|November 5, 2008|
E-Procurement System (EPS)
EXECUTIVE SUMMARY REPORT
INTRODUCTION TO THE PIA
Office of the Secretary for Administration and Management (OASAM) at the U.S. Department of Labor (DOL) is sponsoring an initiative to provide the DOL acquisition management community with a modern, web-based E-Procurement system. Currently the project team is implementing a Commercial Off The Shelf (COTS) based procurement system. The solution is in the development stage, and there will be a Pilot release on July 1, 2003 across a selected group of DOL agencies. The Pilot will coincide with the shutdown of Purchase Request Information System (PRISM) as the E-Procurement system will replace the functionality of PRISM. The E-Procurement solution will be more innovative and efficient, will comply with legislative requirements, and will enable greater participation in government wide initiatives.
Purpose and Approach
The objective in conducting a Privacy Impact Assessment (PIA) is to determine if Personally Identifiable Information (PII) is collected, used, transmitted and/or stored by the E-Procurement system. In addition, the PIA addresses system and website privacy compliance issues. The PIA enables an assessment of the impact of potential privacy threats to information on the system. This PIA covers only the Pilot release of the E-Procurement system; each subsequent release (which includes additional functionality) will require the Project Team to conduct another PIA.
The PIA was performed by the Independent Review Team of the E-Procurement project using the guidelines established by DOL's Office of the Chief Information Officer in its Department of Labor Information Technology Privacy Impact Assessment Template. .
The core functionality of the web-based E-Procurement system can be divided into two primary areas: requisition processing and contract management. Requisition processing will automate the entire procurement cycle for micro and small purchases from initiation of the purchase request through closeout. Contract management functionality will support the full life cycle of a contract after receipt of the purchase request in the contracting office. This functionality encompasses solicitation development, contract award, FPDS reporting, contract administration processes, closeout and audit support. In addition to automating the procurement cycle, the system will provide robust data reporting, administration capabilities, and Federal Procurement Data System (FPDS) reporting.
Based on the responses to the PIA questionnaire, there are no high or medium risk privacy findings and three low risk privacy findings. These findings and remediation actions are discussed in this section.
High Risks: There are no high risks identified.
Medium Risks: There are no high risks identified.
Low Risks: The privacy assessment indicates that the E-Procurement system contains three instances of PII, and all three pose only a low risk privacy impact. The risks are described as follows:
1) The use of name as PII within the system - In some cases, the system may contain the names of individuals related to the procurement process. For example, the system may contain the name(s) for individual contact people at a particular vendor. This form of PII poses only a low risk as the names will not be shared with other departments. Furthermore only authorized personnel will have access to these names-in the case of a requisition containing a vendor contact name, only the requisitioner, approvers, contract officers, and system administrators will have access to the name.
2) The use of a social security number as PII within the system-In very infrequent cases, the system may contain the social security number or tax identification number of individuals. For example, small-scale vendors, such as individual consultants, may use a personal social security number as the vendor tax number. A Privacy Act Systems of Records Notice (PARN) has been published in the Federal Register, which details the usage of a social security number as PII in DOLAR$ under DOL/OCFO-2. Since the E-Procurement system's vendor database will be created from the vendor data DOLAR$ and PRISM, the E-Procurement system's usage of a social security number as PII is covered by the PARN for DOLAR$. Therefore, this usage of PIA poses only a low risk as the frequency will be extremely low and a relevant PARN has already been filed.
The only exception to the case above is the infrequent scenario in which a requisitioner needs to procure a good or service from a new vendor. In this case, a system administrator will need to create a vendor profile in the system. Again, this situation poses only a low privacy risk as the system administrator will be trained to use a standard process for obtaining the data from the vendor. The vendor will also be notified of the risk of using a individual social security number as the vendor tax number.
As an additional note, the usage of a social security number as PII will be obsolete in late 2003 due to the introduction of the Business Partner Network (BPN). The General Services Administration is currently implementing the BPN initiative, which will require all vendors receiving payment from the United States government to obtain a Data Universal Number System (DUNS) number. Thus, as all vendors will need to obtain a DUNS to comply with the BPN initiative, there will be no instance of a vendor using an individual social security number for procurement activity with DOL.
3) The voluntary submission of PII through free form fields - As with many systems and websites, users may potentially submit PII voluntarily to the E-Procurement system via free-form response fields. In this case, the configuration of the field is free-form and will not restrict users from inputting PII. For example, a requisitioner may include an individual's name as PII in the following comment, "The goods were purchased through Rose Jones rather than through the usual contact person, John Henry." To mitigate or reduce the frequency of voluntary PII submissions, users will be trained not to include PII in the free-form fields. Summary
As with all information on the system, this occurrence of PII will be maintained in the system. However, there will be no method for searching or directly retrieving this PII via a search of the comments field. Thus, this form of PII is a low privacy risk as the PII is not retrievable. In addition, the database will be restricted to system administrators, further reducing the potential risk.
For the identified uses of PII in the system, mitigation actions are discussed below. These actions include:
The analysis contained in this PIA indicates that the E-Procurement system will pose only low privacy risks.