HHS_PIA_Form_KI

Evaluation of the NIAID HIV Vaccine Research Education Initiative (NHVREI)

OMB: 0925-0611

PIA SUMMARY

The following required questions represent the information necessary to complete the PIA Summary for transmission to the Office of Management and Budget.

Note: If a question or its response is not applicable, please answer “No” to that question.

Summary of PIA Required Questions

*Is this a new PIA?

 Yes

If this is an existing PIA, please provide a reason for revision:

 

 

 

*1. Date of this Submission:

 9/10/09

*2. OPDIV Name:

DHHS/NIH/NIAID

*3. Unique Project Identifier (UPI) Number:

No 

      Note: If the system does not have a UPI, please explain why it does not:

No

*4. Privacy Act System of Records (SOR) Number:

09-25-0156

*5. OMB Information Collection Approval Number:

Not received yet 

      OMB Collection Approval Number Expiration Date:

 

*6. Other Identifying Number(s):

#HHSN266200600024T

*7. System Name:

Key Influencer Survey

*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:

POC Name: Katharine Kripke



*10. Provide an overview of the system:

This is a Web-based survey that will be used to assess the respondents’ level of awareness of, knowledge about, and support for HIV vaccine research. Respondents will also be asked about their exposure to the NIAID HIV Vaccine Research Education Initiative. Survey respondents are considered key influencers, meaning individuals who work with, and have influence over, those most at risk of contracting HIV/AIDS.

*13. Indicate if the system is new or an existing one being modified:

 New

*17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?

 Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

 

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

 

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

 

*21. Is the system subject to the Privacy Act?

 Yes

*23. If the system shares or discloses IIF please specify with whom and for what purpose(s):

The system will not share or disclose PII.

*30. Please describe in detail the information the agency will collect, maintain, or disseminate and why and for what purpose the agency will use the information.  In this description, indicate whether the information contains IIF and whether submission of personal information is voluntary or mandatory:

Names and email addresses will be collected to allow for follow-up. Providing this PII is voluntary; respondents may complete the survey without supplying it.

*31. Please describe in detail any processes in place to:                                     

•    notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection)                 

•    notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared:

An informed-consent notice will be presented on the survey website. System changes are not anticipated; if a change does require notifying individuals whose PII is in the system, notification will be sent by email.

*32. Does the system host a website?

The database system will be a backend to a survey Website.

*37. Does the website have any information or pages directed at children under the age of thirteen?

No 

*50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?

Yes

*54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.

Only individuals working on the project will have administrative access to the files; all files will be kept on secure servers; and computers containing the data are maintained in a secure location under lock and key.

 

PIA REQUIRED INFORMATION

HHS Privacy Impact Assessment (PIA)

The PIA determines if information in identifiable form (IIF) is contained within a system, what kind of IIF, what is done with that information, and how that information is protected. Systems with IIF are subject to an extensive list of requirements based on privacy laws, regulations, and guidance. The HHS Privacy Act Officer, for issues related to Freedom of Information Act (FOIA) and the Privacy Act, and respective Operating Division (OPDIV) Privacy Contacts, for issues related to the Privacy Act, can all be used as a resource for questions related to the technicalities of privacy law. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions related to the administrative, technical, and physical controls of the system.  Please note that answers to questions with an asterisk (*) will be submitted to the Office of Management and Budget (OMB) and made publicly available in accordance with OMB Memorandum (M) 03-22.

Note: If a question or its response is not applicable, please answer “No” to that question.

General Information

*Is this a new PIA?

 Yes

If this is an existing PIA, please provide a reason for revision:

 

 

 

*1. Date of this Submission:

 9/21/09

*2. OPDIV Name:

DHHS/NIH/NIAID

*3. Unique Project Identifier (UPI) Number:

No 

      Note: If the system does not have a UPI, please explain why it does not:

No

*4. Privacy Act System of Records (SOR) Number:

09-25-0156

*5. OMB Information Collection Approval Number:

Not received yet 

      OMB Collection Approval Number Expiration Date:

 

*6. Other Identifying Number(s):

#HHSN266200600024T

*7. System Name:

 Key Influencer Survey

8. System Location:  (OPDIV or contractor office building, room, city, and state)

NOVA Research Company, 4600 East-West Highway, Suite 700, Bethesda, Maryland



*9. System Point of Contact (POC) (name, title, organization, phone, email). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:

POC Name: Katharine Kripke

The following information will not be made publicly available:

POC Title: Assistant Director, Vaccine Research Program
POC Organization: NIAID
POC Phone: 301-594-2512
POC Email: kripkek@niaid.nih.gov



*10. Provide an overview of the system:

This is a Web-based survey that will be used to assess the respondents’ level of awareness of, knowledge about, and support for HIV vaccine research. Respondents will also be asked about their exposure to the NIAID HIV Vaccine Research Education Initiative. Survey respondents are considered key influencers, meaning individuals who work with, and have influence over, those most at risk of contracting HIV/AIDS.


SYSTEM CHARACTERIZATION AND DATA CATEGORIZATION

System Characterization and Data Configuration

11. Does HHS own the system?

 Yes

       If no, identify the system owner:

 

 

 

12. Does HHS operate the system?

 No

       If no, identify the system operator:

 NOVA Research Company

 

 

*13. Indicate if the system is new or an existing one being modified:

 New

 

 

14. Identify the life-cycle phase of this system:

Phase (Yes/No):

Initiation: Yes
Development/Acquisition: No
Implementation: No
Operations/Maintenance: No
Disposal: No
Mixed Life Cycle: No



 

 

15. Have any of the following major changes occurred to the system since the PIA was last submitted?

If yes, please check each major change that has occurred (Yes/No):

Conversions: No
Anonymous to Non-Anonymous: No
Significant System Management Changes: No
Significant Merging: No
New Public Access: No
Commercial Sources: No
New Interagency Uses: No
Internal Flow or Collection: No
Alteration in Character of Data: No



 

 

16. Is the system a General Support System (GSS) or a Major Application (MA)?

 GSS

 

 

*17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?

 Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or whether it is personal information about business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation.

 

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 32, 37, 50 and 54, then promote the PIA to the OPDIV Senior Official for Privacy who will authorize the PIA.

 

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

 


Please select "Yes" for all applicable IIF categories.  If the applicable IIF category is not listed, please use the Other field to identify the appropriate category of IIF:

Check all that apply (Yes/No):

Date of Birth: No
Social Security Number (SSN): No
Photographic Identifiers: No
Driver’s License: No
Biometric Identifiers: No
Mother’s Maiden Name: No
Vehicle Identifiers: No
Mailing Address: No
Phone Numbers: No
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web Uniform Resource Locator(s) (URL): No
Email Address: Yes
Education Records: No
Military Status: No
Employment Status: No
Foreign Activities: No
Other: Yes, Name



 

 


18. Please indicate the categories of individuals about whom IIF is collected, maintained, disseminated and/or passed through.  Note:  If the applicable IIF category is not listed, please use the Other field to identify the appropriate category of IIF.

Categories (Yes/No):

Employees: No
Public Citizen: Yes
Patients: No
Business partners/contacts (Federal, state, local agencies): No
Vendors/Suppliers/Contractors: No
Other: No



 

 

19. Are records on the system retrieved by one or more data elements?

 Yes

If yes, please select all applicable IIF categories.  If the applicable IIF category is not listed, please use the Other field to identify the appropriate category of IIF.

Please specify what data elements are or will be used in retrieving the records (Yes/No):

Name: Yes
Date of Birth: No
SSN: No
Photographic Identifiers: No
Driver’s License: No
Biometric Identifiers: No
Mother’s Maiden Name: No
Vehicle Identifiers: No
Mailing Address: No
Phone Numbers: No
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web URLs: No
Email Address: Yes
Education Records: No
Military Status: No
Employment Status: No
Foreign Activities: No
Other: No



 

 

20. Are 10 or more records containing IIF maintained, stored or transmitted/passed through this system?

 Yes

 

 

*21. Is the system subject to the Privacy Act?

 Yes

 21 A.   If yes, but a SOR has not been created, please provide an explanation:

 

 

INFORMATION SHARING PRACTICES

Information Sharing Practices

22. Does the system share or disclose IIF with other divisions within this agency, external agencies, or other people or organizations outside the agency?

 No

 If yes, please identify the category of IIF shared or disclosed.  If the category of personal information is not listed, please check Other and identify the category.

(Not applicable; no category is checked because no IIF is shared or disclosed.)



 

 

*23. If the system shares or discloses IIF please specify with whom and for what purpose(s):

 The system will not share or disclose PII.

 

 

24. If the IIF in the system is matched against IIF in one or more other computer systems, are computer data matching agreement(s) in place?

 No

 

 

25. Is there a process in place to notify organizations or systems that are dependent upon the IIF contained in this system when major changes occur (i.e., revisions to IIF, or when the system is replaced)?

 No

 

 

26. Are individuals notified how their IIF is going to be used?

 Yes

If yes, please describe the process for allowing individuals to have a choice:

Within the survey, participants will be allowed to skip the question and not supply contact information.

 

 

27. Is there a complaint process in place for individuals who believe their IIF has been inappropriately obtained, used, or disclosed, or that the IIF is inaccurate?

Yes

If yes, please describe briefly the notification process:

An email link and name will be supplied for those who wish to contact the survey manager. The individual will need to provide the following information to the survey manager:

  1. Full name used while completing the survey;

  2. Name and location (i.e., online or telephone) of the evaluation study in which the requester participated;

  3. Approximate date of participation;

  4. Their complaint and information supporting that complaint.

The requester must also verify his or her identity by providing either a notarization of the request or a written certification that the requester is who he or she claims to be and understands that the knowing and willful request for acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act, subject to a five thousand dollar fine.

The survey manager will review the complaint and contact the requester with a resolution.

 

 

28. Are there processes in place for periodic reviews of IIF contained in the system to ensure the data’s integrity, availability, accuracy and relevancy?

 No

If yes, please describe briefly the review process:

 

 

 

29. Are there rules of conduct in place for access to IIF on the system?

 Yes

If yes, identify all users with access to IIF on the system and briefly state the purpose for each user to have access:

Users with access to IIF (Yes/No; purpose):

User: No
Administrators: Yes. The Database Administrator will have direct access to the database for the purpose of developing the web-based survey and general server maintenance.
Developers: No
Contractors: Yes. Conduct follow-up with survey respondents.
Other: (blank)



*30. Please describe in detail the information the agency will collect, maintain, or disseminate and why and for what purpose the agency will use the information.  In this description, indicate whether the information contains IIF and whether submission of personal information is voluntary or mandatory:

Information about the respondents’ knowledge, attitudes, and behaviors regarding HIV vaccines will be collected via this survey of key influencers. Key influencers will be drawn from a database, created by NOVA, of organizations doing HIV/AIDS prevention-related work. The data collected will be used to gauge the level of support for HIV vaccine research among key influencers and to draw conclusions about the NIAID HIV Vaccine Research Education Initiative (NHVREI). The PII obtained (names and email addresses) will be used to re-contact key influencers for a similar follow-up survey so that responses at time 1 and time 2 can be compared. Submission of PII is voluntary.

 

 

*31. Please describe in detail any processes in place to:

•    notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection)

•    notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared:

Notification of the use of PII will be included on the survey website (electronic notice). Consent is given tacitly when a participant completes the survey and supplies the PII. System changes are not anticipated; if a change does require notifying individuals whose PII is in the system, notification will be sent by email.

Note: Please describe in what format individuals will be given notice of consent (e.g., written notice, electronic notice, etc.).

 

WEBSITE HOSTING PRACTICES

Website Hosting Practices

32. Does the system host a website?

Yes, the system will consist of a survey Web site that stores collected data in a backend relational database.





If yes, please indicate what type of site the system hosts (Yes/No):

Internet: Yes
Intranet: No
Both: No



33. Is the website accessible by the public or other entities (i.e., Federal, state, and/or local agencies, contractors, third party administrators, etc.)?

 No

 

 

34. Is a website privacy policy statement (consistent with OMB M-03-22 and Title II and III of the E-Government Act) posted on the website?

 Yes, it will be once the site is ready.

 

 

35. Is the website’s privacy policy in machine-readable format, such as Platform for Privacy Preferences (P3P)?

 Yes

 If no, please indicate when the website will be P3P compliant:

 

36. Does the website employ persistent tracking technologies?

 No

 If yes, identify the type(s) of cookies in use (Yes/No):

Web Bugs: (blank)
Web Beacons: (blank)
Session Cookies: Yes
Persistent Cookies: (blank)
Other: (blank)

Note that session cookies expire when the browser session ends and are not a persistent tracking technology, so the "Yes" for session cookies is consistent with the "No" above.



 

 

*37. Does the website have any information or pages directed at children under the age of thirteen?

 No

 If yes, is there a unique privacy policy for the site, and does the unique privacy policy address the process for obtaining parental consent if any information is collected?

 

 

 

38. Does the website collect IIF from individuals?

 Yes





If yes, please indicate the category of IIF (Yes/No):

Name: Yes
Date of Birth: No
SSN: No
Photographic Identifiers: No
Driver's License: No
Biometric Identifiers: No
Mother's Maiden Name: No
Vehicle Identifiers: No
Mailing Address: No
Phone Numbers: No
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web URLs: No
Email Address: Yes
Education Records: No
Military Status: No
Employment Status: No
Foreign Activities: No
Other: No



 

 

39. Are rules of conduct in place for access to IIF on the website?

Yes, data handling instructions will be provided within the Administrator’s tool where data containing PII may be downloaded.

40. Does the website contain links to sites external to the OPDIV that owns and/or operates the system?

 Yes

If yes, note whether the system provides a disclaimer notice for users that follow external links to websites not owned or operated by the OPDIV.

Yes, a notice will be provided at the end of the survey before linking to the Amazon site to provide the survey incentive.

ADMINISTRATIVE CONTROLS

Administrative Controls

Note: This PIA uses the terms “Administrative,” “Technical” and “Physical” to refer to security control questions—terms that are used in several Federal laws when referencing security requirements.

41. Has the system been certified and accredited (C&A)?

No, C&A is in progress.

If the system requires a C&A and one has not been completed, please indicate when the C&A is scheduled for completion.

 

42. Is there a system security plan for this system?

Yes

43. Is there a contingency (or backup) plan for the system?

Yes

44. Are files backed up regularly?

Yes

45. Are backup files stored offsite?

Yes

46. Are there user manuals for the system?

 

47. Have personnel (system owners, managers, operators, contractors and/or program managers) using the system been trained and made aware of their responsibilities for protecting the information being collected and maintained?

Yes

48. If contractors operate or use the system, do the contracts include clauses ensuring adherence to privacy provisions and practices?

Yes

49. Are methods in place to ensure least privilege (i.e., “need to know” and accountability)?

Yes

 If yes, please specify method(s).

End users of the system will have access only to the web-based survey pages served by the system. Administrative users will have access to collected data, but only through password-protected web-based download tools. Only system administrators will have direct access to the database or other components of the survey system.
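The three tiers described in this answer (survey pages for end users, a password-protected download tool for administrative users, direct database and server access only for system administrators) amount to a deny-by-default authorization model. The following is an added illustration of that model, not code from the Key Influencer Survey system or from NOVA Research Company; the role and resource names, the sample records and the download-tool password are assumptions made for the example.

```python
"""Illustrative model of the three access tiers described in Q49.

Added example, not code from the Key Influencer Survey system. Role names,
resource names, the sample records and the download-tool password are
assumptions made for illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from enum import Enum


class Role(Enum):
    END_USER = "end_user"      # survey respondents: survey pages only
    ADMIN_USER = "admin_user"  # project staff: pages plus password-protected download
    SYSADMIN = "sysadmin"      # system administrators: direct database/server access


# Allow-list. A (role, resource) pair not listed here is denied, so a new
# resource is unreachable until someone grants it explicitly.
PERMISSIONS = {
    Role.END_USER: frozenset({"survey_pages"}),
    Role.ADMIN_USER: frozenset({"survey_pages", "data_download"}),
    Role.SYSADMIN: frozenset({"survey_pages", "data_download", "database", "server"}),
}

# Accountability: every decision, allowed or denied, is recorded here.
AUDIT_LOG = []


def _record(actor, role, event, allowed):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "role": role.value,
        "event": event,
        "allowed": allowed,
    })


def authorize(actor, role, resource):
    """Deny-by-default access check that also writes an audit entry."""
    allowed = resource in PERMISSIONS.get(role, frozenset())
    _record(actor, role, resource, allowed)
    return allowed


def make_verifier(password, iterations=200_000):
    """Keep a salted PBKDF2 hash of the download-tool password, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(password, verifier):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), verifier["salt"], verifier["iterations"]
    )
    # Constant-time comparison so timing does not reveal how much of a guess matched.
    return hmac.compare_digest(candidate, verifier["digest"])


# Constructed sample of collected records; names and addresses are made up.
COLLECTED_DATA = [
    {"name": "Respondent A", "email": "a@example.org", "supports_research": True},
    {"name": "Respondent B", "email": "b@example.org", "supports_research": False},
]


def download_data(actor, role, password, verifier):
    """The password-protected download tool: role check first, then the tool password."""
    if not authorize(actor, role, "data_download"):
        raise PermissionError(f"{actor} ({role.value}) may not download collected data")
    if not check_password(password, verifier):
        _record(actor, role, "data_download:bad_password", False)
        raise PermissionError("download-tool password rejected")
    return [dict(record) for record in COLLECTED_DATA]


if __name__ == "__main__":
    verifier = make_verifier("example-download-password")  # assumed tool secret
    print(authorize("respondent-1", Role.END_USER, "data_download"))  # False
    print(len(download_data("staff-1", Role.ADMIN_USER, "example-download-password", verifier)))  # 2
    print(authorize("staff-1", Role.ADMIN_USER, "database"))  # False
```

Two details worth confirming in the real download tool: the tool password should be stored as a salted hash and compared in constant time, as above, and every decision, denied as well as allowed, should land in an audit trail so the "accountability" half of least privilege has a record to point at.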

*50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?

Yes

If yes, please provide some detail about these policies/practices.

PII will be maintained until 2 months after the last data collection is performed and the data are no longer necessary.

TECHNICAL CONTROLS

Technical Controls

51.  Are technical controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system?

Yes





If yes, check all technical controls that are currently in place (Yes/No):

User Identification: Yes
Passwords: Yes
Firewall: Yes
Virtual Private Network (VPN): No
Encryption: Yes
Intrusion Detection System (IDS): Yes
Common Access Cards (CAC): No
Smart Cards: No
Biometrics: No
Public Key Infrastructure (PKI): No



52.  Is there a process in place to monitor and respond to privacy and/or security incidents?

Yes

If yes, please briefly describe the process:

System administrators regularly review security logs for suspicious behavior. In addition, intrusion detection tools built into the system automatically notify administrators of abnormal server behavior.

PHYSICAL ACCESS

Physical Access

53.  Are physical access controls in place?

Yes





If yes, check all physical controls that are currently on the system (Yes/No):

Guards: No
Identification Badges: No
Key Cards: Yes
Cipher Locks: No
Biometrics: No
Closed Circuit TV (CCTV): No



 

 

*54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.

Only individuals working on the project will have administrative access to the files; all files will be kept on secure servers; and computers containing the data are maintained in a secure location under lock and key.


APPROVAL/DEMOTION

PIA Reviewer Approval/Promotion or Demotion

Promotion/Demotion:

Comments:

Approval/Demotion Point of Contact:

Senior Official for Privacy Approval/Promotion or Demotion

Promotion/Demotion:

Comments:

OPDIV Senior Official for Privacy or Designee Approval

Please print the PIA and obtain the endorsement of the reviewing official below. Once the signature has been collected, retain a hard copy for the OPDIV's records. Submitting the PIA will indicate the reviewing official has endorsed it.

This PIA has been reviewed and endorsed by the OPDIV Senior Official for Privacy or Designee (Name and Date):

Name:  ____________________________        Date:  ____________________________

Department Approval to Publish to the Web

Approved for web publishing

Date Published:


File Type: application/msword
File Title: ProSight Portfolios Report
Author: CIT
Last Modified By: Daniel Eckstein
File Modified: 2009-09-21
File Created: 2009-09-10

© 2024 OMB.report