OVERVIEW

The Occupational Safety and Health Information System 2.0 (OIS 2.0) is owned by the Office of the Chief Information Officer (OCIO), Office of the Assistant Secretary for Administration and Management (OASAM).

OIS 2.0 is a single comprehensive system for all program and regulatory practice as identified by OSHA. These areas include capabilities currently contained in the Enforcement Application, Consultation Application, and Compliance Assistance. The OIS 2.0 is a web-based solution that will give OSHA new, powerful analytical tools to help identify injury, illness and fatality trends at local and national levels. It will help support the direction of the agency set forth in OSHA's Strategic Management Plan.

OIS 2.0 is an integrated thin client automated solution for automating OSHA's business processes. OIS 2.0 is a web-based multi-tiered system supported by an Oracle database. OIS 2.0 bridges independent software stove pipes located at Federal and several external organizations that develop information for OSHA under contract. OIS 2.0 will use open-source technology, enabled by XML, to eliminate duplicative data entry by end users.

The system will be used by over 4,000 Federal and State employees, including 1,100 field investigators; 24 State OSHA programs; and consultation program users in each of the 50 states.

CHARACTERIZATION OF THE INFORMATION

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

OIS 2.0 collects and maintains information in identifiable form. OIS 2.0 PII data will not be available or disseminated to the public. All PII data related to Consultation and/or Enforcement data is redacted prior to being made public via the FOIA process.

From whom is information to be collected?

Data is collected from Employers and Employees where the inspection or the consultation visit is being conducted.

Why is the Information being collected?

The information is being collected as part of the inspection and/or consultation visit process. This information is a required part of the inspection or consultation visit.

What is the PII being collected, used, disseminated, or maintained?

The PII being collected includes first/last name, date of birth, home addresses, personal phone numbers, mailing addresses and email addresses, EIN/TIN for establishments.

How is the PII collected?

PII is collected during interactions with private business establishments and direct contact with individuals.

How will the information collected from individuals or derived from the system be checked for accuracy?

PII is checked for accuracy at the point of collection. As it has not been specified as a requirement, OIS 2.0 does not have the capability to provide manual or automated accuracy checks of PII data.

What specific legal authorities, arrangements, and/or agreements allow the collection of PII?

The Occupational Safety and Health Act of 1970 and Presidential Document, Executive Order 12196 of February 26, 1980.

Privacy Impact Analysis

Privacy risks in the OIS 2.0 are moderate and will be mitigated by implementation of granular access control to the data within OIS 2.0. Upon careful review of system design documentation, the OIS 2.0 Risk Assessment, Role Categorization and OIS 2.0 Wireframes, user roles were defined based on access privileges, data type accessed and role categorization. By mapping user roles to data accessed and user access rights, we were able to determine that the various transactions that might be conducted within the OIS 2.0 System have adequate controls implemented to ensure that privacy risks to the captured OIS 2.0 PII data are minimal.

The PII data captured within OIS 2.0 is primarily business contact information. The OIS 2.0 will implement all security requirements as identified by NIST 800-53 and the DOL Computer Security Handbook (CSH) for a moderate system.

DESCRIBE THE USES OF THE PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

The use of PII is limited within OIS 2.0. Most PII managed and maintained in OIS 2.0 is contact information for individuals at business establishments. Additional PII, specifically date-of-birth, or alternatively, current age, is collected on victims of workplace accidents within the Enforcement subsystems of OIS 2.0 to create summary reports on workplace accidents.

What types of tools are used to analyze data and what type of data may be produced?

OIS 2.0 will include reporting tools to provide managers essential information to manage their program areas at each organizational level including Consultation programs, State OSHA programs, Federal areas, regions, and national offices.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

OIS 2.0 will not derive new data, or create previously unavailable data, about an individual through aggregation of the collected information.

If the system uses commercial or publicly available data, please explain why and how it is used.

Publicly available data that may be used in OIS 2.0 includes NAICS/SIC codes and Zip Codes.

Any data on a business, i.e. its business environment, that is publicly available can be used to ascertain a complete profile for use in consults or investigations.

Will the use of PII create or modify a "system of records notification" under the Privacy Act?

The use of PII in the OIS 2.0 will not create or modify a "system of records notification" under the Privacy Act.

Privacy Impact Analysis

After reviewing system design documentation, the OIS 2.0 Risk Assessment, Role Categorization and OIS 2.0 Wireframes, user roles were defined based on access privileges, data type accessed and role categorization. By mapping user roles to data accessed and user access rights, we were able to determine that the various transactions that might be conducted within the OIS 2.0 System have adequate controls implemented to ensure that privacy risks to the captured OIS 2.0 PII data are minimal. The PII data captured within OIS 2.0 is primarily business contact information. The OIS 2.0 will implement all security requirements as identified by NIST 800-53 and the DOL Computer Security Handbook (CSH) for a moderate system.

RETENTION

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

OIS 2.0 facilitates retention of case files based on approved DOL retention schedule as described in OSHA directives 1474, 1475 and 1476, which can be for up to 30 years, i.e. Health Sampling. OIS 2.0 requirements state that the system shall retain OIS 2.0 user data at an offsite tape storage facility for a period of three years.

Is a retention period established to minimize privacy risk?

The retention period will be established by approval from NARA when the OIS 2.0 has received an approved schedule.

Has the retention schedule been approved by the National Archives and Records Administration (NARA)? No

Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?

The retention period will be established by approval from NARA when the OIS 2.0 has received an approved schedule.

Have you implemented the DOL PII Data Extract Guide for the purpose of eliminating or reducing PII?

The retention period will be established by approval from NARA when the OIS 2.0 has received an approved schedule.

How is it determined that PII is no longer required?

The retention period will be established by approval from NARA when the OIS 2.0 has received an approved schedule.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?

As we have no approval from NARA, the information cannot be eliminated.

Privacy Impact Analysis

Privacy risks related to captured OIS 2.0 PII are minimal, i.e. "moderate", due to OIS 2.0 security controls in accordance with DOL CSH moderate security control implementation as well as the nature of the captured PII. Captured PII within OIS 2.0 is primarily business contact information.

INTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

PII may be shared with the DOL Solicitor's office to support legal action taken against an establishment. The OIS 2.0 information to be provided would enable the Solicitor's office to obtain a warrant, prepare for a contested case, and/or review case files specifically related to a case.

How is the PII transmitted or disclosed?

The information is transmitted via a secure socket layer (SSL), i.e. HTTP/S transmission or Secure FTP (SFTP) implementation compliant with FIPS 140-2 standards.

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

Yes

Privacy Impact Analysis

After reviewing OIS 2.0 documentation, Risk Assessment, Role Categorization and Wireframes, user roles were defined based on access privileges, data type accessed and role categorization. By mapping user roles to data accessed and user access rights, we were able to determine that the various transactions that might be conducted within the OIS 2.0 System have adequate controls implemented to ensure that privacy risks to the captured OIS 2.0 PII data are minimal. The PII data captured within OIS 2.0 is primarily business contact information. The OIS 2.0 will implement all security requirements as identified by NIST 800-53 and the DOL Computer Security Handbook (CSH) for a moderate system.

EXTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Certain PII such as business information, victim and next of kin personal information are entered into OIS 2.0 by OSHA's State Plan States (States that are approved by OSHA to enforce safety and health regulations in their respective states), and Consultation Projects (state organizations that have an approved OSHA plan to provide free consultation services to small businesses). In addition, OIS 2.0 exchanges information with the Department of Treasury. PII includes EIN/TIN, Email, Contact First Name, Contact Last Name, Address and Phone Number.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, provide the SORN ID in use for this system. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Yes, as OSHA only shares this data with its approved state plan partners. The OSHA Act of 1970 authorizing OSHA also authorizes the approval process for State Plan and Consultation Projects.

How is the information shared outside the Department and what security measures safeguard its transmission?

Only authorized users in those State Plans and Consultation Projects that have met the security requirements can access the application. The various security measures that are built into the OIS 2.0 application regulate and safeguard the data. All user communications with the OIS 2.0 will be via a secure socket layer (SSL), i.e. HTTP/S transmission or Secure FTP (SFTP) implementation compliant with FIPS 140-2 standards.

How is the information transmitted or disclosed?

The information is transmitted via a secure socket layer (SSL), i.e. HTTP/S transmission or Secure FTP (SFTP) implementation compliant with FIPS 140-2 standards.

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If the answer is yes, be prepared to provide a copy of the agreement in the event of an audit as supporting evidence.

There are MOUs with the EPA and NIOSH. These MOUs are between the specific OSHA directorates DEP and DCSP and these entities and, therefore, we do not have specifics on the contents of the MOUs.

How is the shared information secured by the recipient?

Information is shared via a secure socket layer (SSL), i.e. HTTP/S transmission or Secure FTP (SFTP) implementation compliant with FIPS 140-2 standards.

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

All OIS 2.0 users have to sign Rules of Behavior and User Account Request Forms to access OIS 2.0.

Privacy Impact Analysis

The OIS 2.0 does not share PII data with an external organization. The PII data captured within OIS 2.0 is primarily business information, victim and next of kin personal information. The OIS 2.0 will implement all security requirements as identified by NIST 800-53 and the DOL Computer Security Handbook (CSH) for a moderate system.

NOTICE

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix or be prepared to provide a copy of the notice during an audit request. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, please explain.

PII data is collected as part of the inspection and consultation activities. Company employees are notified prior to an enforcement and/or consultation activity regarding the types of activities and information to be collected. As enforcement and consultation inspections are dependent on the differences of each organization, the OSHA enforcement and consultation officers provide individuals with applicable explanations during the inspection.

Do individuals have the opportunity and/or right to decline to provide information?

Yes, the individual is provided the opportunity to decline providing this information. However, to support OSHA workplace safety objectives, individuals are strongly encouraged to provide this information as it relates to their business contact information and activities.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

OIS 2.0 is bound by the Occupational Safety and Health Act of 1970 which gives employees and their representatives the right to file a complaint and request an OSHA inspection of their workplace if they believe there is a serious hazard or their employer is not following OSHA standards. Further, the Act gives complainants the right to request that their names not be revealed to their employers.

Privacy Impact Analysis

After reviewing OIS 2.0 documentation, Risk Assessment, Role Categorization and Wireframes, user roles were defined based on access privileges, data type accessed and role categorization. By mapping user roles to data accessed and user access rights, we were able to determine that the various transactions that might be conducted within the OIS 2.0 System have adequate controls implemented to ensure that privacy risks to the captured OIS 2.0 PII data are minimal. The PII data captured within OIS 2.0 is primarily business contact information. The OIS 2.0 will implement all security requirements as identified by NIST 800-53 and the DOL Computer Security Handbook (CSH) for a moderate system.

INDIVIDUAL ACCESS, REDRESS, AND CORRECTION

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

Individual information contained within a case will not be searchable in OIS 2.0. Individuals will not be allowed access to their information in OIS 2.0.

What are the procedures for correcting inaccurate or erroneous information?

Individuals have the opportunity to review their information when information is gathered.

How are individuals notified of the procedures for correcting their own information?

No procedures have been established to notify individuals of the procedures for correcting their information.

If no formal redress is provided, what alternatives are available to the individual?

No alternatives have been established to allow for formal redress.

Privacy Impact Analysis

After reviewing OIS 2.0 documentation, Risk Assessment, Role Categorization and Wireframes, user roles were defined based on access privileges, data type accessed and role categorization. By mapping user roles to data accessed and user access rights, we were able to determine that the various transactions that might be conducted within the OIS 2.0 System have adequate controls implemented to ensure that privacy risks to the captured OIS 2.0 PII data are minimal. The PII data captured within OIS 2.0 is primarily business contact information. The OIS 2.0 will implement all security requirements as identified by NIST 800-53 and the DOL Computer Security Handbook (CSH) for a moderate system.

TECHNICAL ACCESS AND SECURITY

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

Users of the OSHA Information System, OIS 2.0 Project Staff that includes project managers and subject matter experts and administrators of the OSHA Information System.

There is no public access to OIS 2.0.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA or be prepared to provide copies during an audit request.

Yes. The contractors mainly have access to OIS 2.0 as administrators. Contractors will have access to the OIS 2.0 based on their job function. All access to OIS 2.0 will be monitored via OIS 2.0 auditing mechanisms.

Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.

OIS 2.0 users are assigned roles based on the business area they need access to and their role in their organization.

For each module, there are supervisor and CSHO/Consultant roles. In addition, there is a user administrator role that has the authority to create users in OIS 2.0.

What procedures are in place to determine which users may access the system and are they documented?

OIS 2.0 access controls are designed to be very granular and flexible. Access to OIS 2.0 data and processing will be provided on a need basis as defined by OSHA federal and state policies and procedures. All OIS 2.0 access policies and procedures will be documented.

How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide date of last training.

OIS 2.0 users are required to review and sign the OIS 2.0 Rules of Behavior. Further, all OSHA employees must comply with Departmental Computer Security and Privacy Awareness training. Training is conducted annually.

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

All OIS 2.0 users are required to review and sign the OIS 2.0 Rules of Behavior. Further, all OSHA employees must comply with Departmental Computer Security and Privacy Awareness training. Security related employees are required to take Role Based Training annually.

What auditing measures and technical safeguards are in place to prevent misuse of data?

In addition to granular access controls and tightly controlled access to sensitive data elements, full auditing of data access is planned for the production OIS 2.0 application in accordance with NIST 800-53 and DOL Computer Security Handbook policies and procedures for a "moderate" system.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes. The SAA was completed January 2021.

Privacy Impact Analysis

Privacy risks related to captured OIS 2.0 PII are minimal, i.e. "moderate", due to planned OIS 2.0 security controls as well as the nature of the captured PII. Captured PII within OIS 2.0 is primarily business contact information. The OIS 2.0 will implement all security requirements as identified by NIST 800-53 and the DOL Computer Security Handbook (CSH) for moderate systems.

TECHNOLOGY

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

The system was built from the ground up using software that was configured and customized.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

Data integrity, privacy and security were analyzed in accordance with procedures outlined in the Computer Security Handbook and FIPS 199.

What design choices were made to enhance privacy?

Design choices were made in accordance with the Computer Security Handbook and NIST 800-53.

For systems in development, what stage of development is the system in, and what project development life cycle was used?

OIS 2.0 is Operational.

For systems in development, does the project employ technology that may raise privacy concerns? If so, please discuss their implementation.

Not applicable.

DETERMINATION

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • OSHA has completed the PIA for the OIS 2.0, which is currently in operation. OSHA has determined that the safeguards and controls for this moderate system adequately protect the information.
  • OSHA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.