	
Privacy Impact Assessment Form
v 1.43
	
Status: Draft
Form Number: F-54643
Form Date: 9/18/2013 10:56:01 AM
	
Question Answer
	
OPDIV: TEST
PIA Unique Identifier: P-5860043-506903
2a Name: Test 9-18-01
	
	
	
	
	
The subject of this PIA is which of the following?
General Support System (GSS)
Major Application
Minor Application (stand-alone)
Minor Application (child)
Electronic Information Collection
Unknown

3a Identify the Enterprise Performance Lifecycle Phase of the system. Development

3b Is this a FISMA-Reportable system? Yes No

Does the system include a Website or online application available to and for the use of the general public? Yes No
	
			Agency Contractor
	
	
Point of Contact (POC):
POC Title: Program Analyst
POC Name: Paris A Watson
POC Organization: OD/DPCPSI/ODP
POC Email: watsonpa@od.nih.gov
POC Phone: 301.496.6615
			New Existing
			Yes No
8a Date of Security Authorization
11 Describe the purpose of the system.
One of the Office of Disease Prevention's priorities is to promote the use of the best available methods in prevention research and support the development of better methods. One of our strategies is to help the Center for Scientific Review (CSR) identify experts in prevention science methods to include on their review panels. This will strengthen the panels and improve the quality of the prevention research supported by NIH. To identify experts in prevention science methods, we worked with our contractor, IQ Solutions, Inc., to develop online software which will allow us to collect scientists’ names, contact information, and resumes, as well as to have those scientists identify their level of expertise in a variety of prevention science methods and content areas. The data collected with this software will be used to create a web-based tool that CSR staff can use to identify scientists with expertise in specific prevention science methods and content areas for invitation to serve on one of the CSR review panels. If successful, this system will also be shared with review staff in the other Institutes and Centers at NIH to use in the same way. Given our plans to create an automated system for reviewer information collection, we are now seeking OMB approval.
12 Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)
Prevention scientists that would like to participate in the Expertise in Prevention Science program (EPS) will have an opportunity to provide their content, CV, and methodological and prevention science content areas of expertise.

13 Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.
The NIH Office of Disease Prevention (ODP) Expertise in Prevention Science (EPS) program is being developed to (1) identify experts in methodology who also have an expertise in content areas related to prevention science, (2) identify mid- and senior-level researchers who may have an interest in serving on study sections, and (3) to enrich the existing pool of NIH reviewers coordinated by the Center for Science Research (CSR) by including scientists with methodological and prevention science expertise that review prevention applications. Scientists interested in including their information for the EPS program will provide some identifying information, content and methodological areas of expertise, Curriculum Vitae (CV) or professional resumes, and willingness to serve on a study section. They are vetted for inclusion in the EPS program based on their self-reported level of expertise in methodological and prevention science content areas, as well as the information provided in their CVs.

14 Does the system collect, maintain, use or share PII? Yes
 
 
 
 
	
	
	
	
	
	
	
	
	
	
	
Indicate the type of PII that the system will collect or maintain.
Social Security Number
Date of Birth
Name
Photographic Identifiers
Driver's License Number
Biometric Identifiers
Mother's Maiden Name
Vehicle Identifiers
E-Mail Address
Mailing Address
Phone Numbers
Medical Records Number
Medical Notes
Financial Account Info
Certificates
Legal Documents
Education Records
Device Identifiers
Military Status
Employment Status
Foreign Activities
Passport Number
Taxpayer ID
	
	
	
	
	
	
	
Indicate the categories of individuals about whom PII is collected, maintained or shared.
Employees Public Citizens
Business Partners/Contacts (Federal, state, local agencies) Vendors/Suppliers/Contractors
Patients
	
	
Other
	
How many individuals' PII is in the system? 500-4,999
	
	
	
PII will provide information to the NIH community (CSR and others) regarding participants' current employment, publication history, grants received, and other professional achievements, all of which are very useful in evaluating applicants’ eligibility to serve on study sections as reviewers.
	
	
	
	
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)
	
Secondarily, PII will provide the ODP with a pool of experts in various methodological areas to provide training for staff.
	
	
			 N/A
			
	
	
	 
		 N/A
		
	
Identify legal authorities governing information use and disclosure specific to the system and program.
legal authority of ODP within OD/DPCPSI... gives us permission to operate as ODP

Are records on the system retrieved by one or more PII data elements? No
	
	
	
	
22a Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed.
Published: 09-25-0036
Published:
Published:
	
	
	
	
	
	
In Progress
	
	
Identify the sources of PII in the system.

Directly from an individual about whom the information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other

Government Sources
Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other

Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector

23a Identify the OMB information collection approval number and expiration date.
in progress
		
	
	
	
	
Is the PII shared with other organizations?
Yes No
Within HHS
	
	
	
	
24a Identify with whom the PII is shared or disclosed and for what purpose.
NIH Center for Scientific Review
	
Other Federal Agency/Agencies
State or Local Agency/Agencies
	
	
Private Sector
	
	
	
	
24b Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).
	 
	
	 
		 N/A
		
		
25 Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
Individuals are notified at two points that their personal information will be collected. On the landing page, the potential EPS participant is notified "If you chose to share your information, you may be asked to review applications, either on an ad hoc basis or as part of a study section." After the creation of a username/password, a potential participant must choose a disclosure:

If a potential participant chooses not to share their information, they receive a thank you message and the system doesn't allow them to enter PII.

26 Is the submission of PII by individuals voluntary or mandatory? Voluntary Mandatory

27 Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
Participation in the EPS program is entirely voluntary. They have an opportunity to opt out prior to entering PII (see #25).

28 Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
EPS participants will receive an email:
1. when major changes to the system require them to update their information
2. each year asking them to update their information

29 Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
The EPS website will have the ODP point of contact's information in case there are changes or concerns by participants. The ODP POC will have administrator privileges and will be able to make changes to or freeze an account.

30 Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
Data from the EPS Tool and Software (ESTS) will be reviewed regularly by the ODP POC and CSR Scientific Review Officers for accuracy. If a participant's information is incorrect, the ODP POC will be notified and the EPS participant will be notified by email and asked to update their information to ensure data maintained is accurate and relevant.
31 Identify who will have access to the PII in the system and the reason why they require access.
Users: CSR Scientific Review Officers will use the ESTS to identify potential grant reviewers with expertise in methodology.
Administrators: ODP Administrators will use the ESTS to ensure participants' data is accurate and make any necessary modifications to records or the system.
Contractors: ODP contractors will have access to the system as back-up to the ODP Administrators and site developers.

32 Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
Due to the nature of the EPS program, those deemed "system users" by the ODP Director, or their designee, will have access to PII. Users will be able to view and download reports, but not modify information. Administrators and Contractors will be able to view and download information, as well as modify and delete records.

33 Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
All users will be granted access via PIV cards. CSR will submit a list of SROs that will utilize the system and the ODP Administrator and Contractor will work together to grant individual permissions.

34 Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.
A standard operating procedure will be developed to make users aware of the ESTS, its function, and their responsibilities for protecting PII.

35 Describe training system users receive (above and beyond general security and privacy awareness training).
N/A

36 Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

37 Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

38 Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.
The ESTS data will be housed on the CIT/OIT server and only accessible through PIV card log in. Only those identified by the ODP and CSR Director, or their designees, will receive access. EPS administrators and contractors are the only people allowed full access to the system.

39 Identify the publicly-available URL: under development, but will be housed on the ODP website (prevention.nih.gov)

40 Does the website have a posted privacy notice? Yes
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
	
	
40a Is the privacy policy available in a machine-readable format? Yes No

41 Does the website use web measurement and customization technology? Yes No

42 Does the website have any information or pages directed at children under the age of thirteen? Yes No

43 Does the website contain links to non-federal government websites external to HHS? Yes No
	
	
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.
	
	
Reviewer Questions Answer

1 Are the questions on the PIA answered correctly, accurately, and completely? Yes No
Reviewer Notes

2 Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities? Yes No
Reviewer Notes

3 Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors? Yes No
Reviewer Notes

Does the PIA appropriately describe the PII quality and integrity of the data? Yes No
Reviewer Notes

Is this a candidate for PII minimization? Yes No
Reviewer Notes

Does the PIA accurately identify data retention procedures and records retention schedules? Yes No
Reviewer Notes

Are the individuals whose PII is in the system provided appropriate participation? Yes No
Reviewer Notes
Does the PIA raise any concerns about the security of the PII? Yes No
Reviewer Notes

9 Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be? Yes No
Reviewer Notes

Is the PII appropriately limited for use internally and with third parties? Yes No
Reviewer Notes

Does the PIA demonstrate compliance with all Web privacy requirements? Yes No
Reviewer Notes

Were any changes made to the system because of the completion of this PIA? Yes No
Reviewer Notes
	
	
	
General Comments
	
	
	
	
	
OPDIV Senior Official for Privacy Signature
	
HHS Senior Agency Official for Privacy
	 
	
| File Type | application/zip | 
| File Modified | 0000-00-00 | 
| File Created | 2021-01-13 |