Breadcrumb

  1. Home
  2. Privacy
  3. FEDSEP PRIVACY IMPACT ASSESSMENT JUNE 22, 2015

FEDSEP PRIVACY IMPACT ASSESSMENT JUNE 22, 2015

The following laws and regulations establish specific requirements for the confidentiality, integrity, and availability of the data processed, stored, and transmitted by the Federal Sector EEO Portal (FedSEP):

  • Computer Fraud and Abuse Act of 1984
  • Federal Information Security Management Act of 2002
  • Paperwork Reduction Act of 1980
  • Title VII of the Civil Rights Act of 1964, as amended
  • Equal Pay Act of 1963, as amended
  • Age Discrimination in Employment Act of 1967, as amended
  • Sections 501 and 505 of the Rehabilitation Act of 1973
  • Title I and Title V of the Americans with Disabilities Act of 1990, as amended
  • The Civil Rights Act of 1991
  • EEOC Order 240.005, EEOC Information Security Program
  • EEOC Order 240.005, Appendix A, Information Security Responsibilities of EEOC Employees
  • EEOC Order 150.003, Privacy Act of 1974, as amended
  • Public laws and regulations applicable to all federal agencies
  • 5 U.S.C. § 552a, Freedom of Information Act of 1996, As Amended By Public Law No. 104-231, 110 Stat. 3048
  • 5 U.S.C. § 552a, Privacy Act of 1974, As Amended
  • Public Law 100-503, Computer Matching and Privacy Act of 1988
  • E-Government Act of 2002 § 208
  • Federal Trade Commission Act § 5
  • 44 U.S.C. Federal Records Act, Chapters 21, 29, 31, 33
  • Title 35, Code of Federal Regulations, Chapter XII, Subchapter B
  • OMB Circular A-130, Management of Federal Information Resources, 1996
  • OMB Memo M-10-23, Guidance for Agency Use of Third-Party Websites
  • OMB Memo M-99-18, Privacy Policies on Federal Web Sites
  • OMB Memo M-03-22, OMB Guidance for Implementing the Privacy Provisions
  • OMB Memo M-07-16, Safeguarding Against and Responding to the Breach of PII
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • State Privacy Laws

The individual's right to privacy must be protected in Federal Government information activities involving personal information. This assessment addresses the privacy impact of the FedSEP.

Data in the System

1. Generally describe the information to be used in the system in each of the following categories: Agency Users & EEOC Employee.

The Federal Sector EEO Portal (FedSEP) facilitates the submission of EEO data and documents by federal agencies to the Equal Employment Opportunity Commission (EEOC), in accordance with management directives (e.g., MD-715), congressional reporting requirements (e.g., Form 462), and the enforcement of anti-discrimination laws in the federal sector (e.g., federal hearings, federal appeals).

In FY 2013, EEOC initiated FedSEP to enable all federal agencies to provide electronic collection and submission of Federal Agency EEO Program Reporting (MD-715) data.

During FY 2014, EEOC expanded FedSEP to include submission and integrated analysis for the Annual Federal Equal Employment Opportunity Statistical Report of Discrimination Complaints (EEOC Form 462) data.

In FY 2015, EEOC further expanded FedSEP to allow agencies to upload their complaint file and check on the status of complaints at the hearing and appellate stages of the EEO process.

The FedSEP portal is built using standard and enterprise Java (JEE) based components, such as Java Server Faces (JSF), to dynamically generate presentation layer User Interface (UI) and Enterprise Java Beans (EJB) to connect to data sources such as relational databases and Enterprise Content Management System (ECM).

2. What are the sources of the information in the system?

Primary sources of information are the federal Agency Users who upload EEO data files (including forms MD715 and 463) and the enforcement of anti-discrimination laws in the federal sector. Federal Agency Users also upload any additional supporting documents which eventually get stored in ECM.

2.1. What EEOC files and databases are used?

Most EEO data is stored within the structure of the separate Oracle DBMS specifically designed for FedSEP application to which administrative access is tightly restricted. Supporting documents for both EEO data and complaint files are stored in Alfresco, which is an Enterprise Content Management System.

2.2. What Federal Agencies are providing data for use in the system?

There are over 350 federal agencies that provide employee demographics and complaint data.

2.3. What State and Local Agencies are providing data for use in the system?

None

2.4. What other third party sources will data be collected from?

None

2.5. What information will be collected from the Agency Users?

EEO data files, complainant data files and supporting documents.

3. How will data collected from sources other than EEOC records and the Agency Users be verified for accuracy?

Only Agency Users provide data in FedSEP.

3.1. How will data be checked for completeness?

There are well defined business rules embedded in FedSEP, which validate and verify data prior to processing for completeness.

3.2. Is the data current? How do you know?

Yes, the data is current. For EEO and complaint data the data is current because agencies are required to complete both annually with the previous year's information. As for hearings and appeals documents, they are current because they are entered only for open cases, or cases that are expected to be open, so the documents need to be current to the case-at-hand.

4. Are the data elements described in detail and documented? If yes, what is the name of the document?

Yes:

  • Status and Dynamic Requirement Document.pdf
  • XML Valid Table Group Row Combination Requirements
  • List of Agency Codes for MD-715
  • XML Schema Definition Requirement Document
  • Hearing Documentation Types.xls
  • Appeal Documentation Types.xlsx

5. Who will have access to the EEO data files and supporting documents in the system (Users, Managers, System Administrators, Developers, Other)?

Agency Users have access to their EEO data and Complaint file which agency users uploads into the system. EEOC employees who have log in credentials have "read only" access to data for all agencies; they cannot make changes to the data submitted by Agency Users.

6. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?

FedSEP has role level security. Each FedSEP application has defined roles that determine a user's access control to the application's features. A user can have a role for each area of the application (EEO Data, Complaint Data or Complaint files). FedSEP users who have a role of "EEO Director" or "User Account Administrator" can approve or deny FedSEP account requests for their agency. A few EEOC employees with FedSEP accounts have a role of "System Administrator" and can access agency EEO data and complainant files..

7. Will users have access to all data on the system or will the users' access be restricted?

Agency Users have access to data that belongs only to his/her agency, and in some cases, access only to that data to which s/he is specifically assigned. EEOC Users have read access to the EEO and complaint data agency data submitted by each Agency Users in FedSEP.

8. What controls are in place to prevent the misuse (e.g. browsing) of data by those having access?

Agency User roles and access are associated with an agency, Agency's EEO Directors review access to approve or deny access to their own agency. All Agency users must login with their userid and passwords. Agency EEO data and complaint data updates are logged into the system by the Agency User who is making the modification.. EEOC Users have ready only access to all agencies EEO and Compliant data files.

9. Do other systems share data or have access to data in this system? If yes, explain. Who will be responsible for protecting the privacy rights of the taxpayers and employees affected by the interface?

Yes, this system shares data with the Integrated Mission System (IMS). Please refer to IMS PIA for additional information. Agency Users can view limited data (EEOC Complaint and Appeal docket numbers, agency case number, case status, complainant names, and EEOC Administrative Judge contact information) for Hearings and Appeals cases that have been docketed in IMS, and they can add or modify information about their hearing- and appeal-specific contacts and legal representatives, which is sourced from and stored in IMS. They can also initiate and submit un-docketed cases via FedSEP and if necessary, delete them before the case is docketed. FedSEP provides an interface to access case data submitted by the agencies to registered users associated with that agency. Approved Agency Users can manage contact and legal representative data and submit documents for a Hearing or an Appeals case that they have access to. Additionally, they can review documents that were submitted by other Agency Users for a case they have access to. No case-related data is stored in FedSEP. However, case-related documents stored in Alfresco are accessible from FedSEP as well as from IMSNXG, and case-related contact and legal representative data stored in IMS are accessible from FedSEP as well as from IMS Federal Hearings or IMS Federal Appeals. In the next release of FedSEP, planned for FY 2016, Agency Users will also be able to review documents submitted and published for the agency by EEOC IMS users.

10. Will other agencies share data or have access to data in this system (International, Federal, State, Local, And Other)?

No international, state, or local agency has access to FedSEP. Only registered federal Agency Users who have been approved by their agency EEO Director or Registration Managers have access to FedSEP. Each agency's EEO Director or Registration Manager roles must be approved by a FedSEP System Administrator, a role available only to FedSEP users at EEOC.

11. How will the data be used by the agency? Who is responsible for assuring proper use of the data?

EEOC offices use Hearings and Appeals related data (complaint files) for the purpose of investigating and tracking a case of employment discrimination. EEOC staff members are responsible for assuring proper use of the data, which is prescribed by EEOC policies and laws. EEOC uses EEO data to create statistical reports. The Agency users will utilizes the EEO data to ensure MD-715 and Form 462 reports are accurately submitted to EEOC. They utilize the complaint data to ensure they respond timely to EEOC with the complaint files and to receive status on their Hearing and Appeal cases.

12. How will the system ensure that agencies only get the information they are entitled to under applicable statutes or regulations?

EEO data submitted by Agency Users on FedSEP is not shared with Agency Users of other agencies. All access are controlled and managed through Agency user role level access and is approved by Agency EEO Director. The information submitted by Agency Users to EEOC is required under EEOC Laws and therefore, all agency EEO data and complaint files are accessed by a few EEOC users who need to know this information.

13. Is the use of the data both relevant and necessary to the purpose for which the system is being designed?

Yes, the data is necessary to perform analysis based on Federal Agency EEO Program Reporting (MD-715) data and Statistical Report of Discrimination Complaints (EEOC Form 462) data. In FY-2015, FedSEP started allowing agencies to upload necessary and supporting documents associated with hearing and appellate cases. It also allows agencies to create un-docketed hearing and appellate cases for submission and add/update legal representative information associated with the case. This information is necessary for EEOC to effectively adjudicate a case of discrimination received from a complainant.

14. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?

No. The data is not new because it is a repository for data collected through existing procedures, generally submission by the registered federal Agency Users. Data is not aggregated from numerous sources.

14.1. Will the new data be placed in the individual's record (Agency Users)?

Not applicable.

14.2. Can the system make determinations about Agency Users that would not be possible without the new data?

Not applicable.

15. If data is being consolidated, what controls are in place to protect the data from unauthorized access or use?

The application is hosted in a secure environment protected by the appropriate fire walls, security certificates, encryption, IT infrastructure, and internal operational and managerial controls. Intrusion detection, as well as other security controls, is implemented. The application follows and complies with the specifications and guidelines provided in NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations." Physical security to the room that houses the servers is tightly restricted, as is access to the building itself.

15.1. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.

Access to the data is granted based on business needs. The appropriate security controls are in place to protect the data and prevent unauthorized access. These controls have been verified through a third party risk assessment.

16. How will the data be retrieved? Can it be retrieved by personal identifier? If yes, explain. What are the potential effects on the due process rights of Agency Users or companies of: consolidation and linkage of files and systems; derivation of data; accelerated information processing and decision making; use of new technologies. How are the effects to be mitigated?

An Agency User can only access data pertaining to his/her agency. For EEOC users, data retrieval is only allowed by authorized EEOC staff following correct entry of the login/password combination.

EEO data cannot be retrieved by personal identifying information, as we do not collection personal identifier information.

Decision-making at an individual or macro level is not controlled by technology tools. Rather, technology tools are utilized to enhance decision-making. Decision-making is controlled by application-wide policy and regulations, as well as applicable laws and statutes through which the agency operates. Programmatic and managerial controls are in place to ensure due process rights for all individuals that belong to federal agencies.

Maintenance of Administrative Controls

17. Explain how the system and its use will ensure equitable treatment of Agency Users. If the system is operated in more than one site, how will consistent use of the system and data be maintained in all sites?

The FedSEP portal uses system-wide business rules based on agency work processes and laws governing discrimination and role level security to ensure equitable treatment of all users. It is a web-based, centrally located system, with functions and rules that are centrally controlled and managed.

17.1. Explain any possibility of disparate treatment of individuals or groups.

To our knowledge, there is no possibility of disparate treatment of individuals or groups due to the use of Agency Users portal information.

18. What are the retention periods of data in this system?

Collected reporting data is retained indefinitely in FedSEP. Agency Users can also view historical reports generated based on previously submitted data. Supporting documents processed through FedSEP are temporarily retained while downloaded to IMS. Once downloaded to IMS they follow EEOC standard records schedules related to retention within IMS.

18.1. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented?

Not Applicable.

18.2. While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?

Data related to MD-715 and Form 462 submissions is provided by federal agencies on a yearly basis as per the filing deadline provided by EEOC. Upon successful upload, the Agency head and/or EEO Director of the agency certifies the accuracy of the data. FedSEP also performs basic validation and integrity check at the time of data insertion.

Data related to hearings and appeals (documents and contact/legal representative data) may be submitted by agencies who are responsible for ensuring the accuracy of the submitted data. Documents submitted in error by an agency may be "removed" from visibility in FedSEP Hearings and Appeals, provided the agency removing a document enters a reason explaining the document's removal. "Removed" documents are retained in Alfresco but marked as "deleted" and capture the reason for removal to ensure a complete recorded history of submitted documents, including errors. Agency activity that modifies or adds contact and/or legal representative data is captured in a running Activity Log; the modifications update the corresponding data in IMS. Undocketed hearings or appeals created by agencies can be deleted by the agency that created it, provided the undocketed case was not used directly to docket a hearing or appeal by EEOC.

19. Is the system using technologies in ways that the EEOC has not previously employed?

No.

19.1. How does the use of this technology affect taxpayer/employee privacy?

Transmission of information employs secure technologies. Persistent cookies or tracking mechanisms are not employed. Data is handled in accordance with EEOC's policies and laws.

20. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.

No.

20.1. Will this system provide the capability to identify, locate, and monitor groups of people? If yes, explain.

No.

20.2. What controls will be used to prevent unauthorized monitoring?

Access to agency data can be monitored and updated by EEO Directors and Registration Managers. EEO Directors and Registration Manager roles provide full visibility to who accesses data and permit the role holders to update that data at any time.

21. Under which Systems of Record Notice (SORN) does the system operate? Provide number and name.

EEOC-GOVT-1, Employment Opportunity Complaint Records and Appeal Records