MSHA Standardized Information System (MSIS)

Abstract

Mine Safety and Health Administration (MSHA) Standardized Information Systems (MSIS) is a Major Application and is an n-tier, web-enabled database application, integrating all MIS applications into a single platform and common database. The system is designed to provide thin-client access to a central database through an application server for all authorized MSHA users to conduct transactions for data entry and data retrieval.  The purpose of the MSIS application is to provide information management support for activities conducted to achieve MSHA’s mission in protecting the safety and health of the nation’s miners. MSIS PIA is being conducted because of the personally identifiable information (PII) that is contained within this system.

Overview

MSHA Standardized Information System (MSIS) is a major application owned by MSHA’s Directorate of Program Evaluation and Information Resources (PEIR) (DOL Unique Identifier DOL-MSHA-MSIS-MA-001) is supported by the E-Gov a subsystem with module web interface; which is itself a collection of forms that is collected from the general public for dissemination and distribution once authenticated and approved. There are three levels of internal review prior to any submitted record being uploaded into the MSIS databases.

MSIS is an n-tier, Web-enabled database application, integrating all MIS applications (Penalty Assessment, Coal and Metal/Non-metal Enforcement and Qualification & Certification) into a single platform and common database.  The system is designed to provide thin-client access to a central database through an application server for all authorized MSHA users to conduct transactions for data entry and data retrieval, with the exception of eGov information which is sent through an approval staging process.

The primary function of MSIS is to support the DOL Quality Workplace Outcome Goal to Reduce Workplace Injuries, Illnesses, and Fatalities by providing information management support for enforcement activities conducted to achieve MSHA’s mission in protecting the safety and health of the nation’s miners.

MSIS collects and maintains information about mines, mine operations, miner and instructor qualifications and certifications, mine inspections, coal dust sampling management, infractions of mandatory safety and health standards, IAW mandatory standards, and provides information to assess alleged violations against mine operators and independent contractors. The application is accessible to many of the MSHA program area offices via agency’s intranet.

MSIS is also providing the information to the US Treasury from the MSIS application such as Penalty Assessment, Coal and Metal/Non-metal Enforcement and Qualification & Certification. The US Treasury updates are completed through the use of FTPS activities after verification and validation of the information within MSIS has been completed.

Introduction

Mine Safety and Health Administration (MSHA) Standardized Information System, also known as MSIS, is a MSHA Major Information System (MIS). MSIS was developed in 2001 and has been operational since 2001. MSIS collects and maintains information about mines, mine operations, miner and instructor qualifications and certifications, mine inspections, coal dust sampling management, infractions of mandatory safety and health standards, IAW mandatory standards, and provides information to assess alleged violations against mine operators and independent contractors.

Characterization of the Information

MSIS collects and maintains information about mines, mine operations, miner and instructor qualifications and certifications, mine inspections, coal dust sampling management, infractions of mandatory safety and health standards, IAW mandatory standards, and provides information to assess alleged violations against mine operators and independent contractors.

• What are the sources of the PII in the information system?

Social Security Administration, MSHA Training Facility, US Mining Community

• What is the PII being collected, used, disseminated, or maintained?

MSIS collects Name, Date of Birth, Social Security Number (or other number originated by a government that specifically identifies and individual), Mailing Address, Phone Numbers (e.g., Phone, Fax and Cell), Certificates (e.g., Birth, death, and Marriage), Email Address, Education Records, Tax ID, Employer ID, Authorized Representative #, Right of Entry #. The information is used in the determination and assessment of alleged violations against mine operators and independent contractors.

• How is the PII collected?

On line, i.e., webpage submission of form, faxed in of these forms, or mailed in forms that have to be entered into the MSIS manually by an MSHA authorized employee.

See E-Gov a subsystem with module web interface consists of forms that can be viewed at http://www.msha.gov/forms/forms.asp  of which there are four (4) forms that have PII data collected. The following is listing of the four (4) forms:

• Legal Identity Report (2000-7) 
• Mine ID Request (7000-51)
• Certificate of Electrical/Noise Training (5000-1) 
• Health Activity Certification or Hoisting Engineers Qualification Request Form (5000-41) 

• How will the information be checked for accuracy?

Prior to any information being inserted into the database, a staging series of authorizations takes place.

• What specific legal authorities, arrangements, and/or agreements defined the collection of information?

30 CFR

• Privacy Impact Analysis

There are compensating controls in place to prevent database contamination should nefarious acts be taken against the front-end website. The information has to be reviewed by at least three approving authorities prior to it being introduced and or uploaded into the appropriate database for further analysis and data manipulation. Data extracts are redacted of the PII prior to being released for public consumption.

Uses of the PII

• Describe all the uses of the PII

As part of the Mine Act and 30 CFR, MSHA uses the MSHA Standardized Information System (MSIS) to gather and manage some PII data.  The collection and management of this PII data is required in order to execute responsibilities delineated in the following sections of 30 CFR.  These include Part 48, Part 49, Part 50, Part 90, and Part 100.   Part 48 and 49 pertain to training, certification and qualification of miners for performing specified duties, both in Coal and Metal/Non-Metal mines.  Part 50 pertains to miner accident and injury reporting.   Part 90 involves identification and management of miners that have contracted black lung disease.  Part 100 involves assessment of civil penalties against violators.   In the case of Part 100, the collection of PII data pertains only to instances where the violator (mine operator or contractor) is a sole proprietor.  Collection of this information for assessment of civil penalties is also justified under the Debt Collection Act.

• What types of tools are used to analyze data and what type of data may be produced?

MSIS provides reporting and query facilities for users.  Access to the reports and queries are restricted to certain specified roles.   Roles are assigned to users with the approval of the Delegated Requestor who reviews the job description and current responsibilities of the individual to ensure that the roles being requested are consistent and justified. 
The reports are generated through online reports as well as batch reports.   A separate reporting tool is also used for some reports and queries.  In all cases, access to the PII data is restricted to authorized individuals.   When reports are generated, MSIS does log the user name and report as required by OMB 06-16. 
Data produced is in the form of printed reports, online reports, and data. 

• Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No

• If the system uses commercial or publicly available data, please explain why and how it is used.

MSIS collects and maintains information about mines, mine operations, miner and instructor qualifications and certifications, mine inspections, coal dust sampling management, infractions of mandatory safety and health standards, IAW mandatory standards, and provides information to assess alleged violations against mine operators and independent contractors

• Privacy Impact Analysis

There are submitting controls in place on the online forms themselves starting with the user community has to have an authenticated user ID and password in order to submit a form for consideration into the staging area, i.e., the approval process for upload to the database. The compensating controls have not allowing any direct access of the data into the backend database queries to take place. Only after the final authorized approval does data get loaded into the database. The three stages of review and approval have to be accomplished before upload of that record is permitted. No sequel injection into the backend database is directly possible through the staging of the data process that has been implemented. No direct data extracts from the database is allowed either. As the data is routed through approving authorities to ensure the recipient is permitted to receive the data in question.

Retention

• How long is information retained in the system?

7 years

• Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?

We are currently in the process of updating the retention schedule and obtaining approval for archiving MSIS data. 

• Privacy Impact Analysis

Data is retained in back up at the approved off site storage location under contract with a facility approved of by GSA for data retention of Federal records. The transport, distribution and rejuvenation of the data have been tested in accordance with Department policy as well as agency requirements to meet the Federal guidelines in this area. 

Internal Sharing and Disclosure

• With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

Only those systems that have been inculcated within the MSIS system and have a need to extract data from within a particular database have rights to read or write to that database. Not all systems within the MSIS system have the same privileges and it is on a case-by-case decision of the system owner and the business case that this decision is made.

• How is the PII transmitted or disclosed?

Information is transmitted internally through the appropriate calls to the appropriate database and is not allowed to be sent to a holding or staging area where it could possibly leave orphaned.

• Privacy Impact Analysis

Business case is written up any authorized for any requesting source for a resource for PII data within the MSIS system. That business case is reviewed and maintained in accordance with department policy. Calls to and from the databases are monitored through scripts designed to check for changes in database integrity by system administrators and are sent on a daily basis for review to the system administrators and at least one of the security team personnel for third-person review.

External Sharing and Disclosure

• With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Organization:    Dept of Treasury
Purpose:           Debt collection

• Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Collection of this data is covered by the Debt Collection Act.  MSHA transfers outstanding delinquent debt for payment of penalties to Dept of Treasury for collection.  Specifically, in the case of sole proprietorship mine operators and mine contractors, the tax ID number used would be the individual’s SSN.

• How is the information shared outside the Department and what security measures safeguard its transmission?

The data is transferred via secure FTP to Dept of Treasury.  Certification of transfer and processing is provided by Treasury.  The data is then handled consistently with other privacy data managed by that department. 

• Privacy Impact Analysis

The primary risks to MSHA are in data transmission to the Dept of Treasury.  MSHA transfers this data via secure FTP.  Treasury sends a notification that the data has been transferred safely and that it has been processed into their system.   

Notice

• Was notice provided to the individual prior to collection of PII?

Yes, there is a Privacy notice on the webpage as well as instructions for filling out of the forms prior to submitting; in one of four ways: online, facsimile, mail, or in person.

• Do individuals have the opportunity and/or right to decline to provide information?

Yes

• Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

30 CFR Part 48 and Part 49 require miners to get a certification in order to perform electrical work.   MSHA also requires miners to provide PII data in order to issues a certification as specified and in accordance with 30 CFR. Individuals submitting information and requesting certification are consenting to the propose use of their PII in order to obtain the certification. 

30 CFR Part 90 is the authority used to solicit privacy information from individuals who chose to participate in the Part 90 program.  This program is entirely voluntary. 

30 CFR Part 100 and the Debt Collection Act is the legal authority under which MSHA collects PII data from individuals who are sole proprietors as mine operators or contractors. 

The forms (paper and online) have clearly the privacy act notices displayed for all users to access and determine their individual rights in submitting PII data. 

• Privacy Impact Analysis

The privacy act notice is clearly displayed both in MSIS and online forms for external users.  We do use secure web server to display this data cannot be intercepted by a third party. 

Access, Redress, and Correction

• What are the procedures that allow individuals to gain access to their information?

Website access to the submitting party of the information they have on file is permitted and if the information of the user has a valid ID and selects Change online filing registration information. This provides the user a pop up form for entering their user name and password for accessing the information they previously submitted for correction.

• What are the procedures for correcting inaccurate or erroneous information?

Electronic filers may correct their information online as described above.  Employees of the MSIS conduct regular quality reviews to identify erroneous information and, upon review, may enter corrections. There are three stages of review prior to actual data going into the database and most if not every error is caught at one of these three levels.

• How are individuals notified of the procedures for correcting their information?

Once external individuals log in to the system, they do have the ability to change their PII information if they so choose.   Whenever individuals receive mailings from the system, they are furnished with instructions regarding contact information if data is incorrect.  This applies to both recipients of civil penalties and those receiving certifications or qualifications from MSHA

• If no formal redress is provided, what alternatives are available to the individual?

N/A

• Privacy Impact Analysis

Users have the ability to correct their privacy data online through the eGov registration process.  For information such as certifications that are provided to individuals, instructions are furnished with the mailings that specify who to contact when corrections are necessary.  Typically this would rely on contact over the phone or through the mail.

Technical Access and Security

• What procedures are in place to determine which users may access the system and are they documented?

A valid user name and password is used in the Active Directory, which is authenticated across the Domain to prevent those from other Domains from breeching the security of the system through the web interface.

• Will Department contractors have access to the system?

Yes

• Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

As annual awareness and training is provided through the DOL the user community is also given periodic updates through e-mails from the CIO reminding them of their responsibility in the area of privacy and privacy issues. MSHA also provides initial awareness and training before setting up new access account and require that the end user provide validation of the their taking of the initial training which is kept on file.

• What auditing measures and technical safeguards are in place to prevent misuse of data?

All authenticated and should the unlikely event a user acquires sign on privileges their activities are logged while they are on the system. Each entry into the system does not automatically get loaded into the backend databases. There are intermediate steps and precautionary steps, compensating controls in place to prevent the misuse of the system and infecting or disrupting of the system by nefarious acts of unauthorized or malicious users who are authorized to use the system.

• Privacy Impact Analysis

Given the three stage process prior to data upload, no direct access to the database by the external user community, the logging of user’s actions once they have been authenticated the controls are in place and function to ensure adequate measures have been taken to protect the PII of this system.

Technology

• What stage of development is the system in, and what project development life cycle was used?

The system is in Operations & Maintenance Phase. The DOL System Development Lifecycle Management Manual was used for the project development.  `

• Does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

No

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

MSHA has completed the PIA for MSHA Standardized Information System (MSIS) which is currently in operation. MSHA has determined that the safeguards and controls for this moderate system adequately protect the information referenced in MSIS System Security Plan, v7.4, dated 02/22/2008.

MSHA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.