Archives

Workplace Privacy: Equal Employment Opportunity Commission

By law, US federal agencies are required to ensure the protection of the personally identifiable information (PII) they collect, store and transmit. In light of the current digital environment, government agencies are collecting more and more personal information. Highly publicized events of abuse, misuse and inadvertent errors in agency management of PII has fueled public concern about the government’s ability to protect private or sensitive information. This has resulted in increasing scrutiny and compliance expectations regarding federal privacy laws and regulations, which affects federal employees at all levels.

This article takes a look at how the Equal Employment Opportunity Commission (EEOC) handles privacy issues.

EEOC Assessment System: Privacy Impact Assessment

The following laws and regulations establish specific requirements for the confidentiality, integrity and availability of the data processed, stored and transmitted by the EEOC Assessment System (EAS):

  • Computer Fraud and Abuse Act of 1984
  • Federal Information Security Management Act of 2002
  • OMB February 1996 Circular A-130, Appendix III
  • Paperwork Reduction Act of 1980
  • Privacy Act of 1974
  • Title VII of the Civil Rights Act of 1964
  • Equal Pay Act of 1963
  • Age Discrimination in Employment Act of 1967
  • Title I and V of the Americans with Disabilities Act of 1990
  • EEOC Order 240.005, EEOC Information Security Program
  • Information Security Responsibilities of EEOC Employees
  • EEOC Order 150.003, Privacy Act of 1974, as amended

This is what an EEOC privacy assessment would look like:

Data in the System

  • Generally describe the information to be used in the system in each of the following categories: complainant; company; EEOC employee; other.
  • What are the sources of the information in the system?
  • How will data collected from sources other than EEOC records and the complainant or company be verified for accuracy?
  • Are the data elements described in detail and documented? If yes, what is the name of the document?
  • How will the data be used by the agency? Who is responsible for assuring proper use of the data?

Access to the Data

  • Who will have access to the data in the system (e.g. users, managers, system administrators, developers, other)?
  • How is access to the data by a user determined? Are criteria, procedures, controls and responsibilities regarding access documented?
  • Will users have access to all data on the system or will the users’ access be restricted?
  • What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?
  • Do other systems share data or have access to data in this system? If so, explain. Who will be responsible for protecting the privacy rights of the taxpayers and employees affected by the interface?
  • Will other agencies share data or have access to data in this system (e.g. international, federal, state, local, other)?
  • How will the system ensure that agencies only get the information they are entitled to under applicable statutes or regulations?

Attributes of the Data

  • Is the use of the data both relevant and necessary to the purpose for which the system is being designed?
  • Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
  • If data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
  • How will the data be retrieved? Can it be retrieved by a personal identifier? If yes, explain. What are the potential effects on the due process rights of individuals: consolidation and linkage of files and systems; derivation of data; accelerated information processing and decision-making; use of new technologies. How are the effects to be mitigated?

Maintenance of Administrative Controls

  • Explain how the system and its use will ensure equitable treatment of individuals. If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
  • What are the retention periods of data in this system?
  • Is the system using technologies in ways that the EEOC has not previously employed?
  • Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
  • Under which Systems of Record notice (SOR) does the system operate?

An example of an EEOC Assessment System Privacy Impact Assessment may be found here.

Summary

By law, US federal agencies are required to ensure the protection of the personally identifiable information (PII) they collect, store and transmit. This article takes a look at how the US Equal Employment Opportunity Commission (EEOC) handles data to ensure that privacy laws and regulations are being respected.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:

  • US agencies regulating workplace privacy issues – Equal Employment Opportunity Commission (IV.A.b.iii.)
Share

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>