Human Resources Enterprise Systems
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 6/7/2023
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-8691640-411821 |
Name: | Human Resources Enterprise Systems |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | New |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 4/20/2023 |
Describe the purpose of the system | Networking People with Enterprise Systems and Information Link (NEIL) is a Human Resources (HR) workflow tracking system that is used to initiate, store, and track a variety of HR action requests. The system facilitates communication between CMS HR and other CMS components through online action initiation, approvals, and automated status and reminder emails. It is primarily used by HR staffing and classification personnel, hiring managers, and administrative staff in CMS components. It provides management officials with a tool to identify, monitor and manage workload and performance related to hiring and Employee/Labor Relations processes. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | NEIL captures information provided by HR staff related to the process of developing job postings, such as job title, full or part time position, and grade level. The system tracks the dates that various steps in the process are completed and names of approvers, with the goal of improving the efficiency of the hiring process. NEIL also provides tracking and information capture for hiring requests for individuals under special hiring authorities, such as veteran programs or programs for individuals with disabilities. The system stores the information required to allow HR staff to verify that the individuals under consideration are eligible for the hiring authorities, or specific positions, and may include veterans' forms, disability documentation, proof of licensing or education, contact information, date of birth and social security number. PII may also appear in Employee/Labor relations case files, within required legal documents. Information in NEIL is not shared with other systems. CMS staff who access NEIL do not use any personal identifiers to retrieve records held in the system. NEIL stores information for CMS staff who have access to the system, including name, login and password information, email addresses, and the level of access that those individuals have within the system. The only individuals who can access the system are CMS employees and contractors who have been approved as NEIL users. Once approved, NEIL users access the system using a unique CMS-issued ID and password. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | NEIL captures information provided by HR staff related to the process of developing job postings, such as job title, full or part time position, and grade level. The system tracks the dates that various steps in the process are completed and approved with the goal of improving the efficiency of the hiring process. NEIL also provides tracking and information capture for hiring requests for individuals under special hiring authorities, such as veteran programs or programs for individuals with disabilities. The system stores the information required to allow HR staff to verify that the individuals under consideration are eligible for the hiring authorities, such as veterans' forms or disability letters, and qualified for a position. NEIL also provides a case management system for CMS Labor/Employee Relations, tracking the steps in their processes and documents required from parties involved. Information in NEIL is not shared with other systems. CMS staff who access NEIL do not use any personal identifiers to retrieve records held in the system. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
How many individuals' PII in the system? | 500-4,999 |
For what primary purpose is the PII used? | The system stores the information required to allow HR staff to verify that the individuals under consideration are eligible for the hiring authorities, or specific positions, and may include veterans' forms, disability documentation, proof of licensing or education, contact information, date of birth and social security number. NEIL also provides a case management system for CMS Labor/Employee Relations, tracking the steps in their processes and legal documents required from parties involved. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable. |
Describe the function of the SSN. | SSN may appear within documents attached to hiring requests or Employee/Labor relations cases. It is used only to differentiate individuals with the same name. |
Cite the legal authority to use the SSN. | Executive Orders 9397, as amended by 13478, 9830, and 12107 |
Identify legal authorities governing information use and disclosure specific to the system and program. | 5 U.S.C. 1302, 2951, 3301, 3372, 4118, 8347, and Executive Orders 9397, as amended by 13478, 9830, and 12107 |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - Information is voluntarily provided by individuals to CMS Human Resources. Individuals do not enter their information directly into the NEIL system. |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Other - Individuals may request that other sources provide information to support Employee Relations/Labor Relations (ER/LR) cases. |
Identify the OMB information collection approval number and expiration date | Not applicable |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Individuals voluntarily provide documents that may contain PII as part of applying for employment. This information may be collected through the USA Staffing System (maintained by OPM) or provided to a CMS recruiter. NEIL does not collect PII directly from individuals. The information is obtained by HR staff or CMS component staff who have access to enter the information into the NEIL system. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Individuals provide their PII voluntarily as part of the standard process of applying for employment or initiating or participating in an Employee/Labor Relations case. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | No such major changes are planned or anticipated for the NEIL system. In the event of an unanticipated change, all methods of notification would be considered, based on contact information provided by the individual. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals voluntarily provide their information in order to have the ability to apply for employment, or participate in an Employee/Labor relations case. NEIL data is not disclosed or used for other purposes. If an individual believes that the information they provided is inaccurate, they have the option of contacting CMS HR to correct the information. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | No process exists. Individuals voluntarily provide accurate information in order to have the ability to apply for employment, or participate in an Employee/Labor relations case. NEIL data is not disclosed or used for other purposes. In applying for employment the individual certifies that the information they are providing is accurate. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to the NEIL system, and the level of access, is approved by the user's, administrator's, or developer's leadership, in coordination with the Business Owner. CMS users complete a NEIL access form, signed by their manager, that supplies the "role" or access level approved for that user. NEIL system administrators build user accounts based on permissions that have been approved. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | HR and CMS component staff are assigned to a workload for a particular CMS component or components. When a hiring request is initiated in NEIL, the appropriate HR and component staff are listed in the request. Individuals not listed in the request, with the exception of system administrators and developers, are not able to access the request. For Employee/Labor Relations cases, NEIL access is limited to ER/LR staff and managers. System administrators and developers also have access to ER/LR data for troubleshooting purposes. Account access is monitored and logged. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | System personnel participate in CMS Annual Security Awareness and Privacy training. Training on account management policies and procedures is provided for administrative, account management personnel. |
Describe training system users receive (above and beyond general security and privacy awareness training) | System-specific training is offered to all users when their NEIL accounts are created, and with all communications related to the NEIL system. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Records retention policies for the NEIL system follow General Records Schedules GRS02-1 and GRS04-1. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The NEIL system is internal to CMS, only accessed by approved HR and certain administrative staff and managers. Administrative controls include user training, system documentation, implementation of need to know and minimum necessary principles when awarding access, and others. Technical controls include firewalls, network monitoring and intrusion detection. NEIL is implemented in the managed AWS cloud environment. Other appropriate controls have been selected from the National Institute of Standards and Technology (NIST) guidance and Acceptable Risk Safeguards (ARS). |