|
|
|
 |
www.dol.gov/cio
|
 |
 |
 |
| November 5, 2008 DOL Home > CIO > Privacy Impact Assessments |
|
Mine Accident Injury and Employment System (MAIES) Abstract The Mine Accident Injury and Employment System (MAIES) a major application and a component of the Mine Safety and Health Administration (MSHA). MAIES collects, edits, updates, stores and reports information pertaining to mine operators and independent contractors working at mining operations, along with employment, accidents, injuries and fatalities chargeable to mine operators and contractors as defined in Part 50, 30 CFR and the system provides statistical information. MAIES PIA is being conducted because of the personally identifiable information (PII) that is contained within this system. Introduction The Mine Accident Injury and Employment System (MAIES) is owned by the Office of Injury and Employment Information (OIEI) of the Information Technology Center (ITC) and maintained by the Legacy Systems Branch (LSB) which is also part of ITC. The Mine Accident, Injury and Employment System (MAIES) accomplishes the functions that are authorized by 30 USC 819. MAIES collects, edits, updates, stores and reports information pertaining to mine operators and independent contractors working at mining operations, as well as employment, accidents, injuries and fatalities chargeable to mine operators and contractors as defined in Part 50, 30 CFR. The system also provides statistical information. This data provides MSHA timely information for making decisions on improving safety and health programs, improving education and training efforts, and establishing priorities in technical assistance activities in the mining industry. The primary uses of the records are (a) to determine probable cause of accidents, injuries, and illnesses and (b) to provide a statistical analytic data base for allocation of MSHA and other resources to reduce occupational injuries and illnesses. The accident and injury data maintained by MAIES is utilized to provide statistical information and is not reported for an individual. Reported information is not traceable to a specific individual. MAIES is a self contained system with data that is shared with MSHA Standardized Information System (MSIS) as MAIES is to be incorporated within the MSIS infrastructure at a future date. However, at this level of data sharing no PII information is shared between these systems. General: PL 93-579 (Privacy Act of 1974) December 31, 1974 Authority: Section 103 of Public Law 91-173, as amended by Public Law 95-164 Effects of Non-Disclosure: PL 93-579 Section 7(b). MSHA asks for the last 4 digits of the social security number, under authority of Section 103 of Public Law 91-173, as amended by Public Law 95-164. This personal identification, which is not unique to any individual, helps MSHA establish the accuracy and usefulness of the information from injury and illness records. The Department of Labor (DOL) is responsible for ensuring proper protections of the information contained within its information systems, including PII. To that end, the Department developed a Privacy Impact Methodology to assess whether a system that contains PII meets legal privacy requirements. This methodology, based on the evaluation of applicable law and executive branch guidance as well as internal policy, was the foundation for determining question sets and remediation guidance for developing the PIA Questionnaire that was applied to the Mine Accident Injury and Employment System. 30 CFR § 50.20 (a) Each operator shall maintain at the mine office a supply of MSHA Mine Accident, Injury, and Illness Report Form 7000-1. These may be obtained from the MSHA District Office. Each operator shall report each accident, occupational injury, or occupational illness at the mine. The principal officer in charge of health and safety at the mine or the supervisor of the mine area in which an accident or occupational injury occurs, or an occupational illness may have originated, shall complete or review the form in accordance with the instructions and criteria in §§50.20-1 through 50.20-7. If an occupational illness is diagnosed as being one of those listed in §50.20-6(b)(7), the operator must report it under this part. The operator shall mail completed forms to MSHA within ten working days after an accident or occupational injury occurs or an occupational illness is diagnosed. When an accident specified in §50.10 occurs, which does not involve an occupational injury, sections A, B, and items 5 through 12 of section C of Form 7000-1 shall be completed and mailed to MSHA in accordance with the instructions in §50.20-1 and criteria contained in §§50.20-4 through 50.20-6. (b) Each operator shall report each occupational injury or occupational illness on one set of forms. If more than one miner is injured in the same accident or is affected simultaneously with the same occupational illness, an operator shall complete a separate set of forms for each miner affected. To the extent that the form is not self-explanatory, an operator shall complete the form in accordance with the instructions in §50.20-1 and criteria contained in §§50.20-2 through 50.20-7. (Secs. 103(a) and (h), and 508, Pub. L. 91-173, as amended by Pub. L. 95-164, 91 Stat. 1297, 1299, 83 Stat. 803 (30 U.S.C. 801, 813, 957)) [42 FR 65535, Dec. 30, 1977, as amended at 44 FR 52828, Sept. 11, 1979; 60 FR 35692, July 11, 1995] Characterization of the InformationThe following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed. Members of the public (miners and/or people who are injured on mine property). PII is collected from submitted 7000-1 forms (a.k.a. Mine Accident, Injury Reports which contain accident/injury information), that are completed by mine operators and independent contractors. The PII collected consists of last name, date of birth and the last 4 digits of the Social Security Number. It is used and maintained for statistical purposes. 7000-1 forms (aka Mine Accident Injury Reports) are submitted either via hardcopy, facsimile or electronically by mine operators and independent contractors. Personal data collected is provided by the mine operator or contractor as obtained from the individual who is the subject of the data being collected.
PL 93-579 (Privacy Act of 1974) December 31, 1974 The MAIES is hosted by SunGard on an IBM mainframe computer located in Voorhees, New Jersey. The SunGard facility provides: • High availability in a fully secure data center System security is enforced through IBM's Resource Access Control Facility (RACF), a powerful security program that allows system administrators to implement the most stringent security policies. Following is a partial list of what RACF lets system administrators do: • identify and verify system users; Uses of the PIIThe following questions are intended to clearly delineate the use of information and the accuracy of the data being used. Indexed and filed by mine identification number and date of accident and injury occurrence or illness diagnosis. Accessed by programs that reference the following types of information:
Data stores on the IBM mainframe are accessed by authorized personnel using COBOL retrieval programs and reports. Some reports contain detailed information about specific accidents, illnesses, or injuries; others provide summarized statistical information. Information containing PII is restricted to those authorized to view it. These individuals have been trained on their duties and responsibilities of handling PII data and are given annual refresher training in this area. Data to outside parties is stripped of PII information and provided in text format.
N/A Uses data provided by mine operators and independent contractors. Computer safeguards and procedures developed by MSHA under GSA Circular E-34. Appropriate reports are marked with the Privacy Act warning. Only authorized personnel have access to files. RetentionThe following questions are intended to outline how long information will be retained after the initial collection. MSHA Forms 7000-1, Mine Accident, Injury, and Illness Report, are retained for 6 years after year of record and then destroyed. Electronic copies of these documents are retained by the Office of Injury and Employment Information permanently (older magnetic media is being converted to electronic media). Records in electronic media are transferred to NARA as permanent records immediately after each annual close-out.
Yes. Data retention is a requirement through NARA and the meeting of these requirements is necessary for the survivability of data once entered into the system. The data is held in the data back up system and continues to be accessible should there be cause for investigation of a particular case. Internal Sharing and DisclosureThe following questions are intended to define the scope of sharing within the Department of Labor.
No data from the MAIES system pertaining to PII is transferred to any other system within the MSHA domain. N/A N/A External Sharing and DisclosureThe following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
None.
N/A
N/A N/A NoticeThe following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information. Yes, Privacy Notification is located on the website, on form 7000-1 and in Part 50, 30 CFR. See http://www.msha.gov/privacy.htm on the main portal page or http://www.msha.gov/specdisc/70001-Disclaim.htm on the MSHA Form 7000-1 No. PII is required for employment. Mine operators and independent contractors are required to provide PII under Part 50, 30 CFR.
No. There are three ways to have forms submitted through for processing on the MAIES system. They are online, mail, or facsimile. Individuals deciding to provide this information online must first have a valid user account and password on the system. If this is the case these individuals have been instructed of their responsibility of keeping privacy data, including information pertaining to them, secured and transmit through the proper channels. On the initial webpage of there is the prerequisite posting of Privacy Statement required by the Privacy Act of 1974. DOL has also provided additional information in subsequent hyperlinks within this thread http://www.dol.gov/dol/privacynotice.htm to their requirements that MSHA must also meet in order to be in compliance with Federal mandates. This information is classified and correlated by category not by individual. There are specific procedures and guidelines for those within the public domain to request information contained within this system under the Freedom of Information Act. Access, Redress, and CorrectionThe following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them. Mine operators and independent contractors with a valid ID may view their information online. Individuals may obtain their own information by contacting the Chief of the Office of Injury and Employment Information (OIEI) in writing and providing specific information about the records sought, along with the following information:
Employees of the Office of Injury and Employment Information (OIEI) conduct regular quality reviews to identify erroneous information and, upon review, may enter corrections. Request for changes may also be submitted in writing to the Office of Injury and Employment Information (OIEI). Individuals requesting amendment to the record should contact the Chief of the Office of Injury and Employment Information (OIEI) in writing and furnish the following information:
How are individuals notified of the procedures for correcting their information? Mine operators and independent contractors are provided annual reports of the information they have provided, along with contact information for corrections. N/A – Correction procedures exist for correction of data. Correspondence requesting corrections are subject to the same procedures within the Office of Injury and Employment Information as initial submissions of form 7000-1. Technical Access and SecurityThe following questions are intended to describe technical safeguards and security measures.
Network and mainframe access for internal users is granted only upon written request of a supervisor and review by one of MSHA’s Delegated Requestors. Yes – as described for internal users above.
As annual awareness and training is provided through the DOL. The user community is also given periodic updates through e-mails from the CIO reminding them of their responsibility in the area of privacy and privacy issues. All users are authenticated prior to logon and access to the data. These General Support Systems employ security measures which are documented elsewhere. Internal access requires both a network and mainframe account. In addition, data update logs are provided to the Office of Injury and Employment Information daily for review. Typically within a system that has forms in use for submitting privacy data the end user has to take the onus upon them to determine the best practice or course of action for submitting this information in a timely manner as required by 30 CFR § 50.20. However, if the user community, i.e., the mine operators and independent contractors, do obtain their valid account and file on line the inherited controls of the MAIES system, which is a service provided by SunGard in Voorhees, NJ are exercised. SunGard has been authorized by the DOL to provide third party services to MSHA MAIES under contract and has maintained their certification of service for the past several years. Computer safeguards and procedures developed by MSHA under GSA Circular E-34. Appropriate reports are marked with the Privacy Act warning. Only authorized personnel have access to files. TechnologyThe following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology. Operations and Maintenance Phase
No – The PII in this system are protected by multiple layers of security including both mainframe and network. It is also protected by manual procedures within the Office of Injury and Employment Information (OIEI). DeterminationAs a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information? MSHA has completed the PIA for MAIES which is currently in operation. MSHA has determined that the safeguards and controls for this moderate system adequately protect the information referenced in MAEIS System Security Plan, v3.5, dated March 28, 2007. MSHA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.
|
||||||||
| ||||||||
