www.dol.gov/cio
November 5, 2008

Department of Labor Accounting and Related Systems (DOLAR$)

Abstract

The Office of the Chief Financial Officer (OCFO) owns and operates a system called DOLAR$ that contains PII.  The system consists of multiple subsystems that are used to process financial data.  This PIA is being conducted to satisfy the annual PIA requirement stipulated in OMB M-07-16.

Overview

The OCFO owns a system called DOLAR$.  This system is used as the System of Record for financial information for the Department of Labor, to process financial system data and generate the financial statements as required by law for reporting. 

DOLAR$ consists of hardware, software, human capital, business functions, business processes, informational inputs and informational outputs. In addition to its current SDLC phase, there are segregated development activities that support the refresh of DOLAR$. DOLAR$ is integral to the DOL mission, as it directly supports the following Federal Enterprise Architecture (FEA) Financial Management Line of Business (FMLoB) processes and functions:

 FMLoB Business Functions

  • General Ledger Management
  • Funds Management
  • Cost Management
  • Payments Management
  • Receipts Management

 FMLoB Business Processes

  • Management of General Ledger Structure & Transactions
  • Generation of Financial Statement & Reports
  • Support of budget execution
  • Evaluation of budget
  • Managerial Cost Accounting & Analysis
  • Management of Payments
  • Management of Payables and Accruals
  • Management of Receivables
  • Management of Treasury Execution

This system shares information with the Department of Treasury.

The DOLAR$ Authority to Operate was signed by the Designated Approving Authority in September 2007.

Introduction

DOLAR$ is used as the System of Record for financial information for the Department of Labor, to process financial system data and generate the financial statements as required by law for reporting. 

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.  

The system contains PII on DOL employees, contractors, and vendors.

PII is provided by vendors or contractors for the purpose of making payments to them.  PII is also fed into DOLAR$ from the following sources:

  • PeoplePower – payroll information related to Treasury payroll payments for Federal employees and contractors.
  • EGov Travel – Federal employee, contractor, and vendor information related to travel.  When vendors, contractors, and consultants go on travel, they must first obtain authorization from the Department of Labor confirming that they may use the EGov Travel service and whether their expenses will be reimbursed.  If they are authorized, their information is added to EGov Travel and subsequently transferred to DOLAR$ for reimbursement.
  • EPMS – E-Procurement Management System.  This system is managed by OASAM, and OCFO is a user of it.  Vendor data from EPMS may contain PII and is transferred to DOLAR$ to process payments.

What is the PII being collected, used, disseminated, or maintained?

The PII collected consists of first and/or last name, SSN, residential address, personal phone numbers, mailing address, and financial account information and/or account number.

This information is collected from vendors or contractors via invoices, and through the interfaces with EGov Travel, EPMS, and PeoplePower.

How will the information be checked for accuracy?

No reconciliation of PII is performed unless problems arise with payments.  Vendors, contractors, and federal employees are given no means to verify that the information they provided is accurate, and the information they provide is not cross-checked against any external databases.

What specific legal authorities, arrangements, and/or agreements defined the collection of information?

PII is required to make some payments.  Collection of this information is legally required to meet the requirements of the Prompt Payment Act.

Privacy Impact Analysis

The privacy risks are minimal because the information is transmitted only to other government agencies as required for payments.  All communication to and from DOLAR$, including the user interface, is either already protected, or in the process of being protected, by 128-bit or higher SSL/TLS encryption.  Information received via invoices is entered by a government employee or by a contractor working for the government.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

PII is used to pay invoices and DOL employees.  The vendor, consultant, contractor, or employee must have provided goods or services to receive payment.

What types of tools are used to analyze data and what type of data may be produced?

Online analytical processing and reporting tools are used to support the financial statements.  PII is not used in this analysis or in the reporting that supports the financial statements.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No.

The system does not use commercial or publicly available data.  

DOLAR$ and the DOLAR$ interfaces can only use the data to make payments to vendors, contractors, and DOL employees.  DOLAR$ and its interfaces are not externally accessible.  All DOLAR$ users receive training on the appropriate uses and handling of PII within DOLAR$.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

DOLAR$ data is retained for 6 years and 3 months after the close of the fiscal year involved, in accordance with the DOL Records Management Handbook and federal retention requirements (Federal Records Act of 1950, 5 USC 301).

Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

Yes, the DOLAR$ system is covered by NARA General Records Schedule 7.

The data is stored on archival tapes to meet the retention requirements.  These tapes are password protected, and the off-site tapes used to meet retention requirements are stored at a vendor-provided secure storage facility that meets federal standards for physical access controls.  Off-site tapes are retained for no less than 6 years and 3 months.  The data currently in use is stored in the SunGard data center room, where physical access is monitored and controlled.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

Detailed financial transaction information is shared with the DOL National Office, agency offices, and the OASAM regional offices for the purpose of financial reporting on behalf of the federal employee or contractor, for example reporting W-2 wages and workers' compensation to the IRS.

Detailed financial transaction information is shared electronically with the DOL National Office, agency offices, and the OASAM regional offices for financial reporting over SSL/TLS-secured protocols.

Privacy Impact Analysis

All communications to and from DOLAR$ are either already protected, or in the process of being protected, by 128-bit or higher SSL/TLS encryption.  Encryption provides confidentiality and integrity of the data during transmission.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

DOL shares information with multiple external organizations.  Please refer to the SORN, DOL/OCFO-2 (link provided below), for information on the PII that is shared and for what purpose.  The uses of that data, and the parties outside the Department of Labor to which it may be transmitted, are as follows.

A. Transmittal of the records to the U.S. Treasury to effect issuance of payments to payees.

B. Pursuant to section 13 of the Debt Collection Act of 1982, the name, address(es), telephone number(s), social security number, and nature, amount and history of debts of an individual may be disclosed to private debt collection agencies for the purpose of collecting or compromising a debt existing in this system.

C. Information may be forwarded to the Department of Justice as prescribed in the Joint Federal Claims Collection Standards (4 CFR Chapter II) for the purpose of determining the feasibility of enforced collection, by referring the cases to the Department of Justice for litigation.

D. Pursuant to sections 5 and 10 of the Debt Collection Act of 1982, information relating to the implementation of the Debt Collection Act of 1982 may be disclosed to other Federal Agencies to effect salary or administrative offsets.

E. Information contained in the system of records may be disclosed to the Internal Revenue Service to obtain taxpayer mailing addresses for the purpose of locating such taxpayer to collect, compromise, or write off a Federal claim against the taxpayer.

F. Information may be disclosed to the Internal Revenue Service concerning the discharge of an indebtedness owed by an individual.

H. Information will be disclosed:

Yes, see SORN DOL/CFO-2, summarized above, or visit the following link: http://www.dol.gov/_sec/regs/fedreg/notices/2002040801.htm

OCFO shares information directly with the Department of the Treasury via Connect:Direct.  Connect:Direct is a vendor-provided product that uses a proprietary protocol and encryption method; the encryption method is FIPS 140-2 compliant.  Other information shared with agencies external to the Department of Labor is provided in hard copy.

PII is shared with external organizations as required for those individuals to perform work for or on behalf of DOL.  Only communications to the Department of the Treasury use electronic means to transmit information from DOLAR$.  Electronic transmission of the data is protected by Connect:Direct, and the controls that secure that data are the responsibility of the Department of the Treasury.  Data transmitted to the Department of the Treasury can only be sent via Connect:Direct, which uses a proprietary protocol and encryption method.  No other information is transmitted by electronic means.

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Yes, written or oral notice is provided before PII is collected for making a voucher payment.

Yes, an individual may decline to provide PII; however, if the PII is not provided, the travel voucher will not be reimbursed.

Individuals do not have a right to consent to particular uses of the PII provided.

Either written or oral notice is provided to the traveler prior to the collection of PII.  PII is never collected without the awareness of the individual; therefore there is no risk of data being collected without the individual's knowledge and consent.

Access, Redress, and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

Per the SORN, individuals can access their information by contacting the system owner by mail.

Per the SORN, individuals can have inaccurate or erroneous information corrected by contacting the system owner by mail.

The written procedures for correction of the information are not provided to the individuals.

  • If no formal redress is provided, what alternatives are available to the individual?

However, because communication with the individual is necessary to collect the information, the individual can contact the Department of Labor to determine what procedures are available to correct the PII provided.

The risk identified is the lack of written procedures provided to the individual at the time PII is provided.  This risk is mitigated by the fact that the information is gathered directly from the individual by telephone, or is provided orally by another agency.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

Each user of DOLAR$ undergoes a standard DOL employee background check.  To gain access to the DOLAR$ application, the new user's supervisor must complete and sign an access form that specifies the new user's role.  The form is then reviewed by the lead accountant and/or the application security officer before the new user's account is created.  These procedures are documented in the OCFO Access Control Plan and the DOLAR$ System Security Plan, and are written to comply with NIST Special Publication 800-53 and DOL's Computer Security Handbook.

Yes, contractors have access to DOLAR$.  Contractors must have a National Agency Check with Inquiries to work at DOL, and must follow the same procedures as employees for gaining access to DOLAR$.

All DOL employees and contractors must complete annual DOL CSAT training on the safe handling and use of PII.  In addition, each user is provided with the Rules of Behavior at the time the account is issued.

System access is controlled and permitted only to authorized personnel.  Auditing and logging are performed for users accessing DOLAR$.  Periodic maintenance is performed to test and maintain the quality of these controls.  The security controls comply with NIST Special Publication 800-53.  As required by NIST Special Publication 800-37, all security controls are reviewed every three years, the system is certified and accredited, and independent audits are performed by the Office of Inspector General (OIG) on a periodic basis as determined by the OIG.

Risk is mitigated by auditing measures and technical safeguards: access is limited to authorized personnel, user access is audited and logged, and the controls are periodically tested and maintained, in compliance with the security controls stipulated in NIST Special Publications 800-53 and 800-37.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

The DOLAR$ system is currently in the operations and maintenance phase of the DOL system development life cycle.  The project development life cycle followed was the OASAM Systems Engineering Manual.

The system does not use technology that may raise privacy concerns.
           
Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

The Office of the Chief Financial Officer (OCFO) has completed the PIA for DOLAR$, which is currently in operation.  OCFO has determined that the safeguards and controls for this moderate-impact system adequately protect the information referenced in the DOLAR$ System Security Plan, v3.0, dated March 30, 2007.

OCFO has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.
