OVERVIEW
This PIA is for the Office of the Solicitor (SOL) Time and Management (SOLTAM) system, a Salesforce-based Software-as-a-Service (SaaS) product. The sponsor of this system is the SOL, and the initiative is managed within the Division of Management and Administrative Legal Services (MALS). This system is part of the Office of the Chief Information Officer (OCIO) expired funds. This modernization effort targets the legal services performed by the SOL National, Regional, and Sub-Regional offices.
The SOLTAM tracks all significant legal activities referred by Department of Labor (DOL) client agencies to the various components of SOL. Legal services include undertaking litigation to carry out priority enforcement initiatives and defend the Secretary and the program agencies of the Department; assisting in the development, drafting, and legal review of legislation, regulations, Executive Orders, and other matters affecting Departmental programs; and providing legal opinions/advice for the Secretary, Departmental, and agency officials. Data collected through the SOLTAM is used to analyze the volume, diversity, trends, and impact of the workload in SOL offices. This system provides information to manage SOL resources, monitor operational performance, support budget activities, and provide SOL's client agencies (DOL agencies) with updated information on the work being done in their respective program areas. The system also captures SOL resource time spent providing legal services. The SOLTAM provides these functions throughout SOL national, regional, and sub-regional offices supporting approximately 700 attorneys, docket clerks, and paralegals.
The SOLTAM provides SOL with an improved capability to manage and control legal resources and meet the requirements of recent changes to the Federal Code of Civil Procedures. It improves SOL's capabilities to:
- Provide accurate and timely reporting to DOL, the Office of Management and Budget (OMB), Congress, and other federal agencies;
- Provide a basis to demonstrate compliance with program objectives and evaluation recommendations;
- Quantify the resources used to deliver legal services to DOL agencies in order to support reimbursement requests to agencies under the Economy Act;
- Provide a basis to support vetting requests (a review of past legal services rendered to determine if the party in question has been involved in any past or current DOL legal issues); and
- Provide a basis for an attorney to determine whether they should recuse themselves, under the Rules of Ethical Conduct, from working on a particular matter due to a bias, prejudice or conflict of interest.
The Personally Identifiable Information (PII) within the system will be collected from members of the public (Social Security Numbers (SSN), names, addresses, phone numbers, and email addresses) and from employees and contractors (first/last names and email addresses). The PII collected will be used to communicate with claimants and ensure proper payment of benefits, and to communicate with parties to a litigation case.
A typical transaction in the SOLTAM involves a SOL docket clerk creating a litigation matter (legal services) to support a DOL enforcement agency, updating a matter's status, recording the time spent on a matter, and closing a matter at the completion of the litigation case.
SOLTAM is an internal-only system and will have no interconnections or information sharing with other systems. The legal authority to collect the information is 5 U.S.C. 301, 5 U.S.C. 552, and 5 U.S.C. 552a. The Privacy Act requires that a System of Records Notice (SORN) be published in the Federal Register when PII is maintained by a Federal agency in a system of records and the information is retrieved by a personal identifier. The system can retrieve PII by a specific personal identifier. A Privacy Act SORN will be published in the Federal Register.
CHARACTERIZATION OF THE INFORMATION
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
From whom is information to be collected?
PII is collected from the work files of DOL client agencies that request legal services from SOL.
Why is the Information being collected?
PII is collected to support providing legal services to DOL client agencies.
What is the PII being collected, used, disseminated, or maintained?
Members of the Public
- Name of party to a litigation case and name of FOIA appellant
- Residential address
- Mailing address
- Personal phone number
- Personal email address
- SSN (FECA Subrogation and Black Lung matters only)
- Note: A party to a case includes the judge, expert witnesses, the claimant, opposing counsel, etc.
SOL Federal Employees
- Name of SOL employee
- Network logon credentials (network domain/user ID) of system business users
- Business phone
- Business email
SOL Contractors
- Name of contractor
- Network logon credentials (network domain/user ID) of contractors that maintain the system.
- Business phone
- Business email
How is the PII collected?
PII is collected as the result of performing legal services for the DOL client agencies.
How will the information collected from individuals or derived from the system be checked for accuracy?
PII for a specific matter/case is reviewed by the supervising attorney assigned to the matter/case.
What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?
SOL has the authority to perform legal services under the statutes and federal regulations noted in 5 U.S.C. §301 (Departmental Regulations). These legal services are recorded in SOLTAM.
SOL adheres to the Privacy Act of 1974 for PII that is contained within the SOLTAM. PII is stored for the exclusive purpose of performing SOL's mission. The mission is to represent the Secretary and the client agencies in all necessary litigation, including both enforcement actions and defensive litigation, and in alternative dispute resolution activities; assist in the development of regulations, standards, and legislative proposals, and provide legal opinions and advice concerning all the Department's activities.
Privacy Impact Analysis
The PII stored in the SOLTAM is subject to minimal risk because it is well protected by implementation of numerous security controls at the network and application level as defined by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Security and Privacy Controls for Federal Systems and Organizations. This system is also on Salesforce which has an authorized FedRAMP package where Salesforce implements numerous security controls on the Salesforce platform.
DESCRIBE THE USES OF THE PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
Describe all the uses of the PII
PII | Use
--- | ---
MEMBERS OF THE PUBLIC |
SSN of the miner who filed the black lung claim | Used to identify the claimants, beneficiaries, survivors, etc., ensure that the DOL client agency and SOL attorney are communicating concerning the correct individual, and ensure proper payment of benefits.
SSN of the DOL employee who filed the workers' compensation claim for which DOL will request reimbursement from the third party at fault | Used to identify the claimants. No longer collected for new cases.
Name of parties to a litigation case and FOIA appellants (members of the public) | Used to communicate with the parties involved in the case.
Residential address and mailing address of parties to a litigation case and FOIA appellants (members of the public) | Used to communicate with the parties involved in the case.
Personal phone number and email of parties to a litigation case and FOIA appellants (members of the public) | Used to communicate with the parties involved in the case.
Business address, phone, and email of parties to a litigation case and FOIA appellants (members of the public) | Used to communicate with the parties involved in the case.
SOL EMPLOYEES AND CONTRACTORS |
Name of SOL employees and contractors | Used for management reporting.
Business phone and email | Used to communicate within and outside of DOL.
Network logon credentials | Used to authenticate the SOL user for authorized use of the SOLTAM.
What types of tools are used to analyze data and what type of data may be produced?
The information within SOLTAM will not be used in any data analysis; it is collected only to perform legal activities for the members of the public.
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No, the system will not derive new data, or create previously unavailable data.
If the system uses commercial or publicly available data, please explain why and how it is used.
Not Applicable as the system does not use commercial or publicly available data.
Will the use of PII create or modify a "system of records notice" under the Privacy Act?
Yes, a SORN will be created for SOLTAM. The PIA will be updated after it is published to document the SORN ID.
Privacy Impact Analysis
The operational storage and use of PII can create the risk of unauthorized access and disclosure. The use of PII stored in the SOLTAM is subject to minimal risk because it is well protected by numerous technical security controls, including encryption of data at rest and in transit, and session lock on workstations.
RETENTION
The following questions are intended to outline how long information will be retained after the initial collection.
What is the retention period for the data in the system?
The retention period allows for removal of data that is two years old or no longer needed, whichever is later.
Is a retention period established to minimize privacy risk?
Yes, a retention period is established to minimize privacy risk.
Has the retention schedule been approved by the National Archives and Records Administration (NARA)?
Yes. National Archives and Records Administration Schedule #DAA-0174-2013-0006-0009, certified 07/03/2013.
Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?
As of March 2010, only the last 4 digits of the SSN are recorded for the Black Lung matters.
As of August 2010, SSN is no longer recorded for the Federal Employees' Compensation Act (FECA) Subrogation.
How is it determined that PII is no longer required?
A determination as to when PII is no longer required within the system is performed as part of the tri-annual review of the Privacy Impact Assessment. Specifically, the MALS Legal Technology Unit will make recommendations for approval by the System Owner. Also, SOL addresses all federal mandates to reduce the storage of PII in the system.
If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify, or anonymize PII?
As of March 2010, only the last 4 digits of the SSN are recorded for the Black Lung matters.
Privacy Impact Analysis
The risk of unauthorized access and unauthorized disclosure is proportionally increased by the length of time in which the data is retained. SOL has created a retention schedule for SOLTAM data and reduced the amount of PII used to mitigate this.
INTERNAL SHARING AND DISCLOSURE
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
Time by attorney name may be shared with DOL client agencies through management reports to provide the legal services accomplished in each DOL client agency.
How is the PII transmitted or disclosed?
PII is transmitted or disclosed through management reporting distributed electronically via email.
Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?
No information is transferred directly from SOLTAM to any other system. Internal sharing of PII from SOLTAM in management reports is a required function of the system.
Privacy Impact Analysis
When information is shared, there is always a risk that the sharing partner does not have the appropriate authorized access level resulting in unauthorized disclosure. Reports from SOLTAM are appropriately labeled to indicate the possible inclusion of PII and proper handling and distribution limitations for the reports.
EXTERNAL SHARING AND DISCLOSURE
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state, and local government, and the private sector.
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
Not applicable. PII from SOLTAM is not shared outside the Department.
Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
Not applicable. PII from SOLTAM is not shared outside the Department.
How is the information shared outside the Department and what security measures safeguard its transmission?
Not applicable. PII from SOLTAM is not shared outside the Department.
How is the information transmitted or disclosed?
Not applicable. PII from SOLTAM is not shared outside the Department.
Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If the answer is yes, be prepared to provide a copy of the agreement in the event of an audit as supporting evidence.
Not applicable. PII from SOLTAM is not shared outside the Department.
How is the shared information secured by the recipient?
Not applicable. PII from SOLTAM is not shared outside the Department.
What type of training is required for users from agencies outside DOL prior to receiving access to the information?
Not applicable. PII from SOLTAM is not shared outside the Department.
Privacy Impact Analysis
Not applicable. PII from SOLTAM is not shared outside the Department.
NOTICE
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register. If notice was not provided, please explain.
Not applicable. The DOL client agencies are responsible for providing notice at the time of collection, which is prior to SOL's use of the information.
Do individuals have the opportunity and/or right to decline to provide information?
Not applicable. The DOL client agencies are responsible for providing notice at the time of collection, which is prior to SOL's use of the information.
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
Not applicable. The DOL client agencies are responsible for providing notice at the time of collection, which is prior to SOL's use of the information.
Privacy Impact Analysis
Not applicable. The DOL client agencies are responsible for providing notice at the time of collection, which is prior to SOL's use of the information.
INDIVIDUAL ACCESS, REDRESS, AND CORRECTION
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
What are the procedures that allow individuals to gain access to their own information?
An individual, or legal representative acting on their behalf, may request access to their record by appearing in person or by writing to the Department of Labor, Associate Solicitor, Office of Management and Administrative Legal Services Office of the Solicitor (SOL), 200 Constitution Avenue, NW, Washington, DC 20210. A requester in need of guidance in defining the request may write to the Assistant Secretary for Administration and Management, U.S. Department of Labor, 200 Constitution Avenue, NW, Washington, DC 20210.
The specific procedures for allowing an individual to gain access to their information are provided in Title 29 CFR Part 71.2.
What are the procedures for correcting inaccurate or erroneous information?
An individual may submit a request for correction or amendment of their record. The request must be in writing and must be addressed to the Department of Labor, Associate Solicitor, Office of Management and Administrative Legal Services Office of the Solicitor (SOL), 200 Constitution Avenue, NW, Washington, DC 20210. The request must identify the particular record in question, state the correction or amendment sought, and set forth the justification for the change. Both the envelope and the request itself must be clearly marked: "Privacy Act Amendment Request."
The specific procedures for correcting inaccurate or erroneous information are provided in Title 29 CFR 71.9.
How are individuals notified of the procedures for correcting their own information?
This information is published in the Federal Register entry for the system.
If no formal redress is provided, what alternatives are available to the individual?
When a request for correction or amendment is denied in whole or in part, the requester may appeal the denial to the Solicitor of Labor within 90 days of the receipt of the notice denying the request.
Privacy Impact Analysis
The predominant risk exists in individuals being unaware of how to correct erroneous information in their records. SOL provides procedures in the SOLTAM SORN for individuals to correct erroneous information in their records. The DOL client agencies are responsible for making corrections upon notification by SOL.
TECHNICAL ACCESS AND SECURITY
The following questions are intended to describe technical safeguards and security measures.
Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)
SOL general and privileged (administrators) users will have access to the system. SOLTAM is not public facing.
Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.
Yes, SOLTAM is accessed by developers and system administrators, who are authorized contractors of the Department of Labor, for the purpose of developing, testing, operating, and maintaining the system.
Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.
Yes, SOLTAM uses role-based access control. Roles include general user and privileged administrator roles that restrict the type of information that can be viewed.
What procedures are in place to determine which users may access the system and are they documented?
SOL has documented access control procedures in place that ensure only authorized users have access to SOLTAM. Highlights of the SOL procedures include:
- General and privileged user Rules of Behavior acknowledgement;
- Access provided strictly on the basis of approved authorizations;
- Automatic removal of inactive accounts;
- Least-privilege access based on role; and
- Separation of duties.
How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide the date of the last training.
SOLTAM conducts account reviews and semi-annual account verification audits in accordance with DOL guidance to verify that each system user's role is still valid. SOL employees and contractors take the annual Information Systems Security and Privacy Awareness Training and acknowledge the Rules of Behavior as part of completing the training.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system?
Mandatory DOL Information Systems Security and Privacy Awareness Training is provided to all SOL employees and contractors annually.
What auditing measures and technical safeguards are in place to prevent misuse of data?
Auditing functionality exists within the system to record all business users and system administrator actions in an Audit Log. The Audit Log is protected from viewing by unauthorized users and is reviewed on a monthly basis for unusual or suspicious activity.
Within the system there are specific user roles (groups) defined which provide varying levels of authorized access to data stored in SOLTAM. Critical functions are divided among different individuals based on their user role assignment. Data stored in the system is encrypted at rest and during transmission. Inactive user accounts are automatically deactivated.
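The controls described above (role-based restriction of which fields a user can view, an append-only audit log of user actions that is periodically reviewed for unusual activity) and the data-minimization rule from the Retention section (only the last four digits of the SSN are recorded, and only for Black Lung matters) are illustrated below in a small in-memory model. This is an added example written for this page, not SOLTAM's or Salesforce's code; the role names, the field-visibility map, the matter-type labels, the review threshold and the sample record are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role-to-field visibility map. The page says roles restrict the
# type of information a user can view but does not list the fields; these are
# assumed for illustration.
ROLE_VISIBLE_FIELDS = {
    "general_user": {"matter_id", "matter_type", "party_name", "mailing_address", "status"},
    "privileged_admin": {"matter_id", "matter_type", "party_name", "mailing_address",
                         "status", "ssn_last4"},
}

# Matter types for which an SSN may be recorded (last four digits only), per the
# page's data-minimization statements. FECA subrogation matters record no SSN.
# The type labels themselves are assumed.
SSN_LAST4_MATTER_TYPES = {"black_lung"}


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    role: str
    action: str
    matter_id: str
    detail: str = ""


@dataclass
class MatterStore:
    """In-memory stand-in for the matter records and their audit log."""
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, user, role, action, matter_id, detail=""):
        # Append-only: callers never edit or remove entries.
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, action, matter_id, detail))

    def create_matter(self, user, role, matter_id, matter_type, party_name,
                      mailing_address, ssn=None):
        record = {"matter_id": matter_id, "matter_type": matter_type,
                  "party_name": party_name, "mailing_address": mailing_address,
                  "status": "open"}
        if ssn is not None:
            if matter_type not in SSN_LAST4_MATTER_TYPES:
                raise ValueError(f"SSN is not collected for {matter_type} matters")
            digits = "".join(ch for ch in ssn if ch.isdigit())
            if len(digits) != 9:
                raise ValueError("SSN must contain nine digits")
            record["ssn_last4"] = digits[-4:]  # the full SSN is never stored
        self.records[matter_id] = record
        self._log(user, role, "create", matter_id, f"type={matter_type}")
        return record

    def view_matter(self, user, role, matter_id):
        """Return only the fields the caller's role may see; log every attempt."""
        visible = ROLE_VISIBLE_FIELDS.get(role)
        if visible is None:
            self._log(user, role, "view_denied", matter_id, "unknown role")
            raise PermissionError(f"role {role!r} is not authorized")
        record = self.records[matter_id]
        shown = {k: v for k, v in record.items() if k in visible}
        self._log(user, role, "view", matter_id, "fields=" + ",".join(sorted(shown)))
        return shown


def review_audit_log(audit_log, max_views_per_user=50):
    """Periodic review pass: surface denied actions and unusually high view
    counts. The threshold is an assumed value, not one stated on the page."""
    findings = []
    views = {}
    for entry in audit_log:
        if entry.action == "view_denied":
            findings.append(f"denied access: {entry.user} ({entry.role}) on {entry.matter_id}")
        elif entry.action == "view":
            views[entry.user] = views.get(entry.user, 0) + 1
    for user, count in sorted(views.items()):
        if count > max_views_per_user:
            findings.append(f"high volume: {user} viewed {count} matters")
    return findings


def demo():
    """Constructed sample: one Black Lung matter, two authorized views, one denied."""
    store = MatterStore()
    store.create_matter("dclerk1", "general_user", "BL-0001", "black_lung",
                        "J. Example", "PO Box 1, Anytown", ssn="123-45-6789")
    clerk_view = store.view_matter("dclerk1", "general_user", "BL-0001")
    admin_view = store.view_matter("admin1", "privileged_admin", "BL-0001")
    try:
        store.view_matter("guest", "unknown_role", "BL-0001")
    except PermissionError:
        pass
    return store, clerk_view, admin_view


if __name__ == "__main__":
    store, clerk_view, admin_view = demo()
    print(clerk_view)
    print(admin_view)
    print(review_audit_log(store.audit_log))
```

Two design points matter for the controls this section describes: the denied attempt is written to the log before the exception is raised, so the monthly review sees failed access as well as successful access, and the SSN is reduced to its last four digits at the point of entry, so no code path in the store ever holds the full number.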
Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?
Yes. SOLTAM is built on Salesforce which maintains its own FedRAMP requirements and is assessed annually. SOLTAM will go through an assessment prior to being in production.
Privacy Impact Analysis
The PII stored in SOLTAM is subject to minimal risk because it is well protected by implementation of numerous security controls at the network and application level as defined by NIST SP 800-53 Security and Privacy Controls for Federal Systems and Organizations. SOLTAM users are assigned roles that enforce least privilege for the ability to modify data. SOLTAM audit logs record all changes to data to allow forensic analysis of changes to data if required.
TECHNOLOGY
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.
Was the system built from the ground up or purchased and installed?
SOLTAM is a Salesforce-based system that was purchased and installed.
Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.
Salesforce is FedRAMP approved and implements a number of data integrity, privacy, and security controls to protect SOLTAM PII.
What design choices were made to enhance privacy?
Salesforce is FedRAMP approved and implements a number of data integrity, privacy, and security controls to protect SOLTAM PII.
For systems in development, what stage of development is the system in, and what project development life cycle was used?
The system is in the development and execution phase of the project development life cycle.
For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss its implementation.
No, this system is built on Salesforce which is a FedRAMP approved system.
DETERMINATION
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
- SOL has completed the PIA for SOLTAM which is currently in development.
- SOL has determined that the safeguards and controls for this Moderate system will adequately protect the information; they will be referenced in the SOLTAM System Security Plan, to be completed by May 2023.
- SOL has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.