Privacy Impact Assessment - OSHA - Business Information Systems

• Obtained from individuals or business entities.
• Complainant provides information by filing a complaint.
• Users voluntarily submit non-sensitive PII in order to use specific services.

• Non-Sensitive PII — First and/or Last Name; Business Address, Telephone Number, Email Address; Home Address, Telephone Number, Email Address; DOL Employee Name, Work Contact Telephone Number, and Work Email Address.

• System updates by CSHO from inspections and investigations.
• Complainants provide the information either orally or in writing, and then the information is entered into the OBIS Application.
• Web-based forms.

• Edit checks are in place within the application to ensure accuracy of data input. In addition, information may be verified by the investigator of the case.
• Technical controls are in place as data is checked during submission on the form. The contact information is verified or rejected as the minor applications attempt to provide the requested services, some applications use automated means and some require human intervention.

• Occupational Safety and Health Act of 1970, 29 U.S.C. 651, et seq.
• Surface Transportation Assistance Act of 1982, 49 U.S.C. 31105
• Asbestos Hazard Emergency
  Response Act of 1986, 15 U.S.C. 2651
• International Safe Container Act, 46 U.S.C. 80507
• Safe Drinking Water Act, 42 U.S.C. 300j — 9(i)
• Energy Reorganization Act of 1974, as amended, 42 U.S.C. 5851 Comprehensive Environmental Response, Compensation and Liability Act of 1980, 42 U.S.C. 9610(a) — (d)
• Federal Water Pollution Control Act, 33 U.S.C. 1367
• Toxic Substances Control Act, 15 U.S.C. 2622
• Solid Waste Disposal Act, 42 U.S.C. 6971
• Clean Air Act, 42 U.S.C. 7622
• Wendell H. Ford Aviation Investment and Reform Act for the 21st Century, 49 U.S.C. 42121
• Sarbanes-Oxley Act of 2002, 18 U.S.C. 1514A
• Pipeline Safety Improvement Act of 2002, 49 U.S.C. 60129
• Federal Rail Safety Act, as amended by §1521 of the 9/11 Act of 2007, 49 USC §20109
• National Transit Security Systems Act, §1413 of the 9/11 Act of 2007, 6 USC §1142
• The standard DOL web privacy policy is posted on the OSHA.gov website; users of OSHA Web Services voluntarily submit non-sensitive PII in order to use specific services.

• Privacy risks are low because of access, physical and logical security controls that are implemented throughout OBIS.

• Used for OSHA investigations, inspections, accidents and fatality reporting.
• Requires contact with complainants and responders during the course of investigations.
• Non-sensitive PII is used for contacting users for mailing of OSHA publications and responding to online complaints.

• Basic automated data checking during submission. No data is reused, produced in another form, or displayed.

No

• Postal Zip Code data; A table is used to validate all zip codes that are entered.
• Data is used only for the purpose of contacting the requesting web users.

No

Yes

• Adheres to all federally mandated, DOL, and OSHA controls. Access, authentication and authorization controls are built into the applications.

• Indefinitely. Information and emails are retained in accordance with OSHA and Minor application owner policies.

No

No

• Review business retention requirements

• Business Functionality determines when PII is no longer required.

• There is a low level of risk with misuse of private data, primarily due to inadvertent use of protocol sharing of the data that does not conform to the standards.

• The PII data is used by authorized OSHA area, regional and national office employees.
• Information is shared within OSHA and other internal agencies as required.

• Transmitted via network resources.
• OBIS applications use SSL for encryption, LDAP for user authentication and application authorization through database roles and privileges.
• Automated emails are directed only to system owners or a gatekeeper.

• If information is provided under FOIA, critical data is redacted in the data file; data is encrypted. Possible low level risk include emails which are not encrypted could be intercepted; however these are only sent to specific system owners or gatekeepers all internal to DOL. Exception to this process is the online complaint form in which emails are sent externally to OSHA state gatekeepers. PII contained in these emails are non-sensitive and publicly available.

• Additionally, a database administrator, (DBA) could access the information using SQL statements. However, DBAs are governed by DOL and OSHA policy regarding disclosure and separation of duties.

• PII information is occasionally shared with other government agencies, on a need-to-know basis, with adequate safeguards against public disclosure. The cases which include the PII data may be reported to Congress. Aggregated data such as numbers of complaints received annually under each of the laws, the number of complaints dismissed or found in favor of complainants, etc., are publicly disclosed in a variety of ways.
• Complaints submitted in the jurisdiction of a state Occupational Safety and Health ( OSH) plan are sent to the state's gatekeeper via email.

Yes

• External information requests are processed by the department and transmission modes are compliant with the request securely. OBIS system employs NIST 800-53 Security Controls for risk mitigation, security safeguards against risks, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.

• PII information is occasionally shared with other government agencies, on a need-to-know basis. NIST 800-53 Security Controls are implemented for risk mitigation, security safeguards against risks, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.

Yes

Yes

• The individual is protected under the Privacy Act. The data is used only as part of an investigation and individuals waive the right to consent to particular uses of the information, once they submit a complaint. An individual has the right not to provide PII and by submitting their information they automatically consent to its use according to the DOL web Privacy and Security Statement.

• Individuals are notified of the fact that OSHA electronically manages the data they have voluntarily submitted; however, as this data is for internal and exclusively government use, and very limited disclosures (to respondents, other agencies, and Congress) are mandated by law, there is minimal risk. This risk is mitigated by controlling access to the system.

• The "Privacy and Security Statement" link is on the bottom of all OWS pages. It's possible that users won't click on the link and view the policy. However, the individuals are fully aware of the information collection since they are specifically entering their information in the minor applications.

• Requests may be submitted by fax, courier services, mail, or to foiarequest@dol.gov. In order to protect your privacy, when you make a written request for information about yourself you must provide either a notarized statement or a statement signed under penalty of perjury stating that you are the person you claim to be. You may fulfill this requirement by: (1) having your signature on your request letter witnessed by a notary, or (2) pursuant to 29 U.S.C. 1746 (2) including the following statement just before the signature on your request letter: "I declare under penalty of perjury that the foregoing is true and correct. Executed on [date]." If you request information about yourself and do not provide one of these statements, your request cannot be processed under the Privacy Act.

• OSHA application support is available by contacting the OSHA Application Support team at OSHAapplications@dol.gov.

What are the procedures for correcting inaccurate or erroneous information?

• In the case of inspections and investigations, the user notifies the Regional Office that performed the inspection or investigation.
• For some minor applications, if an individual enters incorrect information they will not receive the services of the minor application collecting it. They will have to reenter their information again to obtain access to those services.

• Individuals are notified verbally and are provided a written statement for their review. If their contact information is entered incorrectly there is no way to contact them.

• The user may contact an OSHA office.
• User will have to re-enter their information again to obtain access to services.

• There are no risks associated with the redress information.
• Correction is accomplished by the individual submitting correct information to access the specific service.

• Users are granted access only after completing and signing an account request form and it is received from an authorizing security manager indicating the user's role and assigned reporting office(s).
• System administrators and database administrators are required to sign Rules of Behavior and are officially appointed with a Letter of Appointment. This process is documented in an OWS Standard Operating Procedure.
• Authorization Procedures are outlined in the OBIS SOPs and SSP.

Yes

Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?

• DOL-wide Information Systems Security and Privacy Awareness Training is mandatory for all personnel connecting to the network or has access to OSHA data. Additionally, personnel with security responsibilities are required to complete role-based training.

• NIST 800-53 Security Controls, Homeland Security Presidential Directive 12 (HSPD-12) and Identity Verification which is used for personnel security.
• Database auditing is implemented.

• OSHA Controlled Unclassified Information (CUI) are protected utilizing best security practices and redaction is employed for hard copies. NIST 800-53 Security Controls are implemented for risk mitigation, security safeguards against risks, unauthorized access or use, destruction, modification and unintended or inappropriate disclosure.

• Operations and Maintenance Phase per the DOL System Development Life Cycle Manual (SDLCM).

No