EXECUTIVE SUMMARY REPORT
INTRODUCTION TO THE PIA
Federal agencies are required by law to ensure the protection of the
personally identifiable information (PII) they collect, store, and transmit.
With a thriving digital economy, agencies are collecting ever-larger amounts of
personal information unlike ever before. Instances of past abuse, misuse, and
egregious errors in federal agencies' management of personal information,
combined with growing public concern about the U.S. Government's ability to
protect their private information, have increased congressional scrutiny and
expectations for compliance with federal privacy laws and regulations.
Protection of the Government's vast accumulation of personal information begins
with the responsibility of federal employees at all levels and in all
positions.
The Department of Labor (DOL) is responsible for ensuring proper
protections of the information contained within its information systems,
including PII. To that end, the Department developed a Privacy Impact
Methodology to assess whether a system that contains PII meets legal privacy
requirements. This methodology, based on the evaluation of applicable law and
executive branch guidance as well as internal policy, was the foundation for
determining question sets and remediation guidance for developing the PIA
Questionnaire that is to be applied to the Department's information technology
(IT) systems. The Privacy Impact Methodology and the PIA Questionnaire, used to
implement this methodology, are detailed within this document, which serves as
an introduction to the IT PIA and DOL's privacy mission and principles and
offers guidance on how to use the methodology and questionnaire.
Purpose
The Office of Inspector General (OIG) is responsible for ensuring the
confidentiality, integrity, and availability of the information contained
within its information systems. The OIG must at times collect, use, analyze,
and store Personally Identifiable Information (PII) from its employees and
customers. The OIG remains vigilant in protecting all its information
technology resources, but this is especially true of those systems containing
PII. Ideally, the PIA should be performed during the development phase of a
system life cycle. A PIA should also be conducted at any time when the system
is significantly modified, or the sensitivity of the data contained within the
system is changed.
A PIA is used to evaluate privacy vulnerabilities and risks, and their
implications on information systems. PIAs provide a number of benefits to
agencies that include enhancing policy decision-making and system design,
anticipating the public's possible privacy concerns, and generating confidence
that privacy objectives are addressed in the development and implementation of
single-agency or integrated information systems. The IT PIA Questionnaire
provides a framework by which agencies can ensure that they have complied with
all relevant privacy policies, regulations, and guidance, both internal and
external to the OIG.
Scope
A Privacy Impact Assessment was conducted on the OIG Major Application
System (e-OIG) in compliance with DOL, Office of the Chief Information
Officer's "Privacy Impact Methodology and Assessment", version 2.0, dated April
2004.
The e-OIG system (software) consists of a SUN Server with Solaris
Operating System with ORACLE applications. The e-OIG system consists of
multiple individual applications (sub components) that support OIG's mission.
The system is comprised of the following systems: Investigations, Subpoena,
Inspections and 1811 Time Sheet. The e-OIG is not a stand-alone resource and is
totally dependent on the OIG LAN/WAN to function. The Department of Labor,
Office of Inspector General's Major Application ( e-OIG) system is physically
housed in a Government-owned building located in Washington, DC. The entire
building is occupied by Department of Labor Civil Service and contractor
personnel and is not open to the general public.
PIA Approach
OIG's Privacy Impact Assessment Methodology:
- Consulted with system administrator and owner in an effort to obtain
the most accurate characteristics about the system. Past reports regarding the
system's security (such as certification and accreditation reports, system
security plan and risk assessments) was helpful in answering some question
sets, especially the administrative, technical, and physical controls
questions. Office Of Legal Services provided consultation for clarification of
Privacy Act-related compliance issues and interpretation of federal case
law.
- Determined what PII exits on OIG and DOL systems.
- Established OIG's PIA Questionnaire to determine what PII is
contained on the systems, how the PII is collected, handled, maintained,
updated, distributed, accessed, protected, and for what purposes. Responded to
DOL's PIA Questionnaire. The DOL Privacy Impact Assessment Questionnaire was
distributed and completed by the system owner and the System
Administrator.
- Assimilated responses into the OIG PIA.
PIA Results
- OIG is committed to provide a secure environment to protect the
integrity and confidentiality of the personal identifiable information that it
collects, stores, and accesses;
- OIG maintains in its records only such information about an
individual as is relevant and necessary to accomplish a purpose of the agency
required to be accomplished by statute or by Executive Order of the President;
- The collection of information is to the greatest extent practicable
directly from the subject individual when the information may result in adverse
determinations about the individual's rights, benefits, and privileges under
Federal programs;
- Access to and disclosures of PII maintained by the OIG are in
accordance with the requirements of the Privacy Act and applicable regulations,
and OIG procedures;
- Employees periodically receive privacy issues updates and reminders
to reinforce OIG's responsibilities and compliance with the information
collection requirements of the Privacy Act, and the handling, distribution, and
usage of PII;
- Only those authorized personnel with a "need-to-know" have access to
PII;
- All OIG audit, evaluation, and administrative staff must provide a
written notice when they solicit personal information directly from an
individual;
- OIG investigators conducting an authorized criminal or civil law
enforcement investigation are exempted from providing specific written notice
to the individual;
- Access to DOL and other outside systems that contain an individual's
PII, via the e-OIG and OIG LAN/WAN, must comply with federal, Department, and
OIG's regulations; and
- Individual's PII is used for the original intended purpose only. If
the data is to be used for another purposes than originally intended, then the
individual must be notified of the intent.
Summary
- OIG's privacy mission is to ensure the security and protection of
individual's personal identifiable information. Only authorized personnel, with
a need-to-know are granted access to PII.
- The PIA provides a tool to review and reinforce OIG's commitment to
protecting the confidentially, reliability, and integrity of all PIIs which are
collected, stored, and transmitted on the OIG's IT systems or other systems
which are assessed through the OIG system.
- A high degree of security for the system is considered mandatory.
The system contains information, which must be protected from unauthorized,
unanticipated, or unintentional modification. Controls are used that severely
restrict access to the operating system and applications.
- OIG restricts access to all PII to only those individuals who have a
need-to-know.
- Multiple User IDs and passwords are used for access to the OIG
systems and, in addition, the application (i.e., PeoplePower, Travel Manager,
etc.) may require another User ID and password for accessing the
application.
- OIG employees are informed of OIG privacy rules of conduct and other
applicable privacy laws for employees involved with the design, development,
maintenance, or operation of systems containing PII.
- OIG collects only the minimum and necessary PII from individuals, in
accordance with federal and regulatory mandates.
- OIG does not disclose, nor make available, PII, except with the
consent of the individual concerned, or by authority of law.
- OIG provides access to PII for review and a process for amending PII
in accordance with the Privacy Act of 1974.
- All reports and documents containing PII are picked up immediately
upon completion of printing.
- All obsolete hardcopies containing PII are shredded.
- OIG fully complies with policies and procedures concerning privacy
on DOL and OIG Internets and Intranets as prescribed in DLMS 9 - Chapter 1500,
Privacy Policy on Data Collection Over the DOL Web Sites, OMB Memorandum 99-18,
"Privacy Policies on Federal Websites, and OMB Memorandum M-00-13, 'Privacy
Policies and Data Collection on Federal Websites".
|