United States Department of Labor
May 9, 2009

Secretary's Information Management System (SIMS)

Privacy Impact Assessment Questionnaire

Secretary’s Information Management System, also known as SIMS, is an Office of the Assistant Secretary of Administration and Management (OASAM) Major Information System (MIS).  The SIMS FOIA application is a department-wide system based on SIMS, with additional FOIA-specific features.  SIMS and SIMS FOIA share the same production database and are referenced with the same OASAM System ID, since they are one system from a security perspective.

The SIMS system is designed to support the Executive Secretariat and all supporting Correspondence Control Units (CCU) within the agencies of the Department of Labor (DOL) by providing a management tool for controlling correspondence addressed to the DOL, and particularly to the Secretary of Labor. The SIMS application enables users to collect metadata; track document compliance; send electronic email notifications; store images; and query, track, and report on all data.

Section 208 of the E-Government Act of 2002 requires Federal government agencies to conduct a Privacy Impact Assessment (PIA) for all new or substantially changed technology that collects, maintains, or disseminates personally identifiable information (PII). PII is defined as information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Overview

SIMS was developed in 2001 and has been operational since July 2001. SIMS is a web-based system designed to support the Executive Secretariat and all supporting Correspondence Control Units (CCU) within the agencies of the Department of Labor (DOL) by providing a management tool for controlling correspondence addressed to the DOL, and particularly to the Secretary of Labor. The SIMS application enables users to collect metadata; track document compliance; send electronic email notifications; store images; and query, track, and report on all data.

The SIMS FOIA application is a department-wide system based on SIMS, with additional FOIA-specific features.  SIMS and SIMS FOIA share the same production database and are referenced with the same OASAM System ID, since they are one system from a security perspective.  While SIMS and SIMS FOIA are components of the same system, they serve two user bases: SIMS serves the Executive Secretariat community, while SIMS FOIA serves the Office of the Solicitor community.  Users are thus accessing different components of the same system, via a SIMS or a SIMS FOIA URL.

SIMS provides a single DOL-wide correspondence system and supports electronic dialogue for clearance between the Executive Secretariat, peer offices, and within an organization. SIMS supports the modification of the current business model and eliminates the paper process.

The SIMS user roles, in order from highest to lowest privilege, are Administrator, Power User, and User.  Each role, in addition to its own privileges, has the privileges of every role below it.  The Administrator has system administrator privileges; the Power User has organization-wide privileges to add other power users as well as users; and the User can scan, view, and transfer correspondence.

SIMS FOIA supports the record-keeping aspects of the FOIA (5 USC 552) and the FOIA Amendment of 1996 by tracking requests and the number of days left to respond, and by providing reports for annual reporting.  SIMS FOIA eliminates manual and hardcopy tracking of FOIA requests because such requests are tracked and resolved online.

The SIMS FOIA user roles, in order from highest to lowest privilege, are Administrator, FOIA Coordinator, Power User, and User. Each role, in addition to its own privileges, has the privileges of every role below it.  The Administrator has system administrator privileges; the FOIA Coordinator can assign, process, and close FOIA requests; the Power User can add other offices, users, and power users; and the User can process and track requests.
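The two role ladders above (SIMS and SIMS FOIA) are a hierarchical role-based access control model: a role's effective privileges are its own plus everything inherited from the roles beneath it. The following Python is an added illustration of how such a hierarchy resolves, written for this page; it is not code from SIMS or DOL. The role names are taken from the descriptions above, while the permission labels (such as `request:close`) and the function names are assumptions chosen for the example. It also includes a least-privilege helper that returns the lowest role covering a set of required actions, which goes a step beyond the page's text.

```python
"""Hierarchical role resolution modelled on the SIMS / SIMS FOIA role ladders.

Added illustration, not DOL's or SIMS's code.  Role names come from the PIA;
permission labels and function names are assumptions for this example.
"""
from typing import Dict, FrozenSet, List, Optional, Set

# Role ladders, ordered highest -> lowest privilege exactly as the PIA lists them.
ROLE_HIERARCHY: Dict[str, List[str]] = {
    "SIMS": ["Administrator", "Power User", "User"],
    "SIMS FOIA": ["Administrator", "FOIA Coordinator", "Power User", "User"],
}

# Privileges each role holds *directly*; inherited privileges are computed,
# never stored, so the ladder in ROLE_HIERARCHY is the single source of truth.
# Labels are assumed (the PIA describes the actions in prose only).
DIRECT_PRIVILEGES: Dict[str, Dict[str, FrozenSet[str]]] = {
    "SIMS": {
        "Administrator": frozenset({"system:admin"}),
        "Power User": frozenset({"user:add", "poweruser:add"}),
        "User": frozenset({"correspondence:scan", "correspondence:view",
                           "correspondence:transfer"}),
    },
    "SIMS FOIA": {
        "Administrator": frozenset({"system:admin"}),
        # "process" is inherited from User, so only assign/close are direct.
        "FOIA Coordinator": frozenset({"request:assign", "request:close"}),
        "Power User": frozenset({"office:add", "user:add", "poweruser:add"}),
        "User": frozenset({"request:process", "request:track"}),
    },
}


def resolve_permissions(app: str, role: str) -> FrozenSet[str]:
    """Effective privileges: the role's own plus those of every lower role."""
    ladder = ROLE_HIERARCHY[app]
    if role not in ladder:
        raise ValueError(f"unknown role {role!r} for {app}")
    effective: Set[str] = set()
    for lower_or_equal in ladder[ladder.index(role):]:
        effective |= DIRECT_PRIVILEGES[app][lower_or_equal]
    return frozenset(effective)


def is_authorized(app: str, role: str, permission: str) -> bool:
    """Authorization check against the resolved (inherited) privilege set."""
    return permission in resolve_permissions(app, role)


def minimal_role_for(app: str, required: Set[str]) -> Optional[str]:
    """Least-privilege lookup: the lowest role whose effective set covers
    every required permission, or None if no role does."""
    for role in reversed(ROLE_HIERARCHY[app]):  # walk from lowest upward
        if required <= resolve_permissions(app, role):
            return role
    return None


if __name__ == "__main__":
    for app, ladder in ROLE_HIERARCHY.items():
        for role in ladder:
            print(f"{app:9} {role:17} -> {sorted(resolve_permissions(app, role))}")
    print("Lowest SIMS FOIA role that can assign requests:",
          minimal_role_for("SIMS FOIA", {"request:assign"}))
```

Because inheritance is derived from the ladder rather than copied into each role, adding a privilege to User automatically reaches every higher role, and an audit of "who can close a FOIA request" reduces to a call to `minimal_role_for`, which is the question a reviewer asks when granting accounts under a least-privilege policy.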

The SIMS system resides on the Employee Computer Network (ECN) and was designed as an Intranet application within the DOL to comply with the standards and guidelines put forth in the ECN and Departmental Computer Network (DCN) System Security Plan (SSP).  All systems and devices are physically located at DOL on the first floor in Room N1305. The OASAM Information Technology Center (ITC) offices are also located on the 1st floor. The entire building is occupied by DOL federal employees and contractor personnel and is not open to the general public. The database server operates Microsoft Windows Server 2003 SP2, and workstations run Windows XP SP2. The web server runs Windows Server 2003 SP2. SIMS is interconnected with the DOL internal backbone, the DCN, for Intranet access. SIMS also runs on SQL Server 2000 with SP4 plus the 2187 upgrade. Due to the nature of the information processed and stored on SIMS, security measures are implemented to prevent the potential for any unauthorized disclosure. The security software protecting all system resources is the built-in security of Microsoft Windows Server 2003. The anti-virus software protecting the SIMS servers is McAfee VirusScan Enterprise Edition version 8.0.

SIMS FOIA tracks requests from the public sent via postal mail.  The information collected by SIMS FOIA, such as first and/or last name, business address, personal phone numbers, personal e-mail address, and mailing address, is maintained in the SIMS FOIA database.

Introduction

Federal agencies are required by law to ensure the protection of the personally identifiable information (PII) they collect, store, and transmit.  With a thriving digital economy, agencies are collecting large amounts of personal information unlike ever before.  Instances of past abuse, misuse, and egregious errors in federal agencies’ management of personal information, combined with growing public concern about the U.S. Government’s ability to protect their private information, have increased congressional scrutiny and expectations for compliance with federal privacy laws and regulations.  Protection of the Government’s accumulation of this vast amount of personal information begins with the responsibility of federal employees at all levels and in all positions.
DOL is responsible for ensuring proper protection of the information contained within its information systems, including PII.  To that end, DOL uses the Privacy Impact Assessment methodology to evaluate whether a system containing PII meets legal privacy requirements.  This methodology, based on the evaluation of applicable law and executive branch guidance as well as internal policy, was the foundation for determining question sets and remediation guidance for developing the PIA Questionnaire that is to be applied to the Department’s information technology (IT) systems. The Privacy Impact Methodology and the PIA Questionnaire, used to implement this methodology, are detailed within this document, which serves as an introduction to the IT PIA and DOL’s privacy mission and principles and offers guidance on how to use the methodology and questionnaire.

Characterization of the Information

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.  

SIMS FOIA tracks requests from the public sent via postal mail.  The information collected by SIMS FOIA includes first and/or last name, business address, personal phone numbers, personal e-mail address, and mailing address.

The PII comes from public and internal DOL correspondence and from public FOIA requests to the Secretary.

First and/or last name, business address, personal phone numbers, personal e-mail address and mailing address.  The email address and personal phone numbers are optional.

The data is entered into SIMS via the web interface which enables users to collect metadata; track document compliance; send electronic email notifications; store images; and query, track, and report on all data.

Information is checked for accuracy through follow-up communication with requesters via phone call, standard mail, or email.

  • What specific legal authorities, arrangements, and/or agreements defined the collection of information?

Freedom of Information Act (FOIA), (5 USC 552) and the FOIA Amendment of 1996.
Section 208 of FISMA and the Privacy Act of 1974 require that, when developing or procuring IT systems or projects that collect, use, store, and/or disclose information in identifiable form from or about members of the public or agency employees (the latter prescribed by Section 522), agencies identify potential privacy risks and implement appropriate privacy controls and compliance requirements.
SIMS FOIA supports the record-keeping aspects of the FOIA (5 USC 552) and the FOIA Amendment of 1996.

Standard security (account, auditing, physical access) controls are in place to mitigate any risks.  For additional information, see SIMS SSP.

Uses of the PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Track correspondence request status and response.

No data analysis/tools used.

No.

Not Applicable

The system is characterized for confidentiality, integrity, and availability along with the high water mark; the type of information contained on the system is then identified; information-sharing practices are evaluated; and system controls for administrative, technical, and physical safeguards are assessed to ensure the system is adequately protected.  For more information see SIMS SSP.

Retention

The following questions are intended to outline how long information will be retained after the initial collection.

SIMS maintains PII information on a permanent basis.

The data is currently kept indefinitely, but physical and logical access controls on the server and database make the risk minimal.

Internal Sharing and Disclosure

The following questions are intended to define the scope of sharing within the Department of Labor.

No SIMS/SIMS FOIA information is shared.

No SIMS/SIMS FOIA information is transmitted.

No internal sharing of information.

External Sharing and Disclosure

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

No information is shared.

N/A

N/A

N/A

Notice

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Notice is published in Federal Register (DOL/OASAM-24).

The individual may decline to provide personal phone number and personal e-mail address.

No. Information is only used for the standard purpose of communications.

In accordance with Section 208 of FISMA and the Privacy Act of 1974, SIMS identifies potential privacy risks and implements appropriate privacy controls and compliance requirements; the SORN is published in the Federal Register.

Access, Redress, and Correction

The following questions are directed at an individual’s ability to ensure the accuracy of the information collected about them.

None. Individuals do not have direct access to the system.

Any corrections are done per individual request.

If a system user finds information that requires correction, notification may occur via phone or e-mail to the requestor of the information.

Individuals requesting information are contacted if additional information is needed by the Office of the Secretary, but there is no formal redress capability.  If a request is incorrect and no additional information can be obtained, the request has to be re-initiated by the individual and the old (incorrect) request will be deleted.

There is no additional risk in the redress process, as the public does not have direct access.

Technical Access and Security

The following questions are intended to describe technical safeguards and security measures.

The business customer enforces the account creation policy.  Maintenance of documentation rests with the customer.  Access Control Policy and Procedures are clearly described in the Rules of Behavior and Network Access documents that users must read and sign/acknowledge prior to gaining authorized access to SIMS system resources.

Yes

Federal and contractor personnel are required to complete refresher training annually. All users (including SIMS/SIMS FOIA users) are required to take the DOL annual Computer Based Information Security Awareness Training. Training materials are available on LaborNet.  In addition, all SIMS/SIMS FOIA users must acknowledge that they have read, understand, and agree to abide by the SIMS/SIMS FOIA rules of behavior before they are authorized access to the system.  There is no specific privacy training for SIMS currently.

The Office of Technical Services (OTS) regularly reviews and analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate personnel, and takes necessary actions.  Various teams within OTS review system and application logs daily; if an anomaly occurs, it is escalated in accordance with the OASAM SOP.

The information maintained is used only to track FOIA requests and the number of days left to respond, and to provide reports for annual reporting. The logical and physical access controls identified in the SIMS SSP mitigate the risks.

Technology

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.

The SIMS/SIMS FOIA system is in the Operations and Maintenance phase of the SDLCM.

No. The implementation of SIMS/SIMS FOIA is based on the evaluation of the applicable laws and the framework by which agencies can ensure that they have complied with all relevant privacy policies, regulations, and guidance, both internal and external to DOL.  For detailed information, refer to the latest version of the SIMS SSP.

Determination

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

OASAM has completed the PIA for SIMS/SIMS FOIA, which is currently in operation, and has determined that the safeguards and controls for this moderate system adequately protect the information referenced in the SIMS/SIMS FOIA System Security Plan (v2.0.2) change history dated January 14, 2008.
