www.dol.gov/cio
November 5, 2008

e-OIG

EXECUTIVE SUMMARY REPORT

INTRODUCTION TO THE PIA

Federal agencies are required by law to protect the personally identifiable information (PII) they collect, store, and transmit. In a thriving digital economy, agencies collect more personal information than ever before. Past abuse, misuse, and egregious errors in federal agencies' management of personal information, combined with growing public concern about the U.S. Government's ability to protect private information, have increased congressional scrutiny and expectations for compliance with federal privacy laws and regulations. Protection of the Government's vast accumulation of personal information begins with the responsibility of federal employees at all levels and in all positions.

The Department of Labor (DOL) is responsible for ensuring proper protection of the information contained within its information systems, including PII. To that end, the Department developed a Privacy Impact Methodology to assess whether a system that contains PII meets legal privacy requirements. This methodology, based on an evaluation of applicable law, executive branch guidance, and internal policy, was the foundation for the question sets and remediation guidance of the PIA Questionnaire that is applied to the Department's information technology (IT) systems. Both the Privacy Impact Methodology and the PIA Questionnaire used to implement it are detailed in this document, which serves as an introduction to the IT PIA and to DOL's privacy mission and principles and offers guidance on how to use the methodology and questionnaire.

Purpose

The Office of Inspector General (OIG) is responsible for ensuring the confidentiality, integrity, and availability of the information contained within its information systems. The OIG must at times collect, use, analyze, and store PII from its employees and customers. The OIG protects all of its information technology resources, but systems containing PII warrant particular vigilance. Ideally, a PIA is performed during the development phase of the system life cycle. A PIA should also be conducted whenever the system is significantly modified or the sensitivity of the data it contains changes.

A PIA is used to evaluate privacy vulnerabilities and risks and their implications for information systems. PIAs benefit agencies by improving policy decision-making and system design, anticipating the public's possible privacy concerns, and generating confidence that privacy objectives are addressed in the development and implementation of single-agency or integrated information systems. The IT PIA Questionnaire provides a framework by which agencies can ensure that they have complied with all relevant privacy policies, regulations, and guidance, both internal and external to the OIG.

Scope

A Privacy Impact Assessment was conducted on the OIG Major Application System (e-OIG) in compliance with DOL, Office of the Chief Information Officer's "Privacy Impact Methodology and Assessment", version 2.0, dated April 2004.

The e-OIG system runs on a Sun server with the Solaris operating system and Oracle applications. It consists of multiple individual applications (subcomponents) that support OIG's mission: Investigations, Subpoena, Inspections, and 1811 Time Sheet. The e-OIG is not a stand-alone resource and is entirely dependent on the OIG LAN/WAN to function. The Department of Labor, Office of Inspector General's Major Application (e-OIG) system is physically housed in a Government-owned building in Washington, DC. The entire building is occupied by Department of Labor Civil Service and contractor personnel and is not open to the general public.

PIA Approach

OIG's Privacy Impact Assessment Methodology:

  1. Consulted with the system administrator and system owner to obtain the most accurate characteristics of the system. Past reports on the system's security (such as certification and accreditation reports, the system security plan, and risk assessments) were helpful in answering some question sets, especially the administrative, technical, and physical controls questions. The Office of Legal Services provided consultation on Privacy Act-related compliance issues and the interpretation of federal case law.
  2. Determined what PII exists on OIG and DOL systems.
  3. Established OIG's PIA Questionnaire to determine what PII is contained on the systems; how the PII is collected, handled, maintained, updated, distributed, accessed, and protected; and for what purposes. The DOL Privacy Impact Assessment Questionnaire was distributed to, and completed by, the system owner and the system administrator.
  4. Assimilated the responses into the OIG PIA.

PIA Results

  1. OIG is committed to providing a secure environment to protect the integrity and confidentiality of the personally identifiable information that it collects, stores, and accesses;
  2. OIG maintains in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by Executive Order of the President;
  3. Information is collected, to the greatest extent practicable, directly from the subject individual when the information may result in adverse determinations about the individual's rights, benefits, and privileges under Federal programs;
  4. Access to and disclosure of PII maintained by the OIG are in accordance with the requirements of the Privacy Act, applicable regulations, and OIG procedures;
  5. Employees periodically receive updates and reminders on privacy issues to reinforce OIG's responsibilities and compliance with the information collection requirements of the Privacy Act and with the handling, distribution, and usage of PII;
  6. Only authorized personnel with a "need-to-know" have access to PII;
  7. All OIG audit, evaluation, and administrative staff must provide written notice when they solicit personal information directly from an individual;
  8. OIG investigators conducting an authorized criminal or civil law enforcement investigation are exempted from providing specific written notice to the individual;
  9. Access to DOL and other outside systems that contain an individual's PII, via the e-OIG and OIG LAN/WAN, must comply with federal, Department, and OIG regulations; and
  10. An individual's PII is used only for its original intended purpose. If the data is to be used for a purpose other than the one originally intended, the individual must be notified of that intent.

Summary

  1. OIG's privacy mission is to ensure the security and protection of individuals' personally identifiable information. Only authorized personnel with a need-to-know are granted access to PII.
  2. The PIA provides a tool to review and reinforce OIG's commitment to protecting the confidentiality, reliability, and integrity of all PII that is collected, stored, and transmitted on OIG's IT systems or on other systems accessed through the OIG system.
  3. A high degree of security for the system is considered mandatory. The system contains information that must be protected from unauthorized, unanticipated, or unintentional modification. Controls are used that severely restrict access to the operating system and applications.
  4. OIG restricts access to all PII to only those individuals who have a need-to-know.
  5. Multiple user IDs and passwords are used for access to the OIG systems, and in addition an application (e.g., PeoplePower, Travel Manager) may require a further user ID and password for access to that application.
  6. OIG employees are informed of OIG privacy rules of conduct and other applicable privacy laws for employees involved with the design, development, maintenance, or operation of systems containing PII.
  7. OIG collects only the minimum necessary PII from individuals, in accordance with federal statutory and regulatory mandates.
  8. OIG does not disclose, nor make available, PII except with the consent of the individual concerned or by authority of law.
  9. OIG provides individuals access to their PII for review and a process for amending PII in accordance with the Privacy Act of 1974.
  10. All reports and documents containing PII are picked up immediately upon completion of printing.
  11. All obsolete hard copies containing PII are shredded.
  12. OIG fully complies with policies and procedures concerning privacy on DOL and OIG Internet and intranet sites as prescribed in DLMS 9 - Chapter 1500, "Privacy Policy on Data Collection Over the DOL Web Sites"; OMB Memorandum M-99-18, "Privacy Policies on Federal Websites"; and OMB Memorandum M-00-13, "Privacy Policies and Data Collection on Federal Websites".




