Privacy Impact Assessment - ETA - Registered Appreticeship Partners Information Data System System 2.0 (RAPIDS 2.0)

OVERVIEW

The mission of the Employment & Training Administration (ETA) is to contribute to a more efficient function of the U.S. labor market by providing high quality job training, employment, labor market information, and income maintenance services. ETA carries these out primarily through state and local workforce development systems.

To keep up with the needs of America's workforce, The Department of Labor (DOL) selected Appian as a cloud-based, Software as a Service (SaaS) Business Process Management (BPM) software product because of its strong capabilities to automate inefficient work processes and become the backbone of a modernized ETA IT infrastructure.

The ETA BPMP is a solution which serves as the cornerstone of a modernized ETA Technology Platform that provides the following capabilities:

Hosted within a secure, FedRAMP compliant cloud environment
Configurable workflows and reporting
Scalable to needed capacity
Easy for all users (administrators, designers, users, etc.) to use
Ability to integrate with existing ETA systems and data

This BPMP solution, commonly known as the "RAPIDS Platform", is a business process platform and hosts a set of essential ETA applications that support the daily activities and goals of the Office of Apprenticeship (OA). This platform includes the following components:

Registered Apprenticeship Partners Information Data System 2.0 (RAPIDS 2.0)

RAPIDS is a case management system that serves as the data collection point for all DOL Registered Apprenticeship Programs across the United States. This data includes the relevant Program-level information including program name, location, points of contact, occupations, wage scales, related technical instruction, start/end dates of the program, completion data, etc. The system also captures Apprentice-level data such as Apprentice names, addresses, phone and email addresses, social security numbers, demographic information, occupation and wage information, start/end dates of apprenticeships, completion data and certificates, etc. The system also defines various types of users and their roles in the system and manages access to the system via group assignments.

In addition to supporting data entry, the system has a number of vital reporting tools which allow the various users to search, filter, and export the Program- and Apprentice-level data, but to create and generate documents related to the oversight and administration of a Registered Apprenticeship Program.

There are a number of data sharing and data integrations related to RAPIDS data which help promote and support related tasks for DOL and other US Agencies, state agencies, and the apprenticeship community as a whole. These include:

Memorandum of Understanding (MOU) Data Sharing Extracts (Secure data download via encrypted .csv file by authenticated RAPIDS user)
Public Use File (aggregate data without PII in .csv format posted to Appenticeship.gov)
OA Apprenticeship.gov Integration (One-way API connection from RAPIDS)
OA Salesforce Instance Integration (Two-way data connection via API connection)
DOL Data Analytics Capabilities (DAC) Tool Integration (One-way API connection from RAPIDS)
United States Military Apprenticeship Program (USMAP) Data Integration (One-way data import from secure data transfer of .csv file into RAPIDS)
State Apprenticeship Agencies (SAA) Data Integrations (One-way data import from API connection or .csv file upload to RAPIDS)

Subsystems of RAPIDS 2.0

Standards Builder Tool: A public-facing, employer-driven, online program registration process that assists employers to gather all of the information needed to generate the registration packages for submission to the U.S. Department of Labor for federally recognized programs. OA and SAA staff review and approve program submissions via this system.
Apprenticeship Occupation Request Tool: A public-facing submission request form for the determination of apprenticeable occupations. OA staff manage, review, and approve requests through this system, including collection of industry reviews submitted by external users.
Verify My Apprenticeship Tool: A public-facing, self-service search tool used by apprentice and their future employers to receive and verify their apprenticeship transcript.
American Association of Community Colleges (AACC) Quarterly Reporting System (sunsetting 12/31/2022): A grants reporting system allowing individual grant holders to upload program and apprentice data for tracking and oversight by external grants managers.

This PIA is being completed due to the sensitive PII data captured in this system.

CHARACTERIZATION OF THE INFORMATION

From whom is information to be collected and what is the PII being collected?

The following PII Data is being collected, used, disseminated, and maintained for the following three categories:

DOL Employees and other Federal and State Employees, Grantees, and Contractors (for the purpose of account creation and authentication only):

First name
Last name
Business email
Business phone number
Digital signing or encryption certificate (for Federal and State Staff only)

Sponsor/Employers, Related Technical Instructors, and Grant Recipients (members of the public):

First name
Last Name
Business email
Business phone number
Business address
Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
Digital signing or encryption certificate

Apprentices (members of the public 16 years old and above):

Prefix or title, such as Mr., Mrs., Ms., Jr. Sr.
First name
Middle initial
Last name
Suffix such as Jr. Sr., etc.
Business or Personal email
Business or personal phone number
Date of birth
SSN
Military, immigration, or other government-issued identifier
Residential or mailing address (including but not limited to, P.O. Box)
Educational records
Race
Ethnicity

Why is the information being collected?

Data is being collected to allow the SAAs, State Directors (SDs), Regional Directors (RDs), and Apprenticeship Training Representatives (ATRs) to capture, manage, monitor, and track apprentice data in 50 states. It also allows the ATRs to monitor their workload and performance throughout the year and provides the SAAs, SDs, and RDs the access to their ATR' s information to view apprenticeship progress within their state or region. In the case of the AOR tool, PII is being collected for outreach to vetted Industry Reviewers who have agreed to participate in the Apprenticeable Occupation Determination Process.

How is the PII collected?

This data is entered in RAPIDS by OA/SAA ATRs and Program Sponsors/Employers via the following methods:

Hand-entry through web-based user interfaces
File upload and ingestion process through web-based user interfaces
Transfer between API connected systems
Data ingestion of .csv file using a custom script to write to the AWS database

How will the information collected from individuals or derived from the system be checked for accuracy?

The system performs range, type, and bounds checking on PII via the follow methods:

Data validation checks within the user interface during hand-entry
Data validation checks within the process models during data uploads
Review by Sponsors/Employers of their own data
Review and analysis of dashboard counts and data reports by OA Staff
Data analysis by external users with access to data via MOU Agreements
Audits performed by OA Staff
Audits performed by DOL Office of Inspector General (OIG)

What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?

Workforce Investment Act of (29 U.S.C. 2801 et seq.)
Section 303(a)(6) of the Social Security Act
FISMA
Privacy Act of 1974
OMB 7-16
RAPIDS-BPMP is enrolled in Ongoing-Authorization which assesses 1/3 of the controls on an annual basis

Purpose of PIA

This PIA document is being submitted in compliance with DOL's Privacy Guidelines and the Privacy Act System of Record Notice (SORN) for RAPIDS 2.0. A System of Records Notice (SORN) is a formal notice to the public that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (routine uses), and how to access and correct any PII maintained by DOL.

Privacy Impact Analysis

The risk to privacy is inappropriate handling or disclosure of PII, especially SSNs. Access controls mitigate the risk that data will be compromised. In addition, the SSN column is encrypted to ensure the confidentiality of this data element.

DESCRIBE THE USES OF THE PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

OA and SAA Staff use the data to monitor the core purpose of the programs – mainly, how many people found jobs due to training provided by these services? Did they stay employed? What were their earnings? Stakeholders are better able to derive solutions from the data, and improve services provided to the American job-seeker as needed. OA National Office users monitor these reports and data to set goals, identify funding needs, and create opportunities for growth.

MOU Agreements between SAA States and other Federal Agencies such as the Census Bureau all for the download of full of state-specific data to be used for analysis or populating other data systems.

The system collects SSNs for the Common Reporting Interchange System (CRIS). CRIS uses state and Federal Employment Data Exchange System (FEDES) and Wage Record Interchange System (WRIS) in generating reports. CRIS in turn provides common performance measures for the grant programs since the programs do not have the ability to collect the common measure outcomes, i.e. Entered Employment Rate, Retention Rate, and Average Earnings etc. on their own.

What types of tools are used to analyze data and what type of data may be produced?

Canned reports are generated for targeted reporting purposes and custom ad-hoc reports are available on all fields contained in the system. Both can be downloaded in .csv format for import into data analysis tools and systems.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

The system derives aggregate data from the collected information.

If the system uses commercial or publicly available data, please explain why and how it is used.

The system does not use publicly available data.

Privacy Impact Analysis

The following security controls have been implemented to prevent data from being compromised:

Encryption is utilized to manage the secure transfer of the Standardized Participant Information Record Data file, which contains SSNs.
The page for the file upload has Secure Socket Layer (SSL) enabled.
File encryption keys and password protected files are used for MOU data downloads
File encryption keys are used for API Integrations

RETENTION

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

Records are maintained indefinitely to allow historical analysis.

Is a retention period established to minimize privacy risk?

Records are maintained indefinitely to allow historical analysis.

Has the retention schedule been approved National Archives and Records Administration (NARA)?

There is no contract/agreement with National Archives and Records Administration (NARA).

Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?

Records are maintained indefinitely to allow historical analysis.

How is it determined that PII is no longer required?

PII is retained indefinitely for the purpose of historical analysis.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII.

SSNs are obscured except for the last four digits upon being submitted
Only select users have authority to download full data sets that include PII

Privacy Impact Analysis

Risks associated with the length of time data is retained include inadvertent disclosure of confidential information. These risks are mitigated by the implementation of the following controls:

Access to the data is strictly controlled through authenticated user roles
The BPM platform will only decrypt an encrypted text value by using a specialized EncryptedTextField in the browser. The value remains encrypted on the server and is only decrypted when displayed in this specialized field.
An encrypted text value remains encrypted when stored on the disk
The encryption key is unique to each installation of the platform
Data is secured in transit via HTTPS (TLS 1.2)

INTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII is not shared with internal organizations.

How is the PII transmitted or disclosed?

PII is transmitted to other OA controlled systems via API integrations using encrypted keys

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

PII is retained indefinitely for the purpose of historical analysis both internally and externally.

Privacy Impact Analysis

The internal DOL systems that RAPDS shares PII information with are all within the DOL boundary or are cloud-based instances that are controlled and governed by DOL/OCIO. The risks are minimized by utilizing APIs with encryption keys.

EXTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state, and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Information is shared with SAA states that have executed an MOU Agreement with DOL as a means to export their state's apprenticeship program and apprentice data for record keeping, analysis, validation, and import into their states' systems.
Information is shared with the US Census Bureau to allow them to perform analysis.
Information is shared with CRIS through Kansas Department of Commerce. BPMP provides data to Kansas for processing by CRIS. CRIS provides common performance measures for grant programs that do not have the ability to collect common measure outcomes i.e. Entered Employment Rate, Retention Rate, and Average Earnings. Kansas does not return SSNs but rather aggregate data that cannot be attributed to a particular individual.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Yes. Information collected is not altered prior to transmittal to recipients. ETA has MOU Agreements in place for all entities receiving PII data. In addition, a SORN has been published in the Federal Register.

How is the information shared outside the Department and what security measures safeguard its transmission?

The following controls are in place for sharing information externally:

Recipients must have an executed MOU Agreement.
System user accounts are created for individual recipients that require two-factor authentication using Login.gov.
Unique encryption keys are generated for each file downloaded from the system.

How is the information transmitted or disclosed?

PII is transmitted to authenticated users with MOU Agreements via a secure download feature utilizing unique encryption keys generated for each file.

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If the answer is yes, be prepared to provide a copy of the agreement in the event of an audit as supporting evidence.

Yes, MOU Agreements are required to be executed to allow the sharing of PII data.

How is the shared information secured by the recipient?

Data is download to the authenticated users targeted device within their boundary and a two-part encryption key comprised on of a unique string of characters and a four-digit pin number is required to access the data files.

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

DOL supplies rigorous hands-on training for SAA states utilizing RAPIDS. System documentation and user guides are also provided in addition to in-person technical assistance when requested.

Privacy Impact Analysis

Given the external sharing of data, ETA/OA identified privacy risks to include inadvertent disclosure of confidential information. For that reason, ETA established an MOU template to be used by state and federal entities requesting PII data.

NOTICE

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, please explain.

Yes, notice is provided to Sponsors, Employers, and individual Apprentices. PII is collected through OA/SAA ATRs, Sponsors, and Employers, not collected directly from the individual apprentices.

Do individuals have the opportunity and/or right to decline to provide information?

Yes, some data fields are optional.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

Individuals do not have to option to opt-out of how their data is used.

Privacy Impact Analysis

Sponsors, Employers, and individual Apprentices are notified that their data will become part of RAPIDS upon executing Program Sponsor and Apprenticeship Agreements (see Appendix C) and made aware that once their data is entered into RAPIDS it is considered the property of the US DOL. The system does flag optional versus required fields and has some "Participant Did Not Self-Identify" selection options for some select demographic data fields.

INDIVIDUAL ACCESS, REDRESS, AND CORRECTION

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

The following users can access the system via their authenticated account:

OA/SAA Staff and contractors have access to their own profile data.
Sponsor/Employers have access to their own profile data and point of contact data.

Apprentices do not have access to the system directly but can look up their Apprentice Transcript via the publicly accessible VMA Tool.

What are the procedures for correcting inaccurate or erroneous information?

OA/SAA Staff can update their own profiles and the data for Sponsors, Employers, and Apprentices
Sponsors and Employers can update their own profiles, point of contact data and apprentice data

How are individual is notified of the procedures for correcting their own information?

OA/SAA Staff, Sponsors, and Employers are provided hands-on training, user guides, and technical assistance.
Apprentices must contact their Sponsor/Employer.

If no formal redress is provided, what alternatives are available to the individual?

Individuals must contact the Office of Apprenticeship

Privacy Impact Analysis

Depending on a users' access level, they can either correct a data issue themselves or will need to escalate the request to OA/SAA Staff. Apprentices must seek remedy via their Sponsor/Employer or escalate to the OA/SAA Staff. Sponsors/Employers and Apprentices have the ability to decline to provide data for all optional fields.

TECHNICAL ACCESS AND SECURITY

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

OA/SAA Staff, Sponsors/Employers, DOL contractors, third party users, and entities with MOUs. Public users will be able to search Apprentice records via the VMA Tool.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

Yes, Appteon Inc. employees have access to the system under a DOL contract to provide development, O&M, technical assistance, and help desk services. A copy of the Contract Modification executed on November 17, 2022 between Appteon, Inc. and DOL is included in Appendix D.

Do the system use "roles" to assign privileges to users of the system? If yes, describe the roles.

System Admin
OA Admin
Regional Director
State Director OA
State Director SAA
ATR OA
ATR SAA
Sponsor
Employer
RTI Provider
Third Party User
Read Only User
Grants Manager
Grantee
YAI Contractor

(AOR Tool Specific)

Public Submitter
Team Lead
Industry Reviewer
Industry Intermediary
NASTAD
Deputy Director
Director
OA Administrator

What procedures are in place to determine which users may access the system and are they documented?

Account creation is dependent on the particular role:

System Admin accounts are created by the lead solutions architect and must be accompanied by a formal email request and signed rules of behavior document

OA Admin, Regional Director, State Director OA, State Director SAA, ATR OA, ATR SAA, Third Party Users, Read Only Users, and YAI Contract Accounts are created by the OA Admin and a request must be made via email

Sponsors can self-create accounts but cannot access their Program data until an ATR and State Director have approved and created their program. This is a formal process that is initiated via the Standards Builder Tool.

ATRs, SDs, RD, OA Admins can also create Sponsor Accounts upon email request.

ATRs, SDs, RD, OA Admins, and Sponsors can create Employer Accounts (no email request needed for Sponsors).

ATRs, SDs, RD, OA Admins, and Sponsors can create RTI Provider accounts (no email request needed for Sponsors).

System Admins can create Grants Manager accounts upon email request.

Grants Managers can create Grantee accounts (no email request needed).

(AOR Tool Specific)
Public Submitter can self-create accounts as part of the public-facing submission process

System Admin, Team Lead, and Deputy Director can create Team Lead, Industry Reviewer, Industry Intermediary, NASTAD, Deputy Director, Director, and OA Administrator accounts upon email request.

ATRs and Team Lead can create Industry Review accounts based on AOR Tool submission requests.

How are the actual assignments of roles and Rules of Behavior, verified according to established security and auditing procedures? How often training is provided? Provide date of last training.

User accounts and their associated roles are verified and tracked via the system's User Management panel. Additionally, the Appian platform provides an Admin Console with search capabilities to review and verify users and their role. OCIO also performs a periodic audit of user accounts to determine cost of Appian user licenses.
DOL staff and contractors are required to take annual LearningLink Trainings for security and privacy awareness. Contractors are required to take additional documents and information handling training. Rules of Behavior training is required of all DOL staff and contractors before they can access the site. Trainings happen on a rolling basis based on OCIO's schedule or a user's hire date.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

OA users take the following:

Rules of Behavior training course
Records & Information Management Training
Cybersecurity and Privacy Awareness Training
Information Systems Security and Privacy Awareness Training

All other users take the Cybersecurity and Privacy Awareness Training annually.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Data is encrypted in the database and an audit trail of activities performed on the database is tracked.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

The BPMP is a PaaS/SaaS platform built on Appian cloud-based technology and is hosted within a secure, FedRAMP compliant cloud environment. FISMA compliance and NIST controls are handled at the platform level. However, as part of the change request process, OCIO's Security Team does perform a Security Assessment and Authorization review of the deployment documentation and vulnerability scans prior to each two-week release.

Privacy Impact Analysis

Given the sensitivity and scope of the information collected, as well as any information sharing conducted on the system, privacy risks identified include inadvertent disclosure and misuse of confidential information. These risks are mitigated by the implementation of the following controls:

MOUs between DOL and external entities address key issues.
Encryption is used to transfer data via API or data download.
The page for the file upload has Secure Socket Layer (SSL) enabled but will not have third-party verification.
Files are password protected.
User accounts and their associated roles are verified and tracked via the system's User Management panel.
Appian platform provides an Admin Console with search capabilities to review and verify users and their roles.
OCIO also performs a periodic audit of user accounts to determine cost of Appian user licenses based on roles.
DOL users are required to use SSO to authenticate their account at sign on.
All user account that are inactive for 210 days will be automatically deactivated.
Security Training is required for all users annually
Privacy and Rules of Behavior Training is required for DOL staff and contractors annually

TECHNOLOGY

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The system was built from the ground up beginning in 2015.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

The system was built utilizing the best practices and governance guidance from the following:

DOL Office of Information Technology (OIST)
DOL OCIO
DOL Center of Excellence (COE)
DOL Privacy and Security Teams
ETA OA Program Guidance
Appian Inc.

What design choices were made to enhance privacy?

Restricting what roles can download information from the system
Leveraging the Appian platform processes for data encryption and obfuscation
Applying encryption and password protection to MOU downloads and API integrations
Utilizing role-based groups for user accounts
Using two-factor authentication and SSO for logins
Using automatic account deactivation for inactive accounts
Requiring Security and Privacy Training for users

For systems in development, what stage of development is the system in, and what project development life cycle was used?

The system is considered mature and is continuing to expand and adding new features and enhancements based on OA needs using Agile Scrum methodology, while still maintaining existing features and functionality in an O&M phase.

For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss their implementation?

The system does not employ technology which may raise privacy concerns.

DETERMINATION

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

ETA has completed the PIA for BPMP which is currently in operation. ETA has determined that the safeguards and controls for this moderate system adequately protect the information and will be referenced in ETA BPMP System Security Plan.
ETA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.