OJC — Student Pay Allotment and Management Information System (SPAMIS)
Overview
SPAMIS (Student Pay Allotment and Management Information System) is owned by the Office of Job Corps. SPAMIS processes Job Corps student payroll, allotment, transitional allowances, leave, earnings, attendance records, and placement, and provides a series of reports to each Job Corps Center that allow the center to measure its own performance and that of its contractors. SPAMIS supports the Department of Labor's mission by tracking information to support the academic and vocational training that Job Corps provides to students. The primary transactions that occur on the SPAMIS system include student enrollment, student payroll and student job placement. SPAMIS contains modules that are designed to support the distinct functions of student enrollment, student payroll and job placement tracking. These secure modules utilize a single centralized secured database. SPAMIS is authorized to operate under Subtitle C of Title I of the Workforce Investment Act of 1998, 29 U.S.C. 2881 et seq. The SPAMIS system collects personally identifiable information (PII) for members of the public, and therefore this Privacy Impact Assessment is being conducted for the SPAMIS system in order to comply with Section 208 of the E-Government Act of 2002.
Characterization of the Information
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
- Specify whether the system collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
SPAMIS collects PII from members of the public.
- What are the sources of the PII in the information system?
The source of the information is the members of the public who are enrolling in Job Corps. Prospective Job Corps students provide information about themselves to Job Corps staff as part of the process to enroll in Job Corps.
- What is the PII being collected, used, disseminated, or maintained?
PII data collected from Job Corps students includes full name, home address and phone number, SSN, date and place of birth, and medical data.
- How is the PII collected?
Prospective Job Corps students provide information about themselves to Job Corps staff as part of the process to enroll in Job Corps. Prospective students meet with Job Corps Outreach and Admission counselors. The counselors interview the prospective students and enter the data directly into SPAMIS.
- How will the information be checked for accuracy?
Official documents such as a birth certificate, state-issued driver's license, and Social Security card are required. These official documents are required in order to provide accurate information to enter into SPAMIS.
- What specific legal authorities, arrangements, and/or agreements defined the collection of information?
SPAMIS is authorized under Subtitle C of Title I of the Workforce Investment Act of 1998, 29 U.S.C. 2882 et seq. Job Corps is part of the U.S. Department of Labor. The Department's authority to collect information from Job Corps applicants and the Job Corps students is found in the Job Training Partnership Act. The Department's authority to solicit the Social Security Number is found in the Act. Job Corps is required by the Internal Revenue Code, 26 USC Sec 6051 and 6109, to report Social Security numbers to the Social Security Administration on W-2 forms.
- Privacy Impact Analysis
Privacy risks include the unauthorized release of privacy information outside of the control of SPAMIS. Job Corps has mitigated these risks by implementing tight security controls on the SPAMIS application and limiting access to privacy data to only authorized Job Corps staff. Job Corps also conducts annual security awareness training to ensure that all Job Corps staff members are educated regarding the proper methods to handle privacy information.
Uses of the PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
- Describe all the uses of the PII
Job Corps uses PII data to uniquely identify each Job Corps student for the purposes of educational tracking and student payroll calculation, distribution and reporting. Detailed payroll information is required by the Social Security Administration to report annual W-2 payroll and tax data. Selective Service also solicits information from Job Corps in order to enroll eligible students into Selective Service.
- What types of tools are used to analyze data and what type of data may be produced?
SPAMIS was designed and developed by Job Corps to specifically support Job Corps business requirements. SPAMIS consists of a series of custom computer applications that track student enrollment, payroll, and job placement. The type of data produced includes enrollment reports, student payroll earnings and deductions and job placement reports.
- Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No.
- If the system uses commercial or publicly available data, please explain why and how it is used.
SPAMIS does not use commercial or publicly available data.
- Privacy Impact Analysis
SPAMIS consists of a series of Job Corps developed computer applications that are designed to specifically track student enrollments, student payroll and job placement information. SPAMIS does not contain any functionality to go outside of these boundaries. Job Corps staff is trained on the proper business use of SPAMIS as well as the security considerations that must be adhered to while using SPAMIS. SPAMIS adheres to all required federal security controls as set forth by the Office of Management and Budget (OMB) and the Department. SPAMIS complies with all applicable National Institute of Standards and Technology (NIST) guidelines as well as the Federal Information Security Management Act (FISMA) controls.
Retention
The following questions are intended to outline how long information will be retained after the initial collection.
- How long is information retained in the system?
SPAMIS retains Job Corps student information for an indefinite period in order to support historical reporting as required by Congress, Office of Management and Budget and the Office of Inspector General.
- Has the retention schedule been approved by the DOL agency records officer and the National Archives and Records Administration (NARA)?
The SPAMIS record retention schedule has been approved by the Department's agency records officer and the National Archives and Records Administration.
- What efforts are being made to eliminate or reduce PII that is collected, stored or maintained by the system if it is no longer required?
The FY2014 review indicates that the PII that is being collected, stored and maintained in SPAMIS continues to be required.
- How is it determined that PII is no longer required?
Job Corps conducts periodic reviews to determine if the PII that is collected, stored and/or maintained in SPAMIS continues to be required. The FY2014 review indicates that the PII that is being collected, stored and maintained in SPAMIS continues to be required.
- Privacy Impact Analysis
The risks associated with data retention are unauthorized release of information outside of SPAMIS. Job Corps has mitigated these risks by implementing tight security controls on the SPAMIS application and limiting access to privacy data to authorized Job Corps staff only. Job Corps also conducts annual Security Awareness Training to ensure that all Job Corps staff members are educated regarding the proper methods of handling privacy information.
Internal Sharing and Disclosure
The following questions are intended to define the scope of sharing within the Department of Labor.
- With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
Job Corps does not share Job Corps student data with other agencies within the Department of Labor.
- How is the PII transmitted or disclosed?
Not applicable since Job Corps does not share Job Corps student data with other agencies within the Department of Labor.
- Privacy Impact Analysis
Not applicable since Job Corps does not share Job Corps student data with other agencies within the Department of Labor.
External Sharing and Disclosure
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state and local government, and the private sector.
- With which external organization(s) is the PII shared, what information is shared, and for what purpose?
Job Corps is required to provide Job Corps student W-2 payroll and tax deduction information to the Social Security Administration. Job Corps also provides student data to Selective Service for registration into the Selective Service program.
- Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
The sharing of Job Corps student PII outside the Department is compatible with the original collection. Job Corps collects student PII in order to process student payroll. Job Corps is required by the Internal Revenue Code, 26 USC Sec 6051 and 6109, to report Social Security numbers on the W-2 forms to the Social Security Administration. Job Corps is also required, under the Selective Service Act, to provide enrollment information to the Selective Service.
- How is the information shared outside the Department and what security measures safeguard its transmission?
The Social Security Administration provides a secure data transmission link to download the Job Corps student W-2 payroll and tax deduction data. The data is transmitted electronically from Job Corps to the Social Security Administration by the Job Corps Data Center Certified Public Accountant who is responsible for maintenance of the W-2 data. Data that is transmitted to Selective Service is first compressed into an encrypted, password-protected file.
- Privacy Impact Analysis
The risks associated with sharing the Job Corps W-2 data with the Social Security Administration and Selective Service are the unauthorized release of the information outside of the control of SPAMIS or the Social Security Administration and Selective Service. The Social Security Administration has developed a secure data transmission link that Job Corps uses to transmit the encrypted data in a safe and protected manner. Job Corps encrypts and password protects the data that is transmitted to the Selective Service.
Notice
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
- Was notice provided to the individual prior to collection of PII?
Yes. Job Corps provides a Privacy Act Statement to each prospective Job Corps student before they provide any privacy data to Job Corps.
- Do individuals have the opportunity and/or right to decline to provide information?
Individuals do have a right to decline to provide information. However, a prospective student must provide the required information in order to enroll in the Job Corps program. The Job Corps Privacy Act Notice provides clear requirements for the collection of the privacy data.
- Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No. Information from Job Corps students is used for the same purposes for all students.
- Privacy Impact Analysis
Prospective Job Corps students are provided with a Job Corps Privacy Impact Statement. They are also required to read and sign a consent form for collection of the information prior to enrollment. Job Corps requires that these control measures are in place prior to collecting any student data in order to ensure that all prospective Job Corps students clearly understand the procedures.
Access, Redress, and Correction
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
- What are the procedures that allow individuals to gain access to their information?
Job Corps students can work with the Job Corps staff members whether they are at the Outreach and Admissions office, a Job Corps Center, or a Career Transition Specialist job placement office, to gain access to their information. The authorized Job Corps staff members at these offices will work with a student if they have any concerns about the accuracy of the data, or if a change needs to be made.
- What are the procedures for correcting inaccurate or erroneous information?
If a Job Corps student needs to make a correction to his/her information, they can work with a local Job Corps staff member. The student may need to provide updated documents such as a birth certificate, state-issued driver's license or Social Security Card to make the corrections. SPAMIS provides a mechanism in the system for Job Corps staff members to make data corrections after they have been verified.
- How are individuals notified of the procedures for correcting their information?
Job Corps students are notified verbally of the data correction procedures by Job Corps staff members.
- If no formal redress is provided, what alternatives are available to the individual?
Job Corps procedures are in place to provide redress.
- Privacy Impact Analysis
The risks associated with redress include proper identification of the individual student making the request as well as accuracy of the data. Job Corps requires proper identification such as birth certificates, state-issued driver's license, and Social Security Cards. The Job Corps staff members are trained on the proper usage of SPAMIS and documentation requirements for data entry and corrections.
Technical Access and Security
The following questions are intended to describe technical safeguards and security measures.
- What procedures are in place to determine which users may access the system and are they documented?
SPAMIS operates under documented access control policies and procedures. This includes management-approved, documented requests for access to SPAMIS. An approved manager who knows the business need for the user will fill out an access request form that specifically details the SPAMIS modules that the user can access. The new user account is then set up according to documented policies and procedures.
- Will Department contractors have access to the system?
Yes. Federal staff and department contractors abide by the same sets of rules, policies and procedures for the proper handling of privacy data.
- Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
All new Job Corps employees are required to take Security Awareness Training, which includes the appropriate measures to address the proper handling of privacy data. All employees are required to re-take the training each calendar year.
- What auditing measures and technical safeguards are in place to prevent misuse of data?
Job Corps has implemented multiple automated auditing features including network and database auditing. Job Corps also has manual auditing processes in place including tracking of all data change requests in the Remedy software tracking system. Other auditing processes include separation of duties within Job Corps and the Job Corps Data Center to prevent fraud or misuse of data.
- Privacy Impact Analysis
The primary risks associated with the handling of privacy data include fraud and the unauthorized release of data outside of the controls of SPAMIS. Job Corps has implemented a required Security Awareness Training program, which includes the proper handling of privacy data. All staff members must complete the training, which includes a written exam at the end of the training session. All SPAMIS users must also read and sign a Rules of Behavior document that outlines the expectations that Job Corps has for all staff members who handle privacy data. Job Corps has also implemented various auditing functions to track changes to the data. A Separation of Duties policy has also been implemented to ensure the proper handling of privacy data according to job function.
Technology
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, RFID, biometrics, and other technology.
- What stage of development is the system in, and what project development life cycle was used?
SPAMIS is in the Operations and Maintenance phase of the Department's System Development Life Cycle (SDLCM).
- Does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.
The Job Corps SPAMIS employs the latest in computer security technology to mitigate the risks associated with the unauthorized release of privacy information outside of the boundaries of SPAMIS. SPAMIS has stringent user identification and password controls, as well as role-based access to the privacy data, based on job function. SPAMIS also receives secure protection from the Job Corps LAN/WAN General Support System which supplies the electronic transportation of data between the Job Corps staff and the SPAMIS database. The LAN/WAN is composed of Firewalls, Intrusion Detection Systems, Intrusion Prevention Systems, Anti-Virus systems and data encryption.
Determination
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
- The Office of Job Corps has completed the PIA for SPAMIS which is currently in operation. Office of Job Corps has determined that the safeguards and controls for this moderate system adequately protect the information.
- Office of Job Corps has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.