of the Fair Labor Standards Act)
- CREW (Longshore) (Provisions of Immigration and Naturalization Act).
Privacy Impact Analysis
While PII is collected, only the minimum information necessary to accomplish the mission is recorded and the information is collected directly from affected employees and/or employers.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
Describe all the uses of the PII
CMPS is designed to collect and track civil money penalties that are levied against employers who violate certain labor laws in the workplace. PII is collected by CMPS only when the EIN does not exist and when collected, it is used only for the purpose of transferring debts to the U.S. Treasury for collection and disbursing overpayments received from employers.
What types of tools are used to analyze data and what type of data may be produced?
There are no customized or specialized tools that are used to analyze data on Wage and Hour cases.
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No, CMPS is not designed to derive new information or create previously unavailable data about individuals.
If the system uses commercial or publicly available data, please explain why and how it is used.
This system does not use commercial or publicly available data.
Privacy Impact Analysis
The PII collected is used only for a very specific and limited purpose. It is not used for any form of analysis nor is any data derived from PII collected by CMPS.
The following questions are intended to outline how long information will be retained after the initial collection.
How long is information retained in the system?
In accordance with WHD record retention schedule NN-160-43, records will be retained for a minimum of 12 years.
This guidance is further enhanced by SORN DOL/ESA-36 which states:
- Electronic records are electronically archived; data tapes are retained for 25 years.
- Printed information generated by this system and retained in a Wage-Hour office will be disposed of as follows:
Printed information, concerning cases where violations were found, is disposed of 12 years after the date the case is closed. For cases where no violation were found, printed information is disposed of three years after the closing date.
Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
WHD record retention schedule NN-160-43 has been approved by the DOL agency records officer and the National Archives and Records Administration (NARA).
It should be noted that new schedules have been submitted to NARA for approval.
Privacy Impact Analysis
Data is retained in strict accordance with the WHD record retention schedule NN-160-43 and SORN DOL/ESA-36. Safeguards are in place for the data stored in the WHISARD database as well as the archived data which is maintained off-site in a vendor provided secure storage facility that meets or exceeds federal standards for physical access control.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
The CMPS system does not share PII information with any internal organizations.
How is the PII transmitted or disclosed?
The CMPS system does not transmit or disclose PII information with any internal organizations
Privacy Impact Analysis
There is no Privacy Impact with the CMPS system because it does not transmit, share or disclose PII to any internal organization.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
- U.S Treasury Debt Management System receives information on referred debts due the Government.
- U.S. Treasury Secure Payment System (SPS) is used to submit requests for the issuance of checks due to overpayment of penalties.
Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
Yes, sharing of PII outside of DOL complies with SORN PARN DOL/OCFO-2. The WHD has developed a PARN for WHFAS that is published by the SOL. CMPS is covered under the existing PARN for DOLAR$.
How is the information shared outside the Department and what security measures safeguard its transmission?
WHD shares information directly with the Department of the Treasury via Connect:Direct software. Connect:Direct is a vendor provided product that uses a proprietary protocol and encryption method which is FIPS 140-2 compliant.
WHD also shares information directly with the Department of the Treasury via their Secure Payment System (SPS) which is secured using a FIPS 140-2 validated SSL implementation.
Privacy Impact Analysis
PII is shared with the Department of the Treasury and only for the purposes of collecting debts owed the government and issuing checks due to overpayments. Two different methods are used to accomplish these communications and both are protected by FIPS 140-2 validated encryption solutions. No other information is shared electronically from CMPS. Memorandums of Understanding (MOU) and Interconnection Service Agreements (ISA) are in place between WHD and the Treasury that governs the electronic transfer data.
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
Was notice provided to the individual prior to collection of PII?
Yes. CMPS collects information only on employers and is provided directly to the WHD investigator by the employer who is the subject of the investigation. Notice to individuals is not provided since CMPS does not collect PII information on individuals.
Do individuals have the opportunity and/or right to decline to provide information?
Yes. The employer has both the opportunity and right at any time to decline to provide information. This does not apply to individuals since CMPS does not collect PII on individuals.
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No. Information is collected as a result of an investigation. It is used only for identifying the employer who is the target of the investigation and subject of the Civil Money Penalty. Due to the limited nature of its use, individuals are not provided an option for consenting to this use of the information
Privacy Impact Analysis
Due to the fact that the PII being collected is done so with the full knowledge and cooperation of the owners of that information, risk to privacy is greatly reduced.
Access, Redress, and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
What are the procedures that allow individuals to gain access to their information?
There are no procedures to allow individuals to gain access to their information. The CMPS application is an internal system that is accessed only by WHD employees or contractors for the purpose of conducting investigations and to assess Civil Money Properties. Access to the public is not allowed.
What are the procedures for correcting inaccurate or erroneous information?
Information is received directly from the employer who is the target of the investigation. For this reason, it is assumed that the information is correct and accurate.
How are individuals notified of the procedures for correcting their information?
Information is collected during the conduct of an investigation. It is used only for identifying the employer who is the target of the investigation and subject of the Civil Money Penalty. Due to the limited nature of its use, individuals are not provided an option for consenting to this use of the information.
If no formal redress is provided, what alternatives are available to the individual?
The publication of SORN DOL/ESA 36 addresses the procedure for correcting or updating information that is gathered. Individuals wishing to contest or amend any records should direct their request to the appropriate regional office. Such inquiries should include the full name of the requester and the date and amount of assessment. Information about district and regional offices for Wage Hour can be found by going to http://www.dol.gov/whd/about/whdabout.htm on the internet or by contacting the disclosure officer at the following address:
Administrator, Wage and Hour Division,
Room S-3502, Frances Perkins Building
200 Constitution Avenue, NW, Washington, DC 20210
Privacy Impact Analysis
PII collected during the conduct of an investigation is used only for identifying the employer who is the target of the investigation and subject of the Civil Money Penalty. Because it is an investigation into their potential violation of certain labor laws, employers are not provided access to their information nor do they have a right to consent. CMPS does not collect PII on individuals.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
What procedures are in place to determine which users may access the system and are they documented?
Procedures are in place that must be followed before allowing users access to the system. The process is designed to comply with the principles of least privilege and separation of duties as follows.
All DOL employees and contractors must undergo at a minimum a standard DOL background check. Users of the system must first complete the process for requesting and obtaining a DOL network account. Next, they will need to complete and submit the appropriate Wage Hour request form which identifies the system to which access is being requested along with their proposed role and or privileges. All requests for system access must be approved by the user's supervisor and the System Owner (SO) or SO representative. Separation of duties in enforced by requiring actions by both OWCP-DITMS account managers and WHD account administrators to complete the process before user access to the system is granted.
Will Department contractors have access to the system?
Yes, WHD contractors will have access to the system if required based on their assigned duties.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
WHD employees are trained to protect individual PII as part of the Computer Security Awareness Training (CSAT) and are required to agree to the DOL Rules of Behavior. In addition all new WHD investigators and support staff are trained to safeguard information as part of their Basic Training.
What auditing measures and technical safeguards are in place to prevent misuse of data?
Event logs are being used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found is NIST Special Publication 800-53.
WHD users must first login to the DOL/OWCP-DITMS-GSS network and only then would it be possible to login to CMPS. A separate ID and password is required for the user to login to CMPS. Event logs are designed to capture detailed information pertaining to both of these account activities as well as others such as establishing, activating, modifying, reviewing, disabling, and removing accounts. These logs are routinely reviewed by management in an effort to detect any unusual or unauthorized activity.
WHD has an established Incident Response and Reporting procedure that requires users to promptly report known or suspected unauthorized use or disclosure of user-IDs and/or passwords, misuse of computer resources, security violations, or unusual occurrences to appropriate authorities.
OWCP-DITMS-GSS has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall
Privacy Impact Analysis
The implementation of security controls as described above represents a defense in depth approach to providing adequate protection of all sensitive information contained in the system including PII. These controls are effective in preventing unauthorized access to the system, detecting if a system has been compromised and responding to incidents in the event that a system compromise has been suspected.
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
What stage of development is the system in, and what project development life cycle was used?
All DOL major information systems are required to follow the computer security life cycle defined in the DOL System Development Life Cycle Management Manual (SDLCMM).
Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?
The CMPS system utilizes only standard DOL approved technologies and protocols to allow users access to the system. Technologies which could raise significant privacy concerns such as peer-to-peer file sharing, remote and web access and others are not authorized for use with this system.
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
- Wage and Hour Division (WHD) has completed the PIA for Civil Money Penalty (CMPS) which is currently in operation. WHD has determined that the safeguards and controls for this moderate system adequately protect the information referenced in Civil Money Penalty (CMPS) System.
- Wage and Hour Division (WHD) has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.