The following laws and regulations establish specific requirements for the confidentiality, integrity, and availability of the data processed, stored, and transmitted by the EEOC Document Management System (DMS):
Computer Fraud and Abuse Act of 1984
Federal Information Security Management Act of 2002
OMB February 1996 Circular A-130, Appendix III
Paperwork Reduction Act of 1980
Privacy Act of 1974
Title VII of the Civil Rights Act of 1964
Equal Pay Act of 1963
Age Discrimination in Employment Act of 1967
Sections 501 and 505 of the Rehabilitation Act of 1973
Title I and Title V of the Americans with Disabilities Act of 1990
EEOC Order 240.005, EEOC Information Security Program
Information Security Responsibilities of EEOC Employees
EEOC Order 150.003, Privacy Act of 1974, As Amended
Public laws and regulations applicable to all federal agencies
The individual’s right to privacy must be protected in Federal Government information activities involving personal information. This assessment addresses the privacy impact of the EEOC DMS.
1. Generally describe the information to be used in the system in each of the following categories: Complainant, Company, EEOC Employee, Other.
The DMS contains: correspondence to EEOC, litigation files, and Federal Appeals files, which may include information about a complainant, a company, any Federal employee or Agency, or anyone else in the general public.
2. What are the sources of the information in the system?
The DMS includes any correspondence from an outside source addressed to the Chair of EEOC, plus Congressional and White House inquiries, including internally generated EEOC responses to the correspondence. Federal Appeals documents originate from complainants, representatives, and Federal Agencies. The EEOC Decisions are stored with the Federal Appeals cases. Additionally, correspondence and reports from Federal Agencies are included in the DMS for the Office of Federal Operations. The Notation Vote System of the DMS includes litigation recommendations, and other internally generated documents that are provided to the Chair, Vice Chair and Commissioners.
2.1. What EEOC files and databases are used?
Documents described in section 1 and their associated metadata are stored in the document management system maintained at EEOC Headquarters. When applicable, common data elements are shared with the EEOC Integrated Mission System (IMS).
2.2. What Federal Agencies are providing data for use in the system?
All Federal Agencies provide documents that may be stored in the DMS, such as agency files for Federal Appeals, Form 462 reports, and MD 715 reports.
2.3. What State and Local Agencies are providing data for use in the system?
Documents related to a State or Local Agency might be included in the DMS, such as 321 Cases processed by the Office of Federal Operations.
2.4. What other third party sources will data be collected from?
2.5. What information will be collected from the correspondent, complainant, appellant, agency representative, or EEOC Commissioner?
The documents include the name and contact information of the individuals, along with the particulars of the issue or topic, the complaint, the basis for the belief that the action was discriminatory, or the reason for the appeal. The Commissioner’s name and vote are recorded for items circulated in the Notation Vote System.
3. How will data collected from sources other than EEOC records and the correspondent, complainant, or company be verified for accuracy?
Data is obtained from the documents provided by the complainant or correspondent. Scanned documents and data are verified by EEOC employees during the scanning validation and indexing process.
3.1. How will data be checked for completeness?
The electronic record can only be submitted if all of the required fields are completed.
3.2. Is the data current? How do you know?
The currency of the data depends on the documents provided by the complainant or correspondent. The date of the correspondence is entered in the system.
4. Are the data elements described in detail and documented? If yes, what is the name of the document?
The document attributes are described and documented in the Enterprise Document Management System (EDMS) Design Report.
5. How will the data be used by the agency? Who is responsible for assuring proper use of the data?
The information will be used in much the same way as information obtained through traditional printed means. Responses to incoming correspondence and written decisions are reviewed by managers in accordance with internal business practices. EEOC staff are responsible for assuring proper use of the data, which is enforced by EEOC policies and laws.
6. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Other)?
EEOC staff and managers with a login/password to the DMS will have access to the information. System Administrators and Developers under contract with EEOC will also have the necessary access.
7. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?
Access rights are determined by the role of the user, which is identified by the user’s manager. In addition, each application sponsor approves access requests. The roles are assigned to specific groups as documented in the Enterprise Document Management System (EDMS) Design Report.
8. Will users have access to all data on the system or will the users’ access be restricted?
User access is restricted to a specific group or groups as documented in the Enterprise Document Management System (EDMS) Design Report.
9. What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?
Access by EEOC employees is governed by security policies and business requirements. Each user must complete a user access authorization that states their responsibilities.
10. Do other systems share data or have access to data in this system? If yes, explain. Who will be responsible for protecting the privacy rights of the individuals affected by the interface?
Some data related to litigation cases and Federal appeals within the DMS will be shared with EEOC's Integrated Mission System (IMS). Privacy rights are enforced by EEOC policies and laws. No other sharing or access mechanisms are available.
11. Will other agencies share data or have access to data in this system (International, Federal, State, Local, Other)?
No other agencies share data or have access to the DMS.
12. How will the system ensure that agencies only get the information they are entitled to under applicable statutes or regulations?
Other agencies do not have access to the DMS.
13. Is the use of the data both relevant and necessary to the purpose for which the system is being designed?
14. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
The DMS does not derive new data about an individual.
14.1. Will the new data be placed in the individual’s record (complainant or company)?
14.2. Can the system make determinations about complainants or companies that would not be possible without the new data?
14.3. How will the new data be verified for relevance and accuracy?
15. If data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
The electronic documents are consolidated into a structured, centralized storage environment. The application is hosted in a secure environment protected by the appropriate firewalls, security certificates, encryption, IT infrastructure, and internal controls. Intrusion detection and other security controls are implemented. A third-party IT security risk assessment has been conducted.
15.1. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
16. How will the data be retrieved? Can it be retrieved by personal identifier? If yes, explain. What are the potential effects on the due process rights of complainants or companies of: consolidation and linkage of files and systems; derivation of data; accelerated information processing and decision making; use of new technologies. How are the effects to be mitigated?
EEOC staff may retrieve DMS data once they have access to the system, by entering the correspondent’s name or address, or the complainant’s name. Additionally, electronic documents can be retrieved using a full-text search.
The DMS and its attendant technologies present no new potential challenges to the due process rights of correspondents and complainants.
17. Explain how the system and its use will ensure equitable treatment of correspondents and complainants. If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?
The DMS uses standard screens to index and store documents according to type and date, thereby ensuring equitable treatment. It is a server-based, centrally located system.
17.1. Explain any possibility of disparate treatment of individuals or groups.
The DMS requires access to the EEOC network for direct use. The DMS is fully compliant with the standards outlined in Section 508 of the Rehabilitation Act of 1973, thereby ensuring equal access to information for individuals with disabilities. While this system will allow EEOC staff to manage some processes and documents electronically, full agency services will continue to be available through the EEOC headquarters and field office locations via telephone, walk-in, mail, and fax. In addition, our NCC will continue to serve individuals who contact EEOC via our 1-800 telephone number, including translation and TTY services, as required.
18. What are the retention periods of data in this system?
Retention periods for data and documents are indefinite, but the official record remains the paper-based file.
18.1. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented?
18.2. While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
Data is obtained from the documents provided by the complainant, agency, representative, or correspondent. The electronic record can only be submitted if all of the required fields are completed. The date of the correspondence or file is entered in the system. No determinations are made on complaints after they are closed, and determinations about individuals are not made in EEOC correspondence or in the Notation Vote System.
19. Is the system using technologies in ways that the EEOC has not previously employed?
The DMS uses EEOC's standardized technologies for web-based e-government applications. The underlying enterprise document management system is used only by the DMS.
19.1. How does the use of this technology affect individual privacy?
Individual privacy should not be affected by these technologies. Tracking mechanisms for individuals’ information are not employed. Information is handled in accordance with EEOC's policies and laws.
20. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
Correspondence or complaint information contains identifying and contact information. In all other respects, the DMS cannot identify, locate, or monitor an individual.
20.1. Will this system provide the capability to identify, locate, and monitor groups of people? If yes, explain.
20.2. What controls will be used to prevent unauthorized monitoring?
Administrative controls are established to ensure that monitoring for system performance and other diagnostic purposes is not abused to monitor user information.