06.1 HHS Privacy Impact Assessment (Form) / 01 OpDiv Information Systems (Portfolio) |
ProSight |
|
|||||
|
|
|
|||||
PIA SUMMARY |
|||||||
1 |
|
||||||
The following required questions represent the information necessary to complete the PIA Summary for transmission to the Office of Management and Budget. |
|||||||
Note: If a question or its response is not applicable, please answer “No” to that question. |
|||||||
2 |
Summary of PIA Required Questions |
||||||
*Is this a new PIA? |
Yes |
||||||
If this is an existing PIA, please provide a reason for revision: |
|
||||||
|
|
||||||
*1. Date of this Submission: |
9/10/09 |
||||||
*2. OPDIV Name: |
DHHS/NIH/NIAID |
||||||
*3. Unique Project Identifier (UPI) Number: |
No |
||||||
Note: If the system does not have a UPI, please explain why it does not: |
No |
||||||
*4. Privacy Act System of Records (SOR) Number: |
09-25-0156 |
||||||
*5. OMB Information Collection Approval Number: |
Not received yet |
||||||
OMB Collection Approval Number Expiration Date: |
|
||||||
*6. Other Identifying Number(s): |
#HHSN266200600024T |
||||||
*7. System Name: |
Key Influencer Survey |
||||||
*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: |
Katharine Kripke |
||||||
|
|
|
|||||
|
Point of Contact Information |
|
|
||||
|
POC Name |
Katharine Kripke |
|
||||
|
|||||||
*10. Provide an overview of the system: |
This is a Web-based survey that will be used to assess the respondents’ level of awareness, knowledge about, and support for HIV vaccine research. Respondents will also be questioned on their exposure to the NIAID HIV Vaccine Research Education Initiative. Survey respondents are considered key influencers, meaning they are individuals that work with and have an influence on those individuals most at risk for contracting HIV/AIDS. |
||||||
*13. Indicate if the system is new or an existing one being modified: |
New |
||||||
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system? |
Yes |
||||||
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation |
|
||||||
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA. |
|
||||||
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion. |
|
||||||
*21. Is the system subject to the Privacy Act? |
Yes |
||||||
*23. If the system shares or discloses IIF please specify with whom and for what purpose(s): |
The system will not share or disclose PII. |
||||||
*30. Please describe in detail the information the agency will collect, maintain, or disseminate and why and for what purpose the agency will use the information. In this description, indicate whether the information contains IIF and whether submission of personal information is voluntary or mandatory: |
Names and email addresses will be collected to allow for followup. The PII being collected is not required. |
||||||
*31. Please describe in detail any processes in place to: • notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection) • notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: |
Informed consent will be provided on the survey website. System changes are not anticipated and will not require notification of individuals whose PII is in the system. If notification is required, email notification will be performed. |
||||||
*32. Does the system host a website? |
The database system will be a backend to a survey Website. |
||||||
*37. Does the website have any information or pages directed at children under the age of thirteen? |
No |
||||||
*50. Are there policies or guidelines in place with regard to the retention and destruction of IIF? |
Yes |
||||||
*54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls. |
Only individuals working on the project will have administrative access to the files, all files will be kept on secure servers, and computers containing the data are maintained in secure location under lock and key. |
||||||
PIA REQUIRED INFORMATION |
||||||||||
1 |
HHS Privacy Impact Assessment (PIA) |
|||||||||
The PIA determines if information in identifiable form (IIF) is contained within a system, what kind of IIF, what is done with that information, and how that information is protected. Systems with IIF are subject to an extensive list of requirements based on privacy laws, regulations, and guidance. The HHS Privacy Act Officer, for issues related to Freedom of Information Act (FOIA) and the Privacy Act, and respective Operating Division (OPDIV) Privacy Contacts, for issues related to the Privacy Act, can all be used as a resource for questions related to the technicalities of privacy law. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions related to the administrative, technical, and physical controls of the system. Please note that answers to questions with an asterisk (*) will be submitted to the Office of Management and Budget (OMB) and made publicly available in accordance with OMB Memorandum (M) 03-22. |
||||||||||
Note: If a question or its response is not applicable, please answer “No” to that question. |
||||||||||
2 |
General Information |
|||||||||
*Is this a new PIA? |
Yes |
|||||||||
If this is an existing PIA, please provide a reason for revision: |
|
|||||||||
|
|
|||||||||
*1. Date of this Submission: |
9/21/09 |
|||||||||
*2. OPDIV Name: |
DHHS/NIH/NIAID |
|||||||||
*3. Unique Project Identifier (UPI) Number: |
No |
|||||||||
Note: If the system does not have a UPI, please explain why it does not: |
No |
|||||||||
*4. Privacy Act System of Records (SOR) Number: |
09-25-0156 |
|||||||||
*5. OMB Information Collection Approval Number: |
Not received yet |
|||||||||
OMB Collection Approval Number Expiration Date: |
|
|||||||||
*6. Other Identifying Number(s): |
#HHSN266200600024T |
|||||||||
*7. System Name: |
Key Influencer Survey |
|||||||||
8. System Location: (OPDIV or contractor office building, room, city, and state) |
NOVA Research Company |
|||||||||
|
|
|
||||||||
|
System Location: |
NOVA Research Company |
|
|||||||
|
OPDIV or contractor office building |
4600 East-West Highway |
|
|||||||
|
Room |
Suite 700 |
|
|||||||
|
City |
Bethesda |
|
|||||||
|
State |
Maryland |
|
|||||||
|
||||||||||
*9. System Point of Contact (POC) (name, title, organization, phone, email). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: |
Katharine Kripke |
|||||||||
|
|
|
||||||||
|
Point of Contact Information |
|
|
|||||||
|
POC Name |
Katharine Kripke |
|
|||||||
|
||||||||||
|
The following information will not be made publicly available: |
|
||||||||
|
|
|
||||||||
|
POC Title |
Assistant Director, Vaccine Research Program |
|
|||||||
|
POC Organization |
NIAID |
|
|||||||
|
POC Phone |
301-594-2512 |
|
|||||||
|
POC Email |
kripkek@niaid.nih.gov |
|
|||||||
|
||||||||||
*10. Provide an overview of the system: |
This is a Web-based survey that will be used to assess the respondents’ level of awareness, knowledge about, and support for HIV vaccine research. Respondents will also be questioned on their exposure to the NIAID HIV Vaccine Research Education Initiative. Survey respondents are considered key influencers, meaning they are individuals that work with and have an influence on those individuals most at risk for contracting HIV/AIDS. |
|||||||||
|
||||||||||
SYSTEM CHARACTERIZATION AND DATA CATEGORIZATION |
||||||||||
1 |
System Characterization and Data Configuration |
|||||||||
11. Does HHS own the system? |
Yes |
|||||||||
If no, identify the system owner: |
|
|||||||||
|
|
|||||||||
12. Does HHS operate the system? |
No |
|||||||||
If no, identify the system operator: |
NOVA Research Company |
|||||||||
|
|
|||||||||
*13. Indicate if the system is new or an existing one being modified: |
New |
|||||||||
|
|
|||||||||
14. Identify the life-cycle phase of this system: |
|
|||||||||
|
|
|
||||||||
|
Phase: |
Yes/No |
|
|||||||
|
Initiation |
Yes |
|
|||||||
|
Development/Acquisition |
No |
|
|||||||
|
Implementation |
No |
|
|||||||
|
Operations/Maintenance |
No |
|
|||||||
|
Disposal |
No |
|
|||||||
|
Mixed Life Cycle |
No |
|
|||||||
|
||||||||||
|
|
|||||||||
15. Have any of the following major changes occurred to the system since the PIA was last submitted? |
|
|||||||||
|
|
|
||||||||
|
If yes, please check each major change that has occurred: |
Yes/No |
|
|||||||
|
Conversions |
No |
|
|||||||
|
Anonymous to Non-Anonymous |
No |
|
|||||||
|
Significant System Management Changes |
No |
|
|||||||
|
Significant Merging |
No |
|
|||||||
|
New Public Access |
No |
|
|||||||
|
Commercial Sources |
No |
|
|||||||
|
New Interagency Uses |
No |
|
|||||||
|
Internal Flow or Collection |
No |
|
|||||||
|
Alteration in Character of Data |
No |
|
|||||||
|
||||||||||
|
|
|||||||||
16. Is the system a General Support System (GSS) or a Major Application (MA)? |
GSS |
|||||||||
|
|
|||||||||
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system? |
Yes |
|||||||||
Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or whether it is personal information about business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation. |
|
|||||||||
Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 32, 37, 50 and 54, then promote the PIA to the OPDIV Senior Official for Privacy who will authorize the PIA. |
|
|||||||||
If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion. |
|
|||||||||
|
Please select "Yes" for all applicable IIF categories. If the applicable IIF category is not listed, please use the Other field to identify the appropriate category of IIF: |
|
||||||||
|
|
|
||||||||
|
Check all that Apply: |
Yes/No |
|
|||||||
|
Date of Birth |
No |
|
|||||||
|
Social Security Number (SSN) |
No |
|
|||||||
|
Photographic Identifiers |
No |
|
|||||||
|
Driver’s License |
No |
|
|||||||
|
Biometric Identifiers |
No |
|
|||||||
|
Mother’s Maiden Name |
No |
|
|||||||
|
Vehicle Identifiers |
No |
|
|||||||
|
Mailing Address |
No |
|
|||||||
|
Phone Numbers |
No |
|
|||||||
|
Medical Records Numbers |
No |
|
|||||||
|
Medical Notes |
No |
|
|||||||
|
Financial Account Information |
No |
|
|||||||
|
Certificates |
No |
|
|||||||
|
Legal Documents |
No |
|
|||||||
|
Device Identifiers |
No |
|
|||||||
|
Web Uniform Resource Locator(s) (URL) |
No |
|
|||||||
|
Email Address |
Yes |
|
|||||||
|
Education Records |
No |
|
|||||||
|
Military Status |
No |
|
|||||||
|
Employment Status |
No |
|
|||||||
|
Foreign Activities |
No |
|
|||||||
|
Other |
Yes, Name |
|
|||||||
|
||||||||||
|
|
|||||||||
|
18. Please indicate the categories of individuals about whom IIF is collected, maintained, disseminated and/or passed through. Note: If the applicable IIF category is not listed, please use the Other field to identify the appropriate category of IIF. |
|
||||||||
|
|
|
||||||||
|
Categories: |
Yes/No |
|
|||||||
|
Employees |
No |
|
|||||||
|
Public Citizen |
Yes |
|
|||||||
|
Patients |
No |
|
|||||||
|
Business partners/contacts (Federal, state, local agencies) |
No |
|
|||||||
|
Vendors/Suppliers/Contractors |
No |
|
|||||||
|
Other |
No |
|
|||||||
|
||||||||||
|
|
|||||||||
19. Are records on the system retrieved by one or more data elements? |
Yes |
|||||||||
|
If yes, please select all applicable IIF categories. If the applicable IIF category is not listed, please use the Other field to identify the appropriate category of IIF. |
|
||||||||
|
|
|
||||||||
|
Please specify what data elements are or will be used in retrieving the records: |
Yes/No |
|
|||||||
|
Name |
Yes |
|
|||||||
|
Date of Birth |
No |
|
|||||||
|
SSN |
No |
|
|||||||
|
Photographic Identifiers |
No |
|
|||||||
|
Driver’s License |
No |
|
|||||||
|
Biometric Identifiers |
No |
|
|||||||
|
Mother’s Maiden Name |
No |
|
|||||||
|
Vehicle Identifiers |
No |
|
|||||||
|
Mailing Address |
No |
|
|||||||
|
Phone Numbers |
No |
|
|||||||
|
Medical Records Numbers |
No |
|
|||||||
|
Medical Notes |
No |
|
|||||||
|
Financial Account Information |
No |
|
|||||||
|
Certificates |
No |
|
|||||||
|
Legal Documents |
No |
|
|||||||
|
Device Identifiers |
No |
|
|||||||
|
Web URLs |
No |
|
|||||||
|
Email Address |
Yes |
|
|||||||
|
Education Records |
No |
|
|||||||
|
Military Status |
No |
|
|||||||
|
Employment Status |
No |
|
|||||||
|
Foreign Activities |
No |
|
|||||||
|
Other |
No |
|
|||||||
|
||||||||||
|
|
|||||||||
20. Are 10 or more records containing IIF maintained, stored or transmitted/passed through this system? |
Yes |
|||||||||
|
|
|||||||||
*21. Is the system subject to the Privacy Act? |
Yes |
|||||||||
21 A. If yes, but a SOR has not been created, please provide an explanation: |
|
|||||||||
INFORMATION SHARING PRACTICES |
|||||||||||||||||||
1 |
Information Sharing Practices |
||||||||||||||||||
22. Does the system share or disclose IIF with other divisions within this agency, external agencies, or other people or organizations outside the agency? |
No |
||||||||||||||||||
|
|
|
|||||||||||||||||
|
If yes, please identify the category of IIF shared or disclosed. If the category of personal information is not listed, please check Other and identify the category. |
|
|
||||||||||||||||
|
Name |
|
|
||||||||||||||||
|
Date of Birth |
|
|
||||||||||||||||
|
SSN |
|
|
||||||||||||||||
|
Photographic Identifiers |
|
|
||||||||||||||||
|
Driver’s License |
|
|
||||||||||||||||
|
Biometric Identifiers |
|
|
||||||||||||||||
|
Mother’s Maiden Name |
|
|
||||||||||||||||
|
Vehicle Identifiers |
|
|
||||||||||||||||
|
Mailing Address |
|
|
||||||||||||||||
|
Phone Numbers |
|
|
||||||||||||||||
|
Medical Records Numbers |
|
|
||||||||||||||||
|
Medical Notes |
|
|
||||||||||||||||
|
Financial Account Information |
|
|
||||||||||||||||
|
Certificates |
|
|
||||||||||||||||
|
Legal Documents |
|
|
||||||||||||||||
|
Device Identifiers |
|
|
||||||||||||||||
|
Web URLs |
|
|
||||||||||||||||
|
Email Address |
|
|
||||||||||||||||
|
Education Records |
|
|
||||||||||||||||
|
Military Status |
|
|
||||||||||||||||
|
Employment Status |
|
|
||||||||||||||||
|
Foreign Activities |
|
|
||||||||||||||||
|
Other |
|
|
||||||||||||||||
|
|||||||||||||||||||
|
|
||||||||||||||||||
*23. If the system shares or discloses IIF please specify with whom and for what purpose(s): |
The system will not share or disclose PII. |
||||||||||||||||||
|
|
||||||||||||||||||
24. If the IIF in the system is matched against IIF in one or more other computer systems, are computer data matching agreement(s) in place? |
No |
||||||||||||||||||
|
|
||||||||||||||||||
25. Is there a process in place to notify organizations or systems that are dependent upon the IIF contained in this system when major changes occur (i.e., revisions to IIF, or when the system is replaced)? |
No |
||||||||||||||||||
|
|
||||||||||||||||||
26. Are individuals notified how their IIF is going to be used? |
Yes |
||||||||||||||||||
If yes, please describe the process for allowing individuals to have a choice: |
Within the survey, participants will be allowed to skip the question and not supply contact information. |
||||||||||||||||||
|
|
||||||||||||||||||
27. Is there a complaint process in place for individuals who believe their IIF has been inappropriately obtained, used, or disclosed, or that the IIF is inaccurate? |
Yes |
||||||||||||||||||
If yes, please describe briefly the notification process: |
An email link and name will be supplied for those who wish to contact the survey manager. The individual will need to provide the following information to the survey manager:
The requester must also verify his or her identity by providing either a notarization of the request or a written certification that the requester is who he or she claims to be and understands that the knowing and willful request for acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act, subject to a five thousand dollar fine. The survey manager will review the complaint and contact the requester with a resolution. |
||||||||||||||||||
|
|
||||||||||||||||||
28. Are there processes in place for periodic reviews of IIF contained in the system to ensure the data’s integrity, availability, accuracy and relevancy? |
No |
||||||||||||||||||
If yes, please describe briefly the review process: |
|
||||||||||||||||||
|
|
||||||||||||||||||
29. Are there rules of conduct in place for access to IIF on the system? |
Yes |
||||||||||||||||||
If yes, identify all users with access to IIF on the system and briefly state the purpose for each user to have access: |
|
||||||||||||||||||
|
|
|
|||||||||||||||||
|
Users with access to IIF |
Yes/No |
Purpose |
|
|||||||||||||||
|
User |
No |
|
|
|||||||||||||||
|
Administrators |
Yes |
Database Administrator will have direct access to the database for the purpose of developing the web-based survey and general server maintenance. |
|
|||||||||||||||
|
Developers |
No |
|
|
|||||||||||||||
|
Contractors |
Yes |
Conduct followup with survey respondents. |
|
|||||||||||||||
|
Other |
|
|
|
|||||||||||||||
|
|||||||||||||||||||
*30. Please describe in detail the information the agency will collect, maintain, or disseminate and why and for what purpose the agency will use the information. In this description, indicate whether the information contains IIF and whether submission of personal information is voluntary or mandatory: |
Information about the respondents’ knowledge, attitudes, and behaviors about HIV vaccines will be collected via this survey of key influencers. Key influencers will be drawn from a database created by NOVA based on organizations doing HIV/AIDS prevention-related work. The data collected in this survey will be used to help determine the level of support for HIV vaccine research among key influencers and make assumptions about the NIAID HIV Vaccine Education Initiative (NHVREI). The PII being obtained will be used to re-contact key influencers and conduct a similar survey in the future for the purpose of comparing time 1 and time 2. The submission of PII will not be mandatory. |
||||||||||||||||||
|
|
||||||||||||||||||
*31. Please describe in detail any processes in place to: • notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection) • notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: |
Notification of the use of PII will be included on the survey website. Tacit consent is provided if the participant completes the survey and includes the PII. System changes are not anticipated and will not require notification of individuals whose PII is in the system. If notification is required, email notification will be performed. |
||||||||||||||||||
Note: Please describe in what format individuals will be given notice of consent (e.g., written notice, electronic notice, etc.). |
|
||||||||||||||||||
WEBSITE HOSTING PRACTICES |
|||||||||||||||||||
1 |
Website Hosting Practices |
||||||||||||||||||
32. Does the system host a website? |
Yes, the system will consist of a survey Web site that stores collected data in a backend relational database. |
||||||||||||||||||
|
|
|
|||||||||||||||||
|
If yes, please indicate what type of site the system hosts: |
Yes/ No |
|
||||||||||||||||
|
Internet |
Yes |
|
||||||||||||||||
|
Intranet |
No |
|
||||||||||||||||
|
Both |
No |
|
||||||||||||||||
|
|||||||||||||||||||
33. Is the website accessible by the public or other entities (i.e., Federal, state, and/or local agencies, contractors, third party administrators, etc.)? |
No |
||||||||||||||||||
|
|
||||||||||||||||||
34. Is a website privacy policy statement (consistent with OMB M-03-22 and Title II and III of the E-Government Act) posted on the website? |
Yes, it will be once the site is ready. |
||||||||||||||||||
|
|
||||||||||||||||||
35. Is the website’s privacy policy in machine-readable format, such as Platform for Privacy Preferences (P3P)? |
Yes |
||||||||||||||||||
If no, please indicate when the website will be P3P compliant: |
|
||||||||||||||||||
36. Does the website employ persistent tracking technologies? |
No |
||||||||||||||||||
|
|
|
|||||||||||||||||
|
If yes, identify the type(s) of cookies in use: |
Yes/No |
|
||||||||||||||||
|
Web Bugs |
|
|
||||||||||||||||
|
Web Beacons |
|
|
||||||||||||||||
|
Session Cookies |
Yes |
|
||||||||||||||||
|
Persistent Cookies |
|
|
||||||||||||||||
|
Other |
|
|
||||||||||||||||
|
|||||||||||||||||||
|
|
||||||||||||||||||
*37. Does the website have any information or pages directed at children under the age of thirteen? |
No |
||||||||||||||||||
If yes, is there a unique privacy policy for the site, and does the unique privacy policy address the process for obtaining parental consent if any information is collected? |
|
||||||||||||||||||
|
|
||||||||||||||||||
38. Does the website collect IIF from individuals? |
Yes |
||||||||||||||||||
|
|
|
|||||||||||||||||
|
If yes, please indicate the category of IIF: |
Yes/No |
|
||||||||||||||||
|
Name |
Yes |
|
||||||||||||||||
|
Date of Birth |
No |
|
||||||||||||||||
|
SSN |
No |
|
||||||||||||||||
|
Photographic Identifiers |
No |
|
||||||||||||||||
|
Driver's License |
No |
|
||||||||||||||||
|
Biometric Identifiers |
No |
|
||||||||||||||||
|
Mother's Maiden Name |
No |
|
||||||||||||||||
|
Vehicle Identifiers |
No |
|
||||||||||||||||
|
Mailing Address |
No |
|
||||||||||||||||
|
Phone Numbers |
No |
|
||||||||||||||||
|
Medical Records Numbers |
No |
|
||||||||||||||||
|
Medical Notes |
No |
|
||||||||||||||||
|
Financial Account Information |
No |
|
||||||||||||||||
|
Certificates |
No |
|
||||||||||||||||
|
Legal Documents |
No |
|
||||||||||||||||
|
Device Identifiers |
No |
|
||||||||||||||||
|
Web URLs |
No |
|
||||||||||||||||
|
Email Address |
Yes |
|
||||||||||||||||
|
Education Records |
No |
|
||||||||||||||||
|
Military Status |
No |
|
||||||||||||||||
|
Employment Status |
No |
|
||||||||||||||||
|
Foreign Activities |
No |
|
||||||||||||||||
|
Other |
No |
|
||||||||||||||||
|
|||||||||||||||||||
|
|
||||||||||||||||||
39. Are rules of conduct in place for access to IIF on the website? |
Yes, data handling instructions will be provided within the Administrator’s tool where data containing PII may be downloaded. |
||||||||||||||||||
40. Does the website contain links to sites external to the OPDIV that owns and/or operates the system? |
Yes |
||||||||||||||||||
If yes, note whether the system provides a disclaimer notice for users that follow external links to websites not owned or operated by the OPDIV. |
Yes, a notice will be provided at the end of the survey before linking to the Amazon site to provide the survey incentive. |
||||||||||||||||||
ADMINISTRATIVE CONTROLS |
|||||||||||||||||||
1 |
Administrative Controls |
||||||||||||||||||
Note: This PIA uses the terms “Administrative,” “Technical” and “Physical” to refer to security control questions—terms that are used in several Federal laws when referencing security requirements. |
|||||||||||||||||||
2 |
|
||||||||||||||||||
41. Has the system been certified and accredited (C&A)? |
No, C&A is in progress. |
||||||||||||||||||
If the system requires a C&A and one has not been completed, please indicate when the C&A is scheduled for completion. |
|
||||||||||||||||||
42. Is there a system security plan for this system? |
Yes |
||||||||||||||||||
43. Is there a contingency (or backup) plan for the system? |
Yes |
||||||||||||||||||
44. Are files backed up regularly? |
Yes |
||||||||||||||||||
45. Are backup files stored offsite? |
Yes |
||||||||||||||||||
46. Are there user manuals for the system? |
|
||||||||||||||||||
47. Have personnel (system owners, managers, operators, contractors and/or program managers) using the system been trained and made aware of their responsibilities for protecting the information being collected and maintained? |
Yes |
||||||||||||||||||
48. If contractors operate or use the system, do the contracts include clauses ensuring adherence to privacy provisions and practices? |
Yes |
||||||||||||||||||
49. Are methods in place to ensure least privilege (i.e., “need to know” and accountability)? |
Yes |
||||||||||||||||||
If yes, please specify method(s). |
End users of the system will only have access to the web-based survey pages provided by the system. Administrative users will have access to collected data, however, only via password-protected web-based download tools. Only system administrators will have direct access to the database or other components of the survey system. |
||||||||||||||||||
*50. Are there policies or guidelines in place with regard to the retention and destruction of IIF? |
Yes |
||||||||||||||||||
If yes, please provide some detail about these policies/practices. |
PII will be maintained until 2 months after the last data collection is performed and the data are no longer necessary. |
||||||||||||||||||
TECHNICAL CONTROLS |
|||||||||||||||||||
1 |
Technical Controls |
||||||||||||||||||
51. Are technical controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system? |
Yes |
||||||||||||||||||
|
|
|
|||||||||||||||||
|
If yes, check all technical controls that are currently in place: |
Yes/No |
|
||||||||||||||||
|
User Identification |
Yes |
|
||||||||||||||||
|
Passwords |
Yes |
|
||||||||||||||||
|
Firewall |
Yes |
|
||||||||||||||||
|
Virtual Private Network (VPN) |
No |
|
||||||||||||||||
|
Encryption |
Yes |
|
||||||||||||||||
|
Intrusion Detection System (IDS) |
Yes |
|
||||||||||||||||
|
Common Access Cards (CAC) |
No |
|
||||||||||||||||
|
Smart Cards |
No |
|
||||||||||||||||
|
Biometrics |
No |
|
||||||||||||||||
|
Public Key Infrastructure (PKI) |
No |
|
||||||||||||||||
|
|||||||||||||||||||
52. Is there a process in place to monitor and respond to privacy and/or security incidents? |
Yes |
||||||||||||||||||
If yes, please briefly describe the process: |
System administrators regularly review security logs for suspicious behavior, in addition to intrusion detection tools built into the system that will automatically notify administrators of abnormal server behavior. |
||||||||||||||||||
PHYSICAL ACCESS |
|||||||||||||||||||
1 |
Physical Access |
||||||||||||||||||
53. Are physical access controls in place? |
Yes |
||||||||||||||||||
|
|
|
|||||||||||||||||
|
If yes, check all physical controls that are currently on the system. |
Yes/No |
|
||||||||||||||||
|
Guards |
No |
|
||||||||||||||||
|
Identification Badges |
No |
|
||||||||||||||||
|
Key Cards |
Yes |
|
||||||||||||||||
|
Cipher Locks |
No |
|
||||||||||||||||
|
Biometrics |
No |
|
||||||||||||||||
|
Closed Circuit TV (CCTV) |
No |
|
||||||||||||||||
|
|||||||||||||||||||
|
|
||||||||||||||||||
*54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls. |
Only individuals working on the project will have administrative access to the files, all files will be kept on secure servers, and computers containing the data are maintained in secure location under lock and key. |
||||||||||||||||||
|
|||||||||||||||||||
APPROVAL/DEMOTION |
|||||||||||||||||||
1 |
PIA Reviewer Approval/Promotion or Demotion |
||||||||||||||||||
Promotion/Demotion: |
|
||||||||||||||||||
Comments: |
|
||||||||||||||||||
Approval/Demotion Point of Contact: |
|
||||||||||||||||||
2 |
Senior Official for Privacy Approval/Promotion or Demotion |
||||||||||||||||||
Promotion/Demotion: |
|
||||||||||||||||||
Comments: |
|
||||||||||||||||||
3 |
OPDIV Senior Official for Privacy or Designee Approval |
||||||||||||||||||
Please print the PIA and obtain the endorsement of the reviewing official below. Once the signature has been collected, retain a hard copy for the OPDIV's records. Submitting the PIA will indicate the reviewing official has endorsed it |
|||||||||||||||||||
This PIA has been reviewed and endorsed by the OPDIV Senior Official for Privacy or Designee (Name and Date): |
|||||||||||||||||||
|
|||||||||||||||||||
Name: __________________________________ Date: __________________________________ |
|||||||||||||||||||
|
|
|
|||||||||||||||||
|
Name: |
|
|
||||||||||||||||
|
Date: |
|
|
||||||||||||||||
|
|||||||||||||||||||
4 |
Department Approval to Publish to the Web |
||||||||||||||||||
Approved for web publishing |
|
||||||||||||||||||
Date Published: |
|
||||||||||||||||||
| File Type | application/msword |
| File Title | ProSight Portfolios Report |
| Author | CIT |
| Last Modified By | Daniel Eckstein |
| File Modified | 2009-09-21 |
| File Created | 2009-09-10 |