PRIVACY IMPACT ASSESSMENT

QuickHire

August, 12, 2004

Table of Contents

Overview of Federal Highway Administration (FHWA) privacy management process for QuickHire
Personally-identifiable information and QuickHire
Why QuickHire collects information
How QuickHire uses information
How QuickHire shares information
How QuickHire provides notice and consent
How QuickHire ensures data accuracy
How QuickHire provides redress
How QuickHire secures information
System of records

Overview of Federal Highway Administration (FHWA) privacy management process for QuickHire

Federal Highway Administration (FHWA), within the Department of Transportation (DOT), has been given the responsibility enhancing the highway movement of people and goods, while also ensuring the safety of the traveling public, promoting the efficiency of the transportation system, and protecting the environment.[1] One vital component involved in reaching those goals is finding and hiring the best people for the job. To manage this increasingly complex task while modeling frameworks described in the President’s Management Agenda and the Human Capital Standards for Success, the comprehensive framework prepared by the Office of Management and Budget, the Office of Personnel Management, and the General Accounting Office, FHWA is currently employing an automated human capital management tool – QuickHire.

The QuickHire system is a publicly available Web site[2] through which applicants can provide information, apply for jobs, and track status; and through which FHWA Human Resources (HR) personnel can process the receipt of applicants, rate and rank applicants, communicate internally with hiring authorities, notify applicants of status, and overall streamline the hiring process. Applicants may enter the QuickHire system through consolidated online government job boards, such as through www.usajobs.com. If an applicants requests to apply for a DOT job, that applicant’s Web browser is forwarded to the separate QuickHire Web site. As the federal government consolidates more of it HR activities, more or less of the ownership and control of QuickHire data and functionality may fall under the Office of Personnel Management.

QuickHire is a narrowly focused, volunteer-based communication vehicle and hiring information repository. QuickHire serves as a central point of HR communication up to the point of hire, and it increases efficiency and effectiveness by connecting the right people to the right jobs.

Privacy management is an integral part of the QuickHire project. DOT/ FHWA has retained the services of privacy experts to help assess its privacy management program, utilizing proven technology, sound policies and procedures, and proven methodologies.

The privacy management process is built upon a methodology that has been developed and implemented in leading companies around the country and globally. The methodology is designed to help ensure that DOT and FHWA will have the information, tools, and technology necessary to manage privacy effectively and employ the highest level of fair information practices while allowing FHWA to achieve its mission of protecting and enhancing a most important U.S. transportation system. The methodology is based upon the following:

Establish priority, authority, and responsibility. Appoint a cross-functional privacy management team to ensure input from systems architecture, technology, security, legal, and other disciplines necessary to ensure that an effective privacy management program is developed.
Assess the current privacy environment. This involves interviews with key individuals involved in the QuickHire system to ensure that all uses of personally identifiable data, along with the risks involved with such use, are identified and documented.
Organize the resources necessary for the project’s goals. Internal DOT/FHWA resources, along with outside experts, are involved in reviewing the technology, data uses, and associated risks. They are also involved in developing the necessary redress systems and training programs.
Develop the policies, practices, and procedures. The resources identified in the paragraph immediately above will work to develop an effective policy or policies, practices, and procedures to ensure that fair information practices are complied with. The policies will effectively protect privacy while allowing DOT/FHWA to achieve its mission.
Implement the policies, practices, and procedures. Once the policies, practices, and procedures are developed, they must be implemented. This involves training of all individuals who will have access to and/or process personally identifiable information. It also entails working with vendors to ensure that they maintain the highest standard for privacy while providing services to the FHWA project.
Maintain policies, practices, and procedures. Due to changes in technology, personnel, and other aspects of any program, effective privacy management requires that technology and information be available to the privacy management team to ensure that privacy policies, practices, and procedures continue to reflect actual practices. Regular monitoring of compliance with privacy policies, practices, and procedures will be required.
Manage exceptions and/or problems with the policies, practices, and procedures. This step involves the development and implementation of an effective redress and audit system to ensure that any complaints can be effectively addressed and corrections made if necessary.

Personally-identifiable information (PII) and QuickHire

The QuickHire system uses both PII and non-PII data from and about volunteer Web site applicants. Using the QuickHire Web site, applicants may:

Voluntarily set up a profile that includes name, date of birth, social security number, phone number, email address, citizen/military service/veteran status, and a resume that may also contain Personally Identifiable Information (PII). In addition, applicants set up a password and secret question for continued access to their PII.
Apply for jobs.
Access any provided personal information and change profile information, including changing contact information.

FHWA uses PII submitted through QuickHire to screen individuals for job postings, assist in automating the hiring process, and communicate with applicants.

Why QuickHire collects information

QuickHire’s goal of linking applicants with federal jobs demands some degree of information collection and sharing, by definition. With this in mind, applicants volunteer to share PII through the QuickHire Web site so that FHWA HR and hiring professionals may assess their qualifications and consider them for applicable positions. Also, FHWA uses PII in QuickHire to contact references, verify applicant statements, and facilitate communication with applicants.

How QuickHire uses information

Information in an identifiable form is used to provide FHWA and volunteer applicants with an enhanced, efficient hiring process. FHWA does not use PII in QuickHire for any purposes outside of the hiring process.

The QuickHire system collects PII only with express permission of users, and only for activities associated with the hiring process. FHWA does not use QuickHire PII in any other way. If it is determined that this is a Privacy Act system of records, the Act’s statutory exemptions and DOT’s General Routine Uses will permit other uses of information in the system. At any time, a user may elect to withdraw from receiving emails.

How QuickHire shares information

FHWA HR professionals and officials responsible for making hiring decisions may have access to all or some of the PII that QuickHire contains. During the selection process, these personnel may share data contained in QuickHire with training facilities and organizations deciding claims for retirement, insurance, unemployment or health benefits. FWHA does not share QuickHire personally-identifiable information in any other way.

How QuickHire provides notice and consent

QuickHire provides a “layered” system of notices. First, the QuickHire system provides visible links to a Privacy Policy that describes privacy practices and information uses. In the future, QuickHire may provide links to Web sites outside of DOT/FWHA. In these cases, QuickHire will provide a pop-up window that informs a user that he or she is leaving the site and that different privacy practices may apply.

As an applicant is creating a profile, QuickHire provides the opportunity for the applicant to select his or her notification preferences.[3]

How QuickHire ensures data accuracy

QuickHire allows users to access PII, change that information, and request complete deletion from the QuickHire database at any time. Applicants access their own PII through the QuickHire Web site, which authenticates applicants through applicant-provided online ID or email address and password.

If an applicant has provided a non-functional email address, a FHWA HR user or System Manager contacts that applicant by phone or postal letter, requesting that he or she update the email address. In addition, if during the hiring process a FHWA HR user or System Manager realizes that an item of PII is incorrect, he or she may request that the applicant change the information online, or may make the change him or herself.

How QuickHire provides redress

At any time, a user may request, through email, to request privacy practices be reviewed. This contact information is provided in the Privacy Policy, posted visibly on the Web sites.

How QuickHire secures information

The QuickHire system is housed in Rockville, MD, in a facility run by QuickHire. Physical access to the QuickHire system (Web server) is limited to appropriate personnel through building key cards and room-access key pads.

In addition to physical access, electronic access to PII in QuickHire is limited according to job function. FHWA controls access privileges according to the following roles:

Applicant
HR User
Selection Official
System Manager

The following matrix describes the privileges and safeguards around each of these roles as they pertain to PII.

ROLE	ACCESS	SAFEGUARDS
Applicant	Creates own profile Accesses and change own profile information Changes own password Applies for jobs Views jobs and status	User-set email and password: Minimum 5-character length for password Secret question to change or remember password
HR User	Posts jobs Views aggregate Race/National Origin reports (no PII) Reviews or changes all applicant information, except for password and answer to secret question	HR Users are set up as users by System Managers and have two sets of passwords, one for the system and one for the database. The following safeguards apply: Passwords expire after a set period. Accounts are locked after a set period of inactivity. Minimum length of passwords is eight characters. Passwords must be a combination of uppercase, lowercase, and special characters. Accounts are locked after a set number of incorrect attempts.
Selection Officials	Views all of applicant record as sent by HR User. The applicant record may include name, social security number, citizen status, DOB, home address, phone, resume and all included information, and answers to qualifying questions	Selection Officials have only temporary access to applicant information, and only to applicants that the HR User has determined are possible job candidates. A temporary password provides read-only access, and the password expires when an HR User closes the job case.
System Manager	Views and changes all information, including password and answer to secret question.	System Managers have two sets of passwords, one for the system and one for the database. The following safeguards apply: Passwords expire after a set period. Accounts are locked after a set period of inactivity. Minimum length of passwords is eight characters. Passwords must be a combination of uppercase, lowercase, and special characters. Accounts are locked after a set number of incorrect attempts.

System of records

QuickHire is a Privacy Act System of Records, as it is searched by name and unique identifier. The applicable Privacy Act System of Records notice is: OPM/GOVT-5, Recruiting, Examining, and Placement Records.FHWA has certified and accredited QuickHire under DOT requirements.

[1] Fiscal 2003 Performance Plan; http://www.fhwa.dot.gov/reports/2003plan/index.htm

[2] http://www.fhwa.dot.gov/vacancy/roads.htm

[3]

1. I would NOT like to be notified by email about new job postings.

2. I would like to be notified by email about ALL new job postings.

3. I would like to be notified by email about new job postings that meet my specified email notification criteria.
(Email notification criteria will be selected on the next page.)