OVERVIEW

The Trade Adjustment Assistance (TAA) Program is a federal entitlement program that assists U.S. workers who have lost, or may lose, their jobs as a result of foreign trade.  TAA includes resources and opportunities for trade-affected workers to obtain the skills, credentials, and support necessary for successful reemployment. Any member of a worker group certified by the Department as trade-affected is potentially eligible to receive TAA Program benefits and services through a local American Job Center (AJC), such as employment services and case management, training, income support in the form of Trade Readjustment Allowances (TRA), job search allowances, relocation allowances, and a Health Coverage Tax Credit (HCTC). The Reemployment TAA (RTAA) benefit is also available and provides wage supplements for eligible reemployed workers, age 50 and over, whose reemployment resulted in lower wages than those earned in their trade-affected employment.

The Petition Automated Workflow System (PAWS) is operated by the Office of Trade Adjustment Assistance (OTAA) to process petitions for worker group certification for benefits under the TAA program.  PAWS received petition information through an interface, direct entry from state users, or internal user entry from This includes collecting data on the worker group and employing firm as well as the customers of firms under the Trade Act of 1974, as amended.  Data includes non-sensitive PII as well as business confidential data.

CHARACTERIZATION OF THE INFORMATION

The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.

Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.

Members of the US public (US Citizens) and US firms.

From whom is information to be collected?

PAWS collects information from the public in the form of a TAA petition that includes information on the petitioner, the worker group and firm, and the company officials at the firm.  The PAWS also collects business information and contact information submitted by the subject firm as well as the firms' contractors and customers.

Why is the Information being collected?

The information is being collected so that worker group eligibility can be determined under the statute and communicate those activities with appropriate stakeholders. 

What is the PII being collected, used, disseminated, or maintained?

  • First Name
  • Last Name
  • Phone Number
  • Alternative Phone Number
  • Fax Number
  • Street Address
  • Email
  • Employer Identification Number (EIN)
  • Business Phone
  • Business Address
  • Business Email

Contact information may be business or personal.  Company information is typical and 80% of petitions filed are by state agencies who provide their business information.  However, groups of workers themselves may file petitions and would provide their personal contact information.

How is the PII collected?

All PII is collected through Forms approved under OMB 1205-0342.  TAA Petition Forms (Form ETA-9042 and ETA-9042a) may be entered directly by external users, entered into a companion system and interfaced into PAWS or directly entered by internal users (if received by mail or similar form).  Similarly, external users can collect information on the Business Data Request (Form ETA-9043) or they can submit it off system and have internal users upload that data.  Customer survey data (ETA-8562A, ETA-8562A-1, ETA-8562A-2, ETA-8562A-3, and ETA-9562) as well as the Business Information Request (ETA-9118) and Application for Reconsideration (ETA-9185) are all submitted to DOL staff and uploaded into the system. 

How will the information collected from individuals or derived from the system be checked for accuracy?

Form information is reviewed by internal staff upon submission.  This includes verification of addresses and follow-up communications.  Petition and Application for reconsideration forms require a two-step verification review by internal staff.  Business Data Requests, Business Information Requests, and Customer Surveys are all reviewed by analysts assigned to the specific case and follow-up for clarifications and corrections.

What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?

Section 221 (a) of Title II, Chapter 2 of the Trade Act of 1974, as amended (19 USC § 2271 et seq.) authorizes the Secretary of Labor and the Governor of each State to accept petitions for certification of eligibility to apply for adjustment assistance.  The remaining forms are undertaken in accordance with Sections 222, 223 and 249 of the Act (19 USC § 2272, 2273 et seq.), which require the Secretary to certify groups of workers for whom petitions have been submitted as eligible to apply for worker trade adjustment assistance (TAA).  All forms are PRA approved collections under the OMB No. 1205-0342.

Privacy Impact Analysis

PAWS collected data does not include any sensitive PII and any data released publicly from the system goes through a two-step review to ensure PII is redacted.  Internal access to PII is controlled through user management.  Both the impact and risk of disclosure are minimal.

DESCRIBE THE USES OF THE PII

The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.

Describe all the uses of the PII

PII allows for the tracking and communication with petitioners, company officials, and related stakeholders.

What types of tools are used to analyze data and what type of data may be produced?

OTAA uses a comprehensive set of analytics tools including tracking of communications statistics and analyzes petition processing information with program indicators in other systems.  However, data on individuals is not combined with any other individual information.

Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?

No.

If the system uses commercial or publicly available data, please explain why and how it is used.

The system uses a commercial address verification vendor to correct and validate postal addresses.

Will the use of PII create or modify a “system of records notification” under the Privacy Act?

No.

Privacy Impact Analysis

PAWS utilizes comprehensive, role-based access to required non-sensitive PII.  The system does not contain any sensitive PII or transmit such PII.

RETENTION

The following questions are intended to outline how long information will be retained after the initial collection.

What is the retention period for the data in the system?

Indefinite.  TAA certifications provide lifetime eligibility and TAA is statutorily required to retain petitions for public inspection.

Is a retention period established to minimize privacy risk?

No

Has the retention schedule been approved National Archives and Records Administration (NARA)?

The current practice is consistent with NARA records schedule approved 08/10/2000.

Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?

None.

How is it determined that PII is no longer required?

Such contact information is retained indefinitely as TAA certifications provide for lifetime eligibility and TAA is statutorily required to retain petitions for public inspection.

If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII.

No sensitive PII is contained in the system.

Privacy Impact Analysis

The risks are minimal since it merely contains general contact information that are generally publicly available, and TAA is statutorily required to retain petitions for public inspection.

INTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the scope of sharing within the Department of Labor.

With which internal organization(s) is the PII shared, what information is shared, and for what purpose?

None

How is the PII transmitted or disclosed?

N/A

Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?

N/A

Privacy Impact Analysis

PII is not shared within the Department except in the normal usage of the system.  No impact.

EXTERNAL SHARING AND DISCLOSURE

The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state, and local government, and the private
sector.

With which external organization(s) is the PII shared, what information is shared, and for what purpose?

Contact information of company officials is shared with state agency partners who need to acquire further information on workers from the company officials consistent with statutory requirements.  A copy of the non-redacted petition information is also provided to state agencies consistent with statutory requirements.

Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.

Yes, it is compatible with the original collection and required under 20 CFR 618.205.

How is the information shared outside the Department and what security measures safeguard its transmission?

State users get user-controlled access to the PAWS system.

How is the information transmitted or disclosed?

State users get user-controlled access to the PAWS system.

Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If the answer is yes, be prepared to provide a copy of the agreement in the event of an audit as supporting evidence.

No

How is the shared information secured by the recipient?

N/A

What type of training is required for users from agencies outside DOL prior to receiving access to the information?

N/A

Privacy Impact Analysis

N/A

NOTICE

The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.

Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal

Register Notice. If notice was not provided, please explain.

Privacy notice is included as part of the forms under OMB 1205-0342.

Do individuals have the opportunity and/or right to decline to provide information?

No, this is statutorily required information.  Companies can decline to provide the information on the Customer Survey, which is why an Anonymous Customer Survey option is included.

Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?

No.

Privacy Impact Analysis

Form instructions.  No meaningful impact.

INDIVIDUAL ACCESS, REDRESS, AND CORRECTION

The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.

What are the procedures that allow individuals to gain access to their own information?

Freedom of Information Act (FOIA)

What are the procedures for correcting inaccurate or erroneous information?

Providing any kind of contact update through our normal office means (hotline, email, etc).

How are individuals notified of the procedures for correcting their own information?

All email notices indicate they should reach out to us if they have updated information.

If no formal redress is provided, what alternatives are available to the individual?

N/A

Privacy Impact Analysis

None.

TECHNICAL ACCESS AND SECURITY

The following questions are intended to describe technical safeguards and security measures.

Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)

State program administrators and their agents (limited), company officials (their own firm information only), and internal program users.

Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.

Team members must have access to support Operations and Maintenance (O&M) and troubleshoot production issues per our contract:

5.7 Task 7. Operations and Maintenance (O&M) and Support Services

Operations and Maintenance (O&M) activities focus on routine support required to maintain the availability, reliability, and security of PAWS. The Contractor shall provide the full range of O&M support services including issue identification, tracking, analysis, and resolution; code generation, testing, COTS customization and configuration; documentation; change incorporation; maintenance of tools, custom code, specialized configurations, customizations, and process automation such as scripts, templates, and workflows; performance tuning and monitoring; system administration, and user account administration. The Contractor shall perform O&M activities in accordance with DOL Agile processes for system development lifecycle activities for the PAWS case management system, such as documentation, software upgrades/patching, API and hosting infrastructure, etc. PAWS project work that is included under this category includes all PAWS system components and infrastructure.

Does the system use “roles” to assign privileges to users of the system? If yes, describe the roles.

Yes.  Individual roles for investigators, performance management and data reporting (PMDR), read only for policy staff, state users, and company officials.

What procedures are in place to determine which users may access the system and are they documented?

State users must request access and be reviewed by PMDR users in coordination with the state coordinator.  Company officials are granted access by the individual analyst working on the petition after determining they are the company's agent.  Internal users are granted access as part of onboarding.

How are the actual assignments of roles and Rules of Behavior, verified according to established security and auditing procedures? How often training is provided? Provide date of last training.

Training is provided as part of onboarding. 

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

Standard DOL privacy training.

What auditing measures and technical safeguards are in place to prevent misuse of data?

Data updates are audited and can be searched.

Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?

Yes – BPMP and is in Ongoing-Authorization which conducts a Security Assessment every year.

Privacy Impact Analysis

N/A

TECHNOLOGY

The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.

Was the system built from the ground up or purchased and installed?

Since PAWS is part of BPMP: The BPMP applications are custom designed applications built on top of a purchased platform-as-a-service instance of Appian's low-code development software.

Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.

Since GPMS is part of BPMP: The Department of Labor (DOL) built the BPMP on top of a FedRAMP-compliant Appian Cloud.  This allowed for the development of applications which leverage the built-in Appian Security Framework without writing any custom code.  Application development was preformed followed DOL Center of Excellence guidelines utilizing an Agile development process which required consistent review of all aspects of the application development.

What design choices were made to enhance privacy?

Since GPMS is part of BPMP and is an Appian application: Applications were developed used Appian best practices making use of the built-in permissions framework using Appian Groups.  Applications are reviewed for alignment with Center of Excellence guidance around least-privileged object configuration for supporting application operations

For systems in development, what stage of development is the system in, and what project development life cycle was used?

N/A

For systems in development, does the project employ technology which may raise privacy concerns? If so please discuss their implementation?

N/A

DETERMINATION

As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?

  • ETA has completed the PIA for PAWS which is currently in operation.
  • ETA has determined that the safeguards and controls for this moderate system adequately protect the information.
  • ETA has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.