Download:
pdf |
pdfU.S. DEPARTMENT OF
HOUSING AND URBAN DEVELOPMENT
PRIVACY THRESHOLD ANALYSIS (PTA)
National Family Self-Sufficiency
Program Demonstration
Office of Policy Development and Research
September 22, 2017
PRIVACY THRESHOLD ANALYSIS
The Privacy Threshold Analysis (PTA) is a compliance form developed by the Privacy Branch to
identify, across the Department, the use of Personally Identifiable Information (PII). The PTA is
the first step in the PII verification process, which focuses on these areas of inquiry:
•
Purpose for the information
•
Type of information
•
Sensitivity of the information
•
Use of the information
•
The risks to the information
Please use the attached form to determine whether a Privacy Impact Assessment (PIA) is
required under the E-Government Act of 2002 or a System of Records Notice (SORN) is
required under the Privacy Act of 1974, as amended.
Complete the form and send it to your program Privacy Liaison Officer (PLO). If you have no
program Privacy Liaison Officer, please send the PTA to Marcus R. Smallwood, Acting Chief
Privacy Officer, Privacy Branch, U.S. Department of Housing and Urban Development,
451 7th Street, SW, Room 10139, Washington, DC 20410 or privacy@hud.gov.
Upon its receipt from your program PLO, the HUD Privacy Branch will review the completed
form. If it determines that a PIA or SORN is required, the HUD Privacy Branch will send you a
copy of the PIA and SORN templates to complete and return to the Branch.
PRIVACY THRESHOLD ANALYSIS (PTA)
SUMMARY INFORMATION
Project or
Program Name:
National Family Self-Sufficiency Evaluation
Program:
Policy Development and Research (PD&R)
CSAM Name (if
applicable):
Click here to enter text.
CSAM Number
(if applicable):
Click here to enter text.
Type of Project or
Program:
Form or other Information
Collection
Project or
program
status:
Update
Click here to enter a date.
Pilot launch
date:
Click here to enter a date.
Click here to enter a date.
Pilot end date:
Click here to enter a date.
Choose an item.
ATO
expiration date
(if applicable):
Click here to enter a date.
Date first
developed:
Date of last PTA
update:
ATO Status (if
applicable)
PROJECT OR PROGRAM MANAGER
Name:
Regina C. Gray
Office:
PD&R
Title:
Social Science Analyst
Phone:
(202) 402-2876
Email:
regina.c.gray@hud.gov
INFORMATION SYSTEM SECURITY OFFICER (ISSO) (IF APPLICABLE)
Name:
Click here to enter text.
Phone:
Click here to enter text.
Email:
Click here to enter text.
SPECIFIC PTA QUESTIONS
1. Reason for submitting the PTA: Choose an item.
Please provide a general description of the project and its purpose so a nontechnical person could
understand. If this is an updated PTA, please describe the changes and/or upgrades triggering the
update to this PTA. If this is a renewal, please state whether there were any changes to the project,
program, or system since the last version.
HUD awarded the National Family Self-Sufficiency Evaluation to MDRC. The primary goal of the Family
Self-Sufficiency evaluation is to increase our knowledge about the effectiveness of FSS, which is aimed at helping
housing-assisted populations secure and maintain employment and gain independence from public support
programs. The implementation research will allow the research team to learn about the delivery of FSS services and
how different service delivery practices may influence participation and program effectiveness. Information
collected from staff will include data about staffing, program policies and approaches, case management practices,
the goal-setting process, Program Coordinating Committees’ involvement in service delivery, and program costs,
among other topics. Information collected from participants will include motivation for joining FSS, selection of
goals and progress toward goals, views about the escrow component, relationship with case managers, and
reflections on their experience with the program in general. This type of information is only available through field
research visits and interviews with staff and participants and cannot be obtained through administrative records or
surveys.
2. Does this system employ the following
technologies?
If you are using these technologies and want
coverage under the respective PIA for that
technology, please stop here and contact the HUD
Privacy Branch for further guidance.
Social Media
Web portal2 (e.g., SharePoint)
Contact Lists
Public website (e.g., A website operated by
HUD, contractor, or other organization on behalf
of HUD)
None of these; MDRC has its own secure web
portal
3. From whom does the project or
program collect, maintain, use, or
disseminate information?
Please check all that apply.
This program collects no personally identifiable
information3
Members of the public
HUD employees/contractors (list programs)
1
Informational and collaboration-based portals in operation at HUD, and its programs that collect, use, maintain, and share
limited personally identifiable information (PII) about individuals who are “members” of the portal or “potential members” who
seek to gain access to the portal.
2
HUD defines personal information as “personally identifiable information,” or PII, as any information that permits the identity
of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual,
regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to
the Department. “Sensitive PII” is PII, which if lost, compromised, or disclosed without authorization, could result in substantial
harm, embarrassment, inconvenience, or unfairness to an individual. For the purposes of this PTA, SPII and PII are treated the
same.
Contractors working on behalf of HUD
Employees of other Federal agencies
Other (e.g., business entity)
4. What specific information about individuals is collected, generated, or retained?
Please provide a specific description of information collected, generated, or retained (such as full names,
maiden name, mother’s maiden name, alias, Social Security number, passport number, driver’s license
number, taxpayer identification number, patient identification number, financial account, credit card
number, street address, internet protocol, media access control, telephone number, mobile number,
business number, photograph image, x-rays, fingerprints, biometric image, template date (e.g., retain
scan, well-defined group of people),vehicle registration number, title number, and information about an
individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion,
weight, activities, geographical indictors, employment information, medical information, education
information, financial information, etc.
The MDRC research team will be collecting the information below as part of the National Family
Self-Sufficiency Evaluation as part of the four data collection activities: Site Visit Interviews;
Administrative Study; Implementation Analysis, and Cost-Benefit Analysis.
This section provides an overview of the five (four data collection protocols and one
supplemental table) items submitted for clearance: Pre-interview Staff/PCC Table, a table to be
completed by staff before the field visit; Protocol 1 – Supervisor (Site Visit); Protocol 2 – Case Manager;
Protocol 3 – Participants; and Protocol 4 – Supervisor (Phone). FSS staff and participant experiences will
be documented as part of this round of implementation research. During this round, MDRC will conduct
structured in-depth interviews with approximately 36 staff members (3 PHA staff at each of nine PHAs in
person and one PHA staff at each of nine PHAs by phone) and up to 90 participants (10 at each of nine
sites) to learn about their experiences with and perspectives on the FSS program. The proposed interview
protocols are included in this submission in Appendices A-E.
In developing the pre-interview table for staff completion and the interview protocols, we attempted to
balance the need to capture a rich set of data against placing undue burden on the respondents, excluding
items that—while potentially interesting—are not critical to understanding the implementation of the FSS
program. Another goal was to keep the time allotted for each interview to a reasonable duration, thereby
limiting respondent burden. This section provides a brief overview of the pre-interview table and the
interview protocols.
IR3 Pre-interview Staff/PCC Table is a table shell for staff to complete prior to the research team
coming onsite. It asks for basic information about program size, staffing levels and responsibilities, and
the site’s Program Coordinating Committee. The intention is to allow supervisors to complete this table
on their own time, which will save time during the interview.
The following broad topics will be included in the supervisor and case manager interview protocols:
•
•
General Program and Staffing (supervisors only)
o Policy updates
Program Approach
•
Case Management
o Graduation
o Escrow
FSS Goal Setting
PCC and Service Referral Network
Program Costs (supervisors only)
•
•
•
•
The following broad topics will be included in the participant interview protocol:
•
•
•
•
•
•
Motivation for Joining FSS
Goal-Setting and Progress toward Goals
Relationship with Case Manager
Services Used
Escrow
Overall Assessment and Recommendations
A 60-day Federal Register notice was published on Friday, July 14, 2017: “Family Self-Sufficiency
Program Demonstration,” [Docket No. FR–6003–N–06]
No. Please continue to the next question.
Yes. If yes, please list all personal identifiers
used:
Site Visit Interviews: protocols will use full
names, business phone numbers, business email
4(a) Does the project, program, or system
addresses, job titles
retrieve information about U.S. Citizens or
Administrative Study: protocols will use full
lawfully admitted permanent resident
names, business phone numbers, business email
addresses, job titles of FSS coordinators,
aliens using personal identifiers?
managers, PHA Executive Director,
supervisors, case managers
FSS Study Participants: protocols will use full
names, phone numbers, home addresses in
accordance with informed consent.
No. Please continue to the next question.
4(b) Does the project, program, or system
Yes. If yes, provide the system name and
have an existing System of Records Notice
number, and the Federal Register citation(s)
(SORN), that has already been published in
for the most recent complete notice and any
the Federal Register that covers the
subsequent notices reflecting amendment
information collected?
to the system
4(c) Has the project, program, or system
No. Please continue to the next question.
undergone any significant changes since the
Yes. If yes, please describe.
SORN?
4(d) Does the project, program, or system
No.
use Social Security numbers (SSN)?
Yes.
4(e) If yes to 4(d), please provide the
N/A
specific legal authority and purpose for the
collection of SSNs.
4(f) If yes to 4(d), please describe the uses of
the SSNs within the project, program, or
system.
4(g) If this project, program, or system is
an information technology/system, does it
relate solely to infrastructure?
N/A
No. Please continue to next question.
Yes. If a log of communication traffic is kept,
please provide that information here.
For example, is the system a Local Area
Network (LAN) or Wide Area Network
(WAN)?
4(h) If header or payload data4 is stored in the communication traffic log, please detail the data
elements stored.
Click here to enter text.
N/A
5. Does this project, program, or system
connect, receive, or share PII with any
other HUD programs or systems?
6. Does this project, program, or system
connect, receive, or share PII with any
external (non-HUD) partners or
systems?
6(a) Is this external sharing pursuant to a
new or existing information sharing
access agreement (MOU, MOA, etc.)?
7. Does the project, program, or system
provide role-based training for
personnel who have access, in addition
to the annual privacy training required
of all HUD personnel?
3
No.
Yes. If yes, please list:
Click here to enter text.
No.
Yes. If yes, please list:
Click here to enter text.
No.
Yes. If yes, please choose from the dropdown
menu below:
Choose an item.
Please describe applicable information sharing
governance in place:
No.
Yes. If yes, please list: All MDRC personnel
are required to complete an online IRB course,
which, other topics, covers the handling of PII in a
Header: Information that is placed before the actual data. The header normally contains a small number of bytes of
control information, which is used to communicate important facts about the data that the message contains and how
it is to be interpreted and used. It serves as the communication and control link between protocol elements on
different devices.
Payload data: The actual data to be transmitted, often called the payload of the message (metaphorically borrowing a
term from the space industry!). Most messages contain some data of one form or another, but some actually contain
none: they are used only for control and communication purposes. For example, these may be used to set up or
terminate a logical connection before data is sent.
research context. Any researcher that will handle
any data containing PII will also have to sign our
staff confidentiality pledge and the HUD-MDRC
Non-Disclosure Agreement.
For the site visit data collection exercise, all
individuals involved in data collection (including
subcontracting personnel) will complete the MDRC
human subject research certification, sign our staff
confidentiality pledge, participate in our site visit
training, and ensure data are stored on appropriately
encrypted devices and transferred via SFTP to
MDRC.
For the survey data collection, the data will be
collected via Qualtrics (an online survey software
platform), so no direct contact with individuals will
occur and no PII will be collected. Hence, the
questionnaire protocols will not require role-based
training for its administration. However, all
individuals involved with analysis are required to
sign our confidentiality pledge and ensure data are
stored on appropriately encrypted devices.
8. Per NIST SP 800-53 Rev. 4, Appendix
J, does the project, program, or system
maintain an accounting of disclosures
of PII to individuals/agencies who have
requested access to their PII?
9. Is there a FIPS 199 determination?5
5
No. What steps will be taken to develop and
maintain the accounting:
Yes. In what format is the accounting
maintained:
Unknown.
No.
Yes. Please indicate the determinations for each
of the following:
Confidentiality:
Low
Moderate
High
Integrity:
Low
Moderate
High
Availability:
Low
Moderate
High
FIPS 199 (Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal
Information and Information Systems) is used to establish security categories of information systems.
PRIVACY THRESHOLD ANALYSIS REVIEW
(TO BE COMPLETED BY PROGRAM PLO)
Program Privacy Liaison Reviewer:
Ronald M. Hill
Date submitted to Program Privacy
Office:
Click here to enter a date.
Date submitted to HUD Privacy Branch:
Click here to enter a date.
Program Privacy Liaison Officer Recommendation:
Please include recommendation below, including what new privacy compliance documentation is needed.
Click here to enter text.
(TO BE COMPLETED BY THE HUD PRIVACY BRANCH)
HUD Privacy Branch Reviewer:
Click here to enter text.
Date approved by HUD Privacy Branch:
Click here to enter a date.
PTA Expiration Date:
Click here to enter a date.
DESIGNATION
Privacy Sensitive System:
Choose an item.
Category of System:
Choose an item.
If “other” is selected, please describe: Click here to enter text.
Determination:
If “no” PTA adjudication is complete.
PTA sufficient at this time.
Privacy compliance documentation determination in progress.
New information-sharing arrangement is required.
HUD Policy for Computer-Readable Extracts Containing Sensitive PII
applies.
Privacy Act Statement required.
Privacy Impact Assessment (PIA) required.
System of Records Notice (SORN) required.
Paperwork Reduction Act (PRA) Clearance may be required. Contact
your program PRA Officer.
A Records Schedule may be required. Contact your program Records
Officer.
PIA:
SORN:
Choose an item.
If covered by existing PIA, please list: Click here to enter text.
Choose an item.
If covered by existing SORN, please list: Click here to enter text.
HUD Privacy Branch Comments:
Please describe rationale for privacy compliance determination above.
Click here to enter text.
DOCUMENT ENDORSEMENT
DATE REVIEWED:11/20/2017
PRIVACY REVIEWING OFFICIAL’S NAME: Conique Key
By signing below, you attest that the content captured in this document is accurate and complete
and meet the requirements of applicable Federal regulations and HUD internal policies.
SYSTEM OWNER
Regina Gray, Social Science Analyst, Affordable
Housing Research and Technology Division
Office of Policy Development and Research
HELEN
FOSTER
CHIEF PRIVACY OFFICER
Helen Goff Foster
OFFICE OF ADMINISTRATION
11/20/2017
Date
Digitally signed by HELEN
FOSTER
Date: 2017.11.20 13:59:43
-05'00'
Date
File Type | application/pdf |
File Title | Microsoft Word - PTA_FSS Evaluation_Impact Analysis (v.3).docx |
File Modified | 2017-11-20 |
File Created | 2017-11-20 |