VA Time and Attendance System - Cloud (VATAS)

Privacy Impact Assessment for the VA IT System called:

VA Time and Attendance System - Cloud (VATAS)

Financial Payroll Services VA Central Office

Date PIA submitted for review: 08/08/2023

System Contacts

Privacy Officer
Name: Mark A. Wilson
E-mail: Mark.Wilson@
Phone Number: (512) 386-2246

Information System Security Officer (ISSO)
Name: Rito-Anthony Brisbane
E-mail: RitoAnthony.Brisbane@
Phone Number: (512) 460-5081

Information System Owner
Name: Jonathan Lindow
E-mail: Jonathan.Lindow@
Phone Number: (512) 460-5307

Abstract

The abstract provides the simplest explanation for "what does the system do?" and will be published online to accompany the PIA link.

VA Time and Attendance System - Cloud (VATAS) is a Commercial-Off-The-Shelf (COTS) customizable, web-based Time and Attendance System (TAS) that replaced the Enterprise Time and Attendance (ETA) system. VATAS will be used by all VA employees to request leave and review leave balance data. VATAS transmits time and leave data to Defense Finance Accounting Services' Payroll Syst. VATAS provides payroll processing services.

Overview

The overview is the most important section of the PIA. A thorough and clear overview gives the reader the appropriate context to understand the responses in the PIA. The overview should contain the following elements:

1. General Description

A. The IT system name and the name of the program office that owns the IT system.

VA Time and Attendance System - Cloud (VATAS); Program Office: Financial Payroll Service (FPS)

B. The business purpose of the program, IT system, or technology and how it relates to the program office and agency mission.

Conduct Work Schedule and Leave Management designs, develops, and implements leave and work schedule policies and programs that attract, retain, and meet the work-life needs of employees in accordance with law and regulations. Develops and implements policies to administer leave and work schedules in support of agency missions and goals. Coordinates with organizations to provide for the appropriate conveyance of policies, programs, human resources, payroll, and time and attendance systems supporting accurate and timely benefits for employees. The Financial Services Center (FSC) is the Business Owner of the VATAS application, and it is managed on their behalf by Cognosante.

C. Indicate the ownership or control of the IT system or project.

VA owned. Ownership of VATAS Cloud systems falls under the Financial Service Center (FSC); Cognosante personnel work to keep the VATAS Solution up to date with all latest software security patches and new software applications as appropriate.

2. Information Collection and Sharing

D. The expected number of individuals whose information is stored in the system and a brief description of the typical client or affected individual.

The number of employees estimated to be in the system at full deployment is approximately 400,000 users.

Version Date: October 1, 2022 Page 1 of 31

E. A general description of the information in the IT system and the purpose for collecting this information.

VATAS is an enterprise-wide system which tracks time and attendance for the entire VA. Every two weeks the system uses the information gathered on timesheets to run payroll. Veterans Information Systems (IS) are vital to the Department of Veterans Affairs (VA) business processes; therefore, it is critical that services provided by Veterans Affairs Time and Attendance System (VATAS) operate effectively without excessive or prolonged interruption. The VATAS is hosted by VAEC AWS GovCloud. The Department of Veterans Affairs (VA) Office of Financial Business Operations (OFBO) provides financial systems and operations services to VA administrations and staff offices. Among its responsibilities is enterprise-wide time reporting in support of accounting and personnel benefit services. The time and attendance system that supports these functions for OFBO is the Veterans Affairs Time and Attendance System (VATAS). Specifically, VATAS performs these functions:

1) Create new employee profile; update and edit current employee information.
2) Configure various employee groupings, including duty stations and time and leave (T&L) groups.
3) Configure tours of duty. Process employee leave requests, overtime/comp time requests, environmental differential requests and related requests.
4) Process/adjust timecards/prior pay period(s).
5) Process timecards for the current pay periods. Adjust timecards from prior pay periods.
6) Validate entered timecard information against VA business rules, both at the time of data entry and when issuing batch feeds to external systems.
7) Provide exception reports to identify data anomalies.
8) Provide standard reports to support management and analysis related to T&A.
9) Reconcile timecard information with DCPS.
10) Reconcile employee configuration with HR information in HRSMART.
11) Manage and configure holidays, tours of duty, duty stations, HRSMART database lookup codes, and Time and Leave (T&L) Group.

F. Any information sharing conducted by the IT system. A general description of the modules and subsystems, where relevant, and their functions.

VATAS accepts employee profile data from HRSMART, sends time and leave information to DCPS via Systems Automation Data (SDA) interface, receives leave balances from DCPS, and stores data on the VATAS database.

The core VATAS application is a web-based multi-functional time and attendance application that incorporates a multi-tiered architecture. Written in Java, the application uses J2EE compliant technologies such as Java Servlets and Java Server Faces (JSF) and Java Facelets. Users connect to the system through an Apache web server.

G. Whether the system is operated in more than one site, and if so, a description of how use of the system and PII is maintained consistently in all sites and if the same controls are used across sites.

This is N/A for VATAS; VATAS is not operated from multiple sites.


3. Legal Authority and SORN

H. A citation of the legal authority to operate the IT system.

VATAS, under 5 CFR part 4501, Office of Personnel Management, provides a restricted-membership information interface, and the data originates and remains within the financial systems and operations services of the VA. The data is not mined nor collected for any other purpose, in accordance with the system ISA/MOU. ISA/MOUs are used for the connections to/from VA entities. The VATAS application provides required reports using restricted membership web interfaces, uses datasets from HRSMART and Defense Civilian Pay System (DCPS), and receives an interface from Defense Finance and Accounting Service (DFAS). Personnel and Accounting Integrated Data System - VA (27VA047). The current SORN will be replaced with 208VA0478C, which is under review by VA Privacy Act Service.

I. If the system is in the process of being modified and a SORN exists, will the SORN require amendment or revision and approval? If the system is using cloud technology, does the SORN for the system cover cloud usage or storage?

Personnel and Accounting Integrated Data System - VA (27VA047). The current SORN will be replaced with 208VA0478C, which is under review by VA Privacy Act Service.

D. System Changes

J. Whether the completion of this PIA will result in circumstances that require changes to business processes.

No, it cannot result in circumstances that require changes to business processes.

K. Whether the completion of this PIA could potentially result in technology changes.

No, it could not potentially result in technology changes.

Section 1. Characterization of the Information

The following questions are intended to define the scope of the information requested and collected as well as the reasons for its collection as part of the program, IT system, or technology being developed.

1.1 What information is collected, used, disseminated, created, or maintained in the system?

Identify and list all Sensitive Personal Information (SPI) that is collected and stored in the system, including Individually Identifiable Information (III), Individually Identifiable Health Information (IIHI), Protected Health Information (PHI), and Privacy-Protected Information. For additional information on these information types and definitions, please see VA Directives and Handbooks in the 6500 series. If the system creates information (for example, a score, analysis, or report), list the information the system is responsible for creating.


If a requesting system receives information from another system, such as a response to a background check, describe what information is returned to the requesting system. This question is related to privacy control AP-1, Authority To Collect, and AP-2, Purpose Specification.

The information selected below must match the information provided in question 2.1 as well as the data elements columns in 4.1 and 5.1.

Please check any information listed below that your system collects, uses, disseminates, creates, or maintains. If additional SPI is collected, used, disseminated, created, or maintained, please list those in the text box below:

Name
Social Security Number
Date of Birth
Mother's Maiden Name
Personal Mailing Address
Personal Phone Number(s)
Personal Fax Number
Personal Email Address
Emergency Contact Information (Name, Phone Number, etc. of a different individual)
Financial Information
Health Insurance Beneficiary Numbers Account numbers
Certificate/License numbers*
Vehicle License Plate Number
Internet Protocol (IP) Address Numbers
Medications
Medical Records
Race/Ethnicity
Tax Identification Number
Medical Record Number
Gender
Integrated Control Number (ICN)
Military History/Service Connection
Next of Kin
Other Data Elements (list below)

Work Email Address

*Specify type of Certificate or License Number (e.g. Occupational, Education, Medical)

PII Mapping of Components (Servers/Database)

VATAS consists of 2 key components (servers/databases), which are database servers. Each component has been analyzed to determine if any elements of that component collect PII. The type of PII collected by VATAS and the reasons for the collection of the PII are in the table below.


Note: Due to the PIA being a public facing document, please do not include the server names in the table. The first table of 3.9 in the PTA should be used to answer this question.

Internal Database Connections

Database Name of the information system collecting/storing PII: VAPRDP Oracle Database (#1)
Does this system collect PII? (Yes/No): Yes
Does this system store PII? (Yes/No): Yes
Type of PII (SSN, DOB, etc.): Name, Work Email and SSN
Reason for Collection/Storage of PII: Payroll Processing
Safeguards: Access control, authentication, configuration management, etc.

Database Name of the information system collecting/storing PII: VAPRDR Oracle Database (#2)
Does this system collect PII? (Yes/No): Yes
Does this system store PII? (Yes/No): Yes
Type of PII (SSN, DOB, etc.): Name, Work Email and SSN
Reason for Collection/Storage of PII: Payroll Processing
Safeguards: Access control, authentication, configuration management, etc.

1.2 What are the sources of the information in the system? These questions are related to privacy controls DI-1, Data Quality, and IP-1, Consent.

1.2a List the individual, entity, or entities providing the specific information identified above. For example, is the information collected directly from the individual as part of an application for a benefit, or is it collected from other sources such as commercial data aggregators?

Restricted membership web access VATAS application manages all VA employee time and attendance functions, provides required reports using restricted membership web interfaces, uses datasets from HRSMART and Defense Civilian Pay System (DCPS), and receives an interface from Defense Finance and Accounting Service (DFAS).

1.2b Describe why information from sources other than the individual is required. For example, if a program's system is using data from a commercial aggregator of information or data taken from public Web sites, state the fact that this is where the information is coming from and then in question indicate why the system is using this source of data.

This is not applicable


1.2c If the system creates information (for example, a score, analysis, or report), list the system as a source of information.

VATAS has a reporting system.


1.3 How is the information collected? These questions are related to privacy controls DI-1, Data Quality, and IP-1, Consent.

1.3a This question is directed at the means of collection from the sources listed in question 1.2. Information may be collected directly from an individual, received via electronic transmission from another system, or created by the system itself. Specifically, is information collected through technologies or other technologies used in the storage or transmission of information in identifiable form?

Restricted membership web access VATAS application manages all VA employee time and attendance functions, provides required reports using restricted membership web interfaces, and uses datasets from HRSMART, and provides datasets to Defense Civilian Pay System (DCPS) for Defense Finance and Accounting Service (DFAS). We get datasets via FTP from HRSMART. We return datasets via sFTP to DCPS/DFAS for further processing. VATAS does not receive information from individuals.

1.3b If the information is collected on a form and is subject to the Paperwork Reduction Act, give the form's OMB control number and the agency form number.

NA for VATAS

1.4 How will the information be checked for accuracy? How often will it be checked? These questions are related to privacy controls DI-1, Data Quality, and DI-2, Data Integrity and Integrity Board.

1.4a Discuss whether and how often information stored in the system is checked for accuracy. Is information in the system checked against any other source of information (within or outside your organization) before the information is used to make decisions about an individual? For example, is there a computer matching agreement in place with another government agency? For systems that receive data from internal data sources or VA IT systems, describe the system checks to ensure that data corruption has not occurred during transmission.

VATAS provides an information interface. The data originates and remains within the financial systems and operations services of the VA. Accuracy of transmitted and stored data is ensured via the use of checksum and appropriate encryption standards. The use of encryption standards protects the data from unauthorized access, deletion, addition, or modification.

1.4b If the system checks for accuracy by accessing a commercial aggregator of information, describe this process and the levels of accuracy required by the contract.

This is NA for VATAS
