By law, US federal agencies are required to ensure the protection of the personally identifiable information (PII) they collect, store and transmit. In light of the current digital environment, government agencies are collecting more and more personal information. Highly publicized events of abuse, misuse and inadvertent errors in agency management of PII has fueled public concern about the government’s ability to protect private or sensitive information. This has resulted in increasing scrutiny and compliance expectations regarding federal privacy laws and regulations, which affects federal employees at all levels.
This article takes a look at how the US Department of Labor regulates privacy issues.
Department of Labor
The US Department of Labor (DoL) must appropriately protect the information contained within its information systems, including PII. In order to meet this objective, the DoL has developed a Privacy Impact Methodology to assess whether a system containing PII meets legal privacy requirements.
The DoL’s Methodology looks something like this:
Characterization of the Information
- What are the sources of the PII in the information system?
- What is the PII being collected, used, disseminated, or maintained?
- How is the PII collected?
- How will the information be checked for accuracy?
- What specific legal authorities, arrangements, and/or agreements defined the collection of information?
Uses of the PII
- Describe all uses of the PII
- What types of tools are used to analyze the data and what type of data may be produced?
- Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
- If the system uses commercial or publicly available data, please explain why and how it is used.
- How long is information retained in the system?
- Has the retention schedule been approved by the DoL agency records officer and the National Archives and Records Administration (NARA)?
- How is it determined that PII is no longer required?
- What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
Internal Sharing and Disclosure
- With which internal organization(s) is the PII shared, what information I shared, and for what purpose?
- How is the PII transmitted or disclosed?
External Sharing and Disclosure
- With which external organization(s) is the PII shared, what information is shared, and for what purpose?
- Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If not, describe under what legal mechanism the program or system is allowed to share the PII outside of the DoL.
- How is the information shared outside the Department and what security measures safeguard its transmission?
- Was notice provided to the individual prior to collection of PII?
- Do individuals have the opportunity and/or right to decline to provide information?
- Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
Access, Redress, and Correction
- What are the procedures that allow individuals to gain access to their information?
- What are the procedures for correcting inaccurate or erroneous information?
- How are individuals notified of the procedures for correcting their information?
- If no formal redress is provided, what alternatives are available to the individual?
Technical Access and Security
- What procedures are in place to determine which users may access the system and are they documented?
- Will Department contractors have access to the system?
- Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
- What auditing measures and technical safeguards are in place to prevent misuse of data?
- What stage of development is the system in and what project development life cycle was used?
- Does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.
An example of the DoL’s Privacy Impact Methodology in use may be found here.
US federal agencies are legally required to protect the personally identifiable information (PII) they collect, store and transmit. This article takes a look at how the US Department of Labor (DoL) regulates privacy issues.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- US agencies regulating workplace privacy issues – Department of Labor (IV.A.b.ii.)