PIA word

Att13 PIA_Form.docx

Promoting Adolescent Health through School-Based HIV Prevention


OMB: 0920-1275


Privacy Impact Assessment Form

v 1.21


Status Form Number 0920-19AUK Form Date 11/21/2019


Question Answer


  1. OPDIV: CDC

  2. PIA Unique Identifier: 0920-19AUK

2a Name: Promoting Adolescent Health through School-Based HIV Preven






  3. The subject of this PIA is which of the following?

General Support System (GSS)

Major Application

Minor Application (stand-alone)

Minor Application (child)

Electronic Information Collection

Unknown

3a Identify the Enterprise Performance Lifecycle Phase of the system.

Initiation

3b Is this a FISMA-Reportable system?

Yes No

  4. Does the system include a Website or online application available to and for the use of the general public?

Yes No


  5. Identify the operator.

Agency Contractor

  6. Point of Contact (POC):

POC Title: Health Scientist

POC Name: Diane Orenstein

POC Organization: CDC, NCHHSTP, DASH

POC Email: dro1@cdc.gov

POC Phone: 770.488.8003



  7. Is this a new or existing system?

New Existing

  8. Does the system have Security Authorization (SA)?

Yes No

8b Planned Date of Security Authorization

Not Applicable

8c Briefly explain why security authorization is not required

Because this is not a system.

10 Describe in further detail any changes to the system that have occurred since the last PIA.


n/a







11 Describe the purpose of the system.

In September 2018, the Division of Adolescent and School Health (DASH) funded 25 Local Education Agencies (LEAs) under Promoting Adolescent Health through School-Based HIV Prevention (PS18-1807). PS18-1807 supports a multi-component, multi-level effort to support youth reaching adulthood in the healthiest possible way. DASH is developing the Program Evaluation and Reporting System (PERS), a program evaluation and monitoring system for LEAs to report process and outcome measures. PERS will collect data about LEAs and their priority schools related to three strategies: Sexual Health Education (SHE), Sexual Health Services (SHS), and Safe and Supportive Environments (SSE).







12 Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)

LEAs will enter process and outcome data into the PERS system semi-annually, using a set of three questionnaires. The questionnaires ask for programmatic information about the LEAs and their priority schools. Data collection involves collecting programmatic reporting data from the project manager at each of the funded NOFO 1807 Local Education Agencies (LEAs). LEAs are the school districts funded to implement this programmatic initiative.

The data that is collected from the program managers does not involve the collection of sensitive or personal information.

Although the name and work email address of the program managers at each LEA entering, viewing, and submitting data are stored for each responding organization, the system only collects programmatic data about LEAs and priority schools.

13 Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

Data entry into PERS is structured as a series of questionnaires which are answered by each LEA for their own work and the work of their priority schools. In addition, LEAs can upload relevant curriculum documents into the system. LEAs will have the option for multiple staff members to have log-ins. To facilitate the data collection process for LEAs, copies of the questionnaires in PDF format are available for download from PERS.

The data that is collected from the program managers does not involve the collection of sensitive or personal information.

Although the name and work email address of the program managers at each LEA entering, viewing, and submitting data are stored for each responding organization, the system only collects programmatic data about LEAs and priority schools.


14 Does the system collect, maintain, use or share PII?

Yes No

15 Indicate the type of PII that the system will collect or maintain.

Social Security Number Date of Birth

Name Photographic Identifiers Driver's License Number Biometric Identifiers

Mother's Maiden Name Vehicle Identifiers

E-Mail Address Mailing Address

Phone Numbers Medical Records Number

Medical Notes Financial Account Info

Certificates Legal Documents

Education Records Device Identifiers

Military Status Employment Status

Foreign Activities Passport Number Taxpayer ID Other...

Business E-Mail Address Other...

Other... Other...






16 Indicate the categories of individuals about whom PII is collected, maintained or shared.

Employees

Public Citizens

Business Partners/Contacts (Federal, state, local agencies) Vendors/Suppliers/Contractors

Patients


Other


17 How many individuals' PII is in the system?


100-499




18 For what primary purpose is the PII used?

Names and email addresses are used to link PERS users to their LEA and to determine which forms they have access to in the system. Professional email addresses are used as the user log-in.


19 Describe the secondary uses for which the PII will be used (e.g. testing, training or research)


none



20 Describe the function of the SSN.


n/a



20a Cite the legal authority to use the SSN.


n/a



21 Identify legal authorities governing information use and disclosure specific to the system and program.

Sections 301(a) and 317(k)(2) of the Public Health Service Act [42 U.S.C. Sections 241 and 247(k)(2)], as amended



22 Are records on the system retrieved by one or more PII data elements?

Yes No


22a Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed.

Published:

Published:

Published:

In Progress








23 Identify the sources of PII in the system.

Directly from an individual about whom the information pertains

In-Person Hard Copy: Mail/Fax

Email Online Other Government Sources

Within the OPDIV Other HHS OPDIV State/Local/Tribal

Foreign Other Federal Entities

Other Non-Government Sources

Members of the Public Commercial Data Broker Public Media/Internet

Private Sector

Other


23a Identify the OMB information collection approval number and expiration date.


24 Is the PII shared with other organizations?

Yes No



24a Identify with whom the PII is shared or disclosed and for what purpose.

Within HHS

Other Federal Agency/Agencies

State or Local Agency/Agencies

Private Sector

24b Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).

DASH website includes the names of the following: all our funded LEAs from PS18-NOFO1807 and all project managers for each LEA.

Anyone can google “local education agencies within a specified state” and all of the school districts will appear. Any person can then see all of the departments within the specific LEA, e.g. school instruction & curricula, funded projects, etc.

Once a department or program is opened, a person can then go to “directory” and see a list of names and emails for all persons on staff.


24c Describe the procedures for accounting for disclosures


N/A

25 Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Individuals are asked to register in the system using their name, professional email address, and LEA name.


26 Is the submission of PII by individuals voluntary or mandatory?

Voluntary Mandatory

27 Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Individuals can opt-out of providing their name or email address, however, they will not be able to access the system. The system must be able to identify the user via email address and the user must be linked to their LEA for data collection and analysis.

28 Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

In the event that a major change occurs, individuals will be notified via email.

29 Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

No process exists as we will only be collecting individuals' names and their professional email address.

30 Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The contract will review the list of registered users at various points in the project to ensure that only active users' PII is stored in the system.






31 Identify who will have access to the PII in the system and the reason why they require access.

Users

Administrators: System maintenance

Developers: System development and maintenance

Contractors: System maintenance and data analysis

Others

32 Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Administrators, developers, and contractors that are responsible for maintaining and developing the system and conducting data analysis will have a "Systems/Database Administrator" user-type which will allow them to access the User Names and Email addresses. Other PERS users will only have access to their own user name, email, and data.

33 Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Those with access to PII need to be able to confirm the users' names, email addresses, and corresponding funded agency.

34 Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All CDC employees and contractors must complete the Records Management and Security Awareness training. In addition, IT Administrators must take the Information Security for IT Administrators course.

35 Describe training system users receive (above and beyond general security and privacy awareness training).

MASO and SAT, both on cdc.gov

36 Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes No

37 Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Records are retained and disposed of in accordance with the CDC Records Control Schedule 04-4-22 Family of HIV Surveys, Division of HIV/AIDS Prevention/Surveillance and Epidemiology.

38 Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative controls: The information collection involves use of web-based data collection methods. The website does use cookies, and access to the web-based questionnaire is password-protected and given only to the staff of the CDC/DASH-funded LEAs who will complete the questionnaires.

Once the contractor is notified that business partners are no longer participating, an Administrator will delete the individuals' contact information from the list of users.

Technical controls: CDC will maintain information in secure electronic files that will only be accessible to authorized members of the team. Electronic files will be stored on secure network servers, and access will be restricted to approved team members identified by user ID and password.



REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions Answer

1 Are the questions on the PIA answered correctly, accurately, and completely?

Yes No

Reviewer Notes

2 Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities?

Yes No

Reviewer Notes

3 Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors?

Yes No

Reviewer Notes

4 Does the PIA appropriately describe the PII quality and integrity of the data?

Yes No

Reviewer Notes

5 Is this a candidate for PII minimization?

Yes No

Reviewer Notes

6 Does the PIA accurately identify data retention procedures and records retention schedules?

Yes No

Reviewer Notes

7 Are the individuals whose PII is in the system provided appropriate participation?

Yes No

Reviewer Notes

8 Does the PIA raise any concerns about the security of the PII?

Yes No

Reviewer Notes

9 Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be?

Yes No

Reviewer Notes

10 Is the PII appropriately limited for use internally and with third parties?

Yes No

Reviewer Notes

11 Does the PIA demonstrate compliance with all Web privacy requirements?

Yes No

Reviewer Notes

12 Were any changes made to the system because of the completion of this PIA?

Yes No

Reviewer Notes




File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Modified: 0000-00-00
File Created: 2021-01-15
