Privacy Impact Assessment/IT Security ICR Questionnaire
Proposed Project Name: Assessment of Potential Exposure from Private Wells for Drinking Water
CDC Point of Contact: Lorraine Backer
Please answer the following questions:
What mechanism(s) will be used for this ICR? Check all that apply.
☒ |
Contract |
Contract #: TBD Contract Name: Period of Performance: |
☒ |
Cooperative Agreement |
|
☐ |
Grant |
|
☒ |
Internal Project and Funding |
|
If more than one mechanism is selected, please explain the role each plays.
Please provide a data flow diagram beginning with information collection to the end of your process.
Data collection:
Data will be collected by CDC investigators in collaboration with a public health partner (e.g., State Health Department.
Data storage and analysis:
The State Health Department will keep the survey instruments, including PII, according to their applicable rules for data protection.
CDC will receive an Excel file with only de-identified data for analysis.
Data sharing:
Aggregate data will be made public via publications and presentations.
If the sample size is large enough (the journal PLOS recommends a sample size > 100 individuals), individual data will be made public according to CDC’s rules governing public access.
Check the groups below for which you are collecting data:
☒ |
US Citizens |
☐ |
Legal US Residents |
☐ |
Non-US Citizens |
What impact would there be from an unauthorized disclosure of this data?
Personal identifiers could be compromised.
Is the data de-identified or linked? If true, please describe.
Data provided to CDC will be identified by code. Only the public health partner involved in the investigation will have access to the code.
What are the data fields that will be collected?
See questionnaire for a complete list.
Overview of questions types used for data collection
Question Type |
# of Questions Used |
General information (e.g., name, address) |
3 |
Socio-demographics |
7 |
Household water source(s) |
6 |
Household water use |
6 |
Environmental exposures not related to drinking water from private wells (confounders) |
7 |
Perceptions and practices that might affect an individual’s exposure level |
9 |
Most questions are yes/no responses or multiple choice. Twenty-four questions require that the respondent provide specific information (e.g., name, address, GPS of well, number of people in the household in various age ranges).
Will SSN’s be collected?
No.
Will personably identifiable information (PII) be collected? If so, what fields?
Name, address, contact information so the public health partner can provide results to participants.
Will the data collected be processed, stored, or transmitted by an information system? (If no, please proceed to question 8)
No.
Will the data collected be processed, stored in, or transmitted by existing CDC information system(s)? Add multiple system entries if necessary.
System Name:
ESC ID Number:
What will be system do with the data (process, store, transmit)?
Will the data collected be processed, stored in, or transmitted by new CDC information system(s)? Add multiple system entries if necessary.
System Name:
ESC ID Number:
System Phase: <Planning, Development, or Implementation>
What will be system do with the data (process, store, transmit)?
Will the data collected be processed by, stored in, or transmitted by a non-CDC information system(s)?
System Name:
System Owner:
System Phase: <Planning, Development, Implementation, Operations/Maintenance>
What will be system do with the data (process, store, transmit)?
If a system is not involved in the processing of this information, please describe the technical, administrative, and physical controls that will protect this data.
The public health partner involved in the investigation will keep an PII. CDC will receive an Excel file containing de-identified data. CDC will not have access to the code linking data to PII.
The identifiable data will be held according to the controls specified by the public health partner.
CDC will hold the de-identified data set in a password-protected computer file.
Is the data collected covered by an existing Privacy Impact Assessment (PIA)?
System Name -No
___________________________________________________________________________________________
Information Systems Security Officer Recommendations:
No Privacy Impact Assessment (PIA) required. Please contact the NCEH/ATSDR ISSO if any CDC system is created that will store, transmit, or process information described in this ICR.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Nicholson, Brian C. (CDC/OCOO/OCIO) |
File Modified | 0000-00-00 |
File Created | 2021-01-22 |