OVERVIEW
Wage and Hour Integrated Services Platform (WHISP) is the overall Wage and Hour investment name for this project. WHISP is the Wage and Hour Division (WHD) Integrated Services Environment, comprised of tools and technologies to deliver business functionality for Wage Hour in the areas of Enforcement, Financial Management, Certificate Issuance and Wage Determinations, and to promote enterprise data management across the organization. WHISP is being developed on DOL's Case Management Platform (CMP), where it will include a number of applications developed to address the various laws that WHD administers. WHISP includes the following applications:
- Certificate Application Processing System (CAPS) that facilitates the processing and generation of certificates for four of the five certificate programs that WHD administers. Those certificate programs are:
  - Section 14(a) of the Fair Labor Standards Act (FLSA) authorizes the payment of subminimum wages – at rates not less than 75 percent of the applicable minimum wage under section 6(a) of the FLSA – to a student-learner after the employer has applied for an authorizing certificate from DOL.
  - Section 14(b) of the FLSA authorizes certain types of employers to pay subminimum wages – wages less than the federal minimum wage – to full-time students, but only after applying for and receiving a certificate from DOL.
  - Section 14(c) of the FLSA authorizes the payment of subminimum wages to workers with disabilities whose productivity is impaired by their disabilities after the employer has applied for and received an authorizing certificate from DOL.
  - Section 11(d) of the FLSA requires that homeworkers must be paid at a rate of not less than the minimum wage provided in the Act for all hours worked unless a lower rate is permitted under a special certificate for an individual homeworker in accordance with Regulations, 29 CFR 525.
- The Electronic Case File (ECF) serves as the document management portion of WHD's case management system. The first release provides users the ability to upload, label, view, and edit documents of many file formats. The ECF will be used by WHD staff to attach and review pertinent records about a business and its employees to substantiate compliance levels with WHD's regulations. Additional features include dashboards for workflow management, a feedback tool that allows users to report bugs or send comments and questions, and a help module which will maintain user manuals and videos for assistance. Record retention rules are built into the ECF that will dispose of records at specific timeframes per WHD policy and procedures.
- Wage and Hour Internal Conformance System (WHICS) serves as the processing and document management system for Davis-Bacon Act and Service Contract Act conformances. Agencies outside of WHD and federal contractors provide wage information to ensure that rates meet requirements for the job type. This system does not contain PII.
These applications are the first of many applications that will be developed by utilizing the Appian "low code" approach. WHD anticipates that the Wage and Hour Investigative Support and Reporting Database (WHISARD) legacy application and its sub-systems will be replaced by Appian in addition to a number of manual business processes that are currently in place.
CHARACTERIZATION OF THE INFORMATION
The following questions are intended to define the scope of the information requested and/or collected as well as reasons for its collection as part of the program, system, or technology being developed.
Specify whether the System collects personally identifiable information (PII) on DOL employees, other federal employees, contractors, members of the public (U.S. citizens), foreign citizens, or minor children.
WHISP does not collect personally identifiable information (PII) on DOL employees or other Federal employees. PII is collected from members of the public (U.S. citizens), contractors, minor children, and foreign citizens.
From whom is information to be collected?
CAPS: The information is collected from applicants wishing to obtain certification from WHD under the labor laws enforced by the agency.
ECF: The information is collected from employers and employees during the course of investigations conducted by WHD under the labor laws enforced by the agency.
WHICS: The information is collected from other Federal agencies, Federal contractors, and other DOL agencies (Bureau of Labor Statistics).
Why is the Information being collected?
The information is collected to inform certification, enforcement, and conformance decisions made by WHD for the labor laws the agency enforces.
What is the PII being collected, used, disseminated, or maintained?
The collection, dissemination, and maintenance of PII in WHISP consists of the following:
- Name
- Phone numbers
- Social Security Number
- Residential address
- Business address
- Mailing address
- Business phone number
- Employer Identification Number (EIN)/Taxpayer Identification Number (TIN)
How is the PII collected?
CAPS: The PII is collected from applicants who have completed the appropriate application(s) for the certificate program in which they wish to participate.
- To apply for a section 14(a) certificate, applicants must complete the WH-205: Application for Authorization to Employ a Student-Learner at Subminimum Wages.
- To apply for a section 14(b) certificate, applicants must complete either the WH-200: Application for Authority to Employ Full-Time Students at Subminimum Wages in Retail or Service Establishments or Agriculture Under Regulations 29 C.F.R. Part 519, WH-201: Higher Education to Employ its Full-time Students at Subminimum Wages Under Regulations 29 C.F.R. Part 519, or WH-202: Application for Authority to Employ Six or Fewer Full-Time Students at Subminimum Wages in Retail or Service Establishments or Agriculture Under Regulations 29 C.F.R. Part 519.
- To apply for a section 14(c) certificate, applicants must complete the WH-226: Application for Authority to Employ Workers with Disabilities at Subminimum Wages and the WH-226A: Supplemental Data Sheet(s) for Application for Authority to Employ Workers with Disabilities at Subminimum Wages.
- To apply for a section 11(d) certificate, applicants must complete the WH-2: Application for Special Industrial Homeworker Certificate or the WH-46: Application for Certificate to Employ Homeworkers.
ECF: The PII is collected from employers and employees during the course of investigations and conciliations conducted by the agency.
- During investigations, WHD investigators collect employer and employee PII through records and statements of the individuals relevant to the investigation. These include:
  - Tax Returns: SSN [if employer uses it], financial information
  - IRS Form 1099: Salary, address, financial information
  - Payroll records: SSN, salary, address
  - Employee list: SSN, age, salary, address, phone numbers
  - Driver's Licenses: Age, address
  - Medical records [FMLA cases]: SSN, personnel and medical information
  - Visa Applications [H1B, H1A, H2B cases]: Age, salary, address, phone numbers
WHICS: This system, while contained in WHISP, does not collect PII.
How will the information collected from individuals or derived from the system be checked for accuracy?
PII collected directly from individuals requesting certification and during investigations is assumed to be accurate.
What specific legal authorities, arrangements, and/or agreements defined allow the collection of PII?
The WHISP system supports the following labor laws in the workplace:
- Fair Labor Standards Act
- Family and Medical Leave Act
- Davis-Bacon Act
- Service Contract Act
- SMW14 (FLSA Section 14(c))
- SMWFT (FLSA Section 14(b) - Full-Time Students)
- SMWPW (FLSA Sec.14(c) - Patient Worker)
- SMWSL (FLSA Sec.14(a) - Student Learner)
- MSPA (Migrant and Seasonal Agricultural Worker Protection Act)
- Homeworker (Provisions of the Fair Labor Standards Act)
Privacy Impact Analysis
While PII is collected, only the minimum information necessary to accomplish the mission is recorded and the information is collected directly from affected employees and/or employers.
DESCRIBE THE USES OF THE PII
The following questions are intended to clearly delineate the use of information and the accuracy of the data being used.
Describe all the uses of the PII
CAPS: The information provided within a certificate application, including personally identifiable information (PII), is analyzed in order to determine the appropriate certificate action.
ECF: The information provided by employers and employees is used to ensure the application of the minimum wage, overtime, and Family and Medical Leave Act compliance.
What types of tools are used to analyze data and what type of data may be produced?
WHD uses data analytics tools, such as Business Objects and Tableau, to identify trends and analyze the information collected.
Will the system derive new data, or create previously unavailable data, about an individual through aggregation of the collected information?
No, WHISP is not currently designed to derive new information or create previously unavailable data about individuals.
If the system uses commercial or publicly available data, please explain why and how it is used.
The system data is not available for commercial or public use.
Will the use of PII create or modify a "system of records notification" under the Privacy Act?
No, the use of PII will not create or modify a "system of records notification" under the Privacy Act.
Privacy Impact Analysis
The PII collected is used only for a very specific and limited purpose. It is not used for any form of analysis nor is any data derived from PII collected by investigators.
RETENTION
The following questions are intended to outline how long information will be retained after the initial collection.
What is the retention period for the data in the system?
CAPS: In accordance with WHD record retention schedule N1-155-11-3 Item 2, records will be retained for 5 years after the final action.
ECF: In accordance with WHD record retention schedule N1-155-11-3 Item 3A, records will be retained for 12 years from the conclusion date.
WHICS: In accordance with WHD record retention schedule N1-155-11-3 Item 8, records will be retained for 20 years after final action.
Is a retention period established to minimize privacy risk?
The retention schedules for all applications within WHISP have been designed to balance WHD business needs with privacy risk. The retention periods selected have been vetted and approved by the Archivist of the United States.
Has the retention schedule been approved by the National Archives and Records Administration (NARA)?
WHD record retention schedule N1-155-11-003A has been approved by the DOL agency records officer and the National Archives and Records Administration (NARA).
The records schedule N1-155-2011-0003 was approved 06/26/2013.
Per M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; what efforts are being made to eliminate or reduce PII that is collected, stored, or maintained by the system if it is no longer required?
The PII contained in the system is deleted as soon as the retention requirements of N1-155-2011-0003, item 3a, have been met.
Only the PII critical to an investigation is collected. WHD has a policy to stop collecting SSNs.
How is it determined that PII is no longer required?
PII is eliminated from the system in accordance with the WHD record retention schedule items listed in the beginning of section 4.1 of this document. The system provides users with document upload functionality; if users do not manually redact PII from a document, it will be uploaded into the system as is. There is also no data entry or collection of PII in the ECF at this point.
If you are unable to eliminate PII from this system, what efforts are you undertaking to mask, de-identify or anonymize PII?
PII is eliminated from the system in accordance with the WHD record retention schedule items listed in the beginning of section 1.4 of this document.
Privacy Impact Analysis
Data is retained in strict accordance with the WHD record retention schedules N1-155-11-003, Items 2, 3A, and 8. Safeguards are in place for the data stored in the WHISP database as well as the archived data which is maintained off-site in a vendor provided secure storage facility that meets or exceeds federal standards for physical access control.
INTERNAL SHARING AND DISCLOSURE
The following questions are intended to define the scope of sharing within the Department of Labor.
With which internal organization(s) is the PII shared, what information is shared, and for what purpose?
The WHISP system shares PII with the Appian subcomponent, which is within the DOLCMP boundary. The DOLCMP shares PII with the DOLCS SharePoint Online site collection under the DOLCS ATO boundary.
How is the PII transmitted or disclosed?
The WHISP system is a subcomponent within DOLCMP and transmits or discloses PII information to the DOLCS SharePoint Online system.
Does the agency review when the sharing of personal information is no longer required to stop the transfer of sensitive information?
Yes, the agency reviews the information when the sharing of personal information is no longer required.
Privacy Impact Analysis
Yes, Privacy Impact Analysis is conducted annually for the WHISP.
EXTERNAL SHARING AND DISCLOSURE
The following questions are intended to define the content, scope, and authority for information sharing external to DOL which includes federal, state, and local government, and the private sector.
With which external organization(s) is the PII shared, what information is shared, and for what purpose?
WHISP does not share PII with any external organization.
Is the sharing of PII outside the Department compatible with the original collection? If so, is it covered by an appropriate routine use in a SORN? If so, please describe. If not, please describe under what legal mechanism the program or system is allowed to share the PII outside of DOL.
WHISP does not share PII with any external organization.
How is the information shared outside the Department and what security measures safeguard its transmission?
WHISP does not share PII with any external organization, so no security measures safeguarding transmission of data have been implemented.
How is the information transmitted or disclosed?
WHISP does not share PII with any external organization.
Is a Memorandum of Understanding (MOU), contract, or any agreement in place with any external organizations with whom information is shared, and does the agreement reflect the scope of the information currently shared? If the answer is yes, be prepared to provide a copy of the agreement in the event of an audit as supporting evidence.
WHISP does not share PII with any external organization except through the CAPS-USMCA module.
DOL-WHD currently has one MOU in place for the exchange of information/data with CBP's Automated Commercial Environment (ACE) system (please see attached). This covers CAPS-USMCA.
How is the shared information secured by the recipient?
WHISP does not share PII with any external organization.
What type of training is required for users from agencies outside DOL prior to receiving access to the information?
WHISP does not share PII with any external organization.
Privacy Impact Analysis
There is no Privacy Impact with the WHISP system because it does not transmit, share or disclose PII to any external organization.
NOTICE
The following questions are directed at notice to the individual of the scope of PII collected, the right to consent to uses of said information, and the right to decline to provide information.
Was notice provided to the individual prior to collection of PII? If yes, please provide a copy of the notice as an appendix. A notice may include a posted privacy policy, a Privacy Act notice on forms, or a system of records notice published in the Federal Register Notice. If notice was not provided, please explain.
Not always. In some cases, PII is collected directly from the individual submitting a complaint. In other cases, PII may be collected as a result of a direct investigation that affects one or more individuals. Notice of the collection of PII information on individuals is provided by the publication of SORN DOL/WHD-6 in the Federal Register.
Federal Register Publication
https://www.dol.gov/agencies/sol/privacy/whd-6.
Do individuals have the opportunity and/or right to decline to provide information?
Not always. Information is collected as a result of an investigation. In some cases, this information is collected directly from the individual, who at that time has the opportunity to decline to provide information. In other cases, information may be collected from a third party such as the employer, and in such cases the individuals do not have the opportunity to decline to provide information.
Do individuals have the right to consent to particular uses of the information? If so, how does the individual exercise the right?
No. Information is collected as a result of an investigation to determine if an employer has violated any of the labor laws enforced by Wage and Hour. Due to the limited nature of its use, individuals are not provided an option for consenting to this use of the information.
Privacy Impact Analysis
PII is collected as a result of an investigation. In some cases, this information is provided directly by the individual to whom it pertains but in all cases, individuals do not have the right to consent to its use.
INDIVIDUAL ACCESS, REDRESS, AND CORRECTION
The following questions are directed at an individual's ability to ensure the accuracy of the information collected about them.
What are the procedures that allow individuals to gain access to their own information?
Individuals may request their data from the WHISP system by making a Privacy Act request through the Privacy Act request procedures listed at https://www.dol.gov/general/privacy/instructions.
What are the procedures for correcting inaccurate or erroneous information?
Individuals wishing to contest or amend any records should direct their request to the appropriate regional office. Such inquiries should include the full name of the requester and the date and amount of assessment. Information about district and regional offices for Wage Hour can be found by going to http://www.dol.gov/whd/about/whdabout.htm on the internet or by contacting the disclosure officer at the following address:
Administrator, Wage and Hour Division,
Room S-3502, Frances Perkins Building
200 Constitution Avenue, NW, Washington, DC 20210
How are individuals notified of the procedures for correcting their own information?
Information is collected during the conduct of an investigation and is used only for investigative purposes. The form WH-60 or WH-58 is provided to the individuals involved in the investigation in an effort to ensure that their information is complete and accurate. General information for individuals on correcting their own information is available at https://www.dol.gov/general/privacy/instructions.
If no formal redress is provided, what alternatives are available to the individual?
A formal process exists as described in the bullet above.
Privacy Impact Analysis
The form WH-60 or WH-58 is provided to the individuals involved in the investigation in an effort to ensure that their information is complete and accurate. In addition, the publication of SORN DOL/WHD-2 addresses the procedure for further correction and updating of the information that is gathered.
TECHNICAL ACCESS AND SECURITY
The following questions are intended to describe technical safeguards and security measures.
Which user group(s) will have access to the system? (For example, program managers, IT specialists, and analysts will have general access to the system and registered users from the public will have limited access.)
Approved DOL employees and contractors will have access to the system.
Will contractors to DOL have access to the system? If so, please include a copy of the contract describing their role to the OCIO Security with this PIA.
Yes, contractors will have access to the system if required based on their assigned duties. See Appendix B for a copy of the contract describing their role to privacy requirements.
Does the system use "roles" to assign privileges to users of the system? If yes, describe the roles.
Yes, the system uses "roles" to assign privileges to users of the system. The roles are "None", "Self-Case Manager", "Manager", "Manager Control" and "Application Administrator".
What procedures are in place to determine which users may access the system and are they documented?
Procedures are in place that must be followed before allowing users access to the system. The process is designed to comply with the principles of least privilege and separation of duties as follows.
All DOL employees and contractors must undergo at a minimum a standard DOL background check. Users of the system must first complete the process for requesting and obtaining a DOL network account. Next, they will need to complete and submit the appropriate Wage Hour request form, which identifies the system to which access is being requested along with their proposed role and/or privileges. All requests for system access must be approved by the user's supervisor and the System Owner (SO) or SO representative. Separation of duties is enforced by requiring actions by both OASAM-OCIO account managers and WHD account administrators to complete the process before user access to the system is granted.
How are the actual assignments of roles and Rules of Behavior verified according to established security and auditing procedures? How often is training provided? Provide the date of the last training.
WHD uses the Wage Hour Program Services and Applications Request Form, which must be approved by a supervisor to assign roles. All users are required to review the Rules of Behavior annually and provide acknowledgment to the Security Team. The last Rules of Behavior was signed and submitted along with the required Information Systems Security and Privacy Awareness training due by July 31, 2023.
Describe what privacy training is provided to users, either generally or specifically relevant to the program or system.
WHD employees are trained to protect individual PII as part of the Computer Security Awareness Training (CSAT) and are required to agree to the DOL Rules of Behavior. In addition, all new WHD investigators and support staff are trained to safeguard information as part of their Basic Training.
What auditing measures and technical safeguards are in place to prevent misuse of data?
Event logs are used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found in NIST Special Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations.
WHD users must first log in to the DOL/OASAM-OCIO-GSS network, and only then is it possible to log in to WHISP. A separate ID and password are required for the user to then log in to WHISP. Event logs are designed to capture detailed information pertaining to both of these account activities as well as others such as establishing, activating, modifying, reviewing, disabling, and removing accounts. These logs are reviewed monthly by management in an effort to detect any unusual or unauthorized activity.
WHD has an established Incident Response and Reporting procedure that requires users to promptly report known or suspected unauthorized use or disclosure of user IDs and/or passwords, misuse of computer resources, security violations, or unusual occurrences to appropriate authorities. OASAM-OCIO-GSS has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall.
Is the data secured in accordance with FISMA requirements? If yes, when was Security Assessment and Authorization last completed?
Yes, data is secured in accordance with FISMA requirements which are supported by the completion of the most recent Security Assessment and Authorization dated 11/20/2019.
Privacy Impact Analysis
The implementation of security controls as described above represents a defense in depth approach to providing adequate protection of all sensitive information contained in the system including PII. These controls are effective in preventing unauthorized access to the system, detecting if a system has been compromised and responding to incidents in the event that a system compromise has been suspected.
TECHNOLOGY
The following questions are directed at critically analyzing the selection process for any technologies utilized by the system, including system hardware, biometrics, and other technology.
Was the system built from the ground up or purchased and installed?
The system was built from the ground up.
Describe how data integrity, privacy and security were analyzed as part of the decisions made for your system.
Data integrity, privacy and security were analyzed as part of the decisions for the WHISP system to ensure the system's objectives of complying with the labor laws listed in section 1.2 are carried out.
What design choices were made to enhance privacy?
The following design choices were made to enhance privacy:
- WHISP was not designed to derive new information or create previously unavailable data about individuals.
- The system is not available for commercial or public use.
- Event logs are used to record multiple levels of user activity with the system in compliance with federal guidelines and regulations such as those found in NIST Special Publication 800-53.
- WHD users must first log in to the DOL/OWCP-GSS network, and only then is it possible to log in to WHISP.
- A separate ID and password are required for the user to then log in to WHISP.
- OASAM/OCIO GSS has implemented managed firewall services that include hardware configuration control, firewall server update installation and configuration, and 24x7 monitoring and oversight of the National Office firewall.
For systems in development, what stage of development is the system in, and what project development life cycle was used?
All DOL major information systems are required to follow the computer security life cycle defined in the DOL System Development Life Cycle Management Manual (SDLCMM). Based on the SDLCMM the WHISP system is in the Operations and Maintenance Phase (Phase IV).
For systems in development, does the project employ technology which may raise privacy concerns? If so, please discuss their implementation.
The WHISP system utilizes only standard DOL approved technologies and protocols to allow users access to the system. Technologies which could raise significant privacy concerns such as peer-to-peer file sharing, remote and web access and others are not authorized for use with this system.
DETERMINATION
As a result of performing the PIA, what choices has the agency made regarding the information technology system and collection of information?
Wage and Hour Division (WHD) has completed the PIA for Wage and Hour Integrated Services Platform (WHISP) which is currently in operation.
- WHD has determined that the safeguards and controls for this moderate system adequately protect the information.
- Wage and Hour Division (WHD) has determined that it is collecting the minimum necessary information for the proper performance of a documented agency function.