NICHD Privacy Impact Assessment (PIA)
The following required questions represent the information necessary to complete the PIA Summary for
transmission to the Office of Management and Budget (OMB) and public posting in accordance with OMB
Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. If the
system hosts a website, the Website Hosting Practices section is required to be completed regardless of the
presence of personally identifiable information (PII). If no PII is contained in the system, please answer the
related questions accordingly and then promote the PIA to the Senior Official for Privacy who will authorize the
PIA. If this system contains PII, all remaining questions on the PIA Form Tabs must be completed prior to
signature and promotion.
System Information
System Name
NICHD Data and Specimen Hub
System Acronym
DASH
Contract Number
n/a
For Official Use Only (FOUO)
Page 1
Privacy Impact Assessment
1. OPDIV
NICHD
2. PIA Unique Identifier
Click here to enter text.
a. System Name
NICHD Data and Specimen Hub (DASH)
3. The subject of this PIA is which of the following?
Select One:
☐ General Support System (GSS)
☒ Major Application
☐ Minor Application (stand-alone)
☐ Minor Application (child)
☐ Electronic Information Collection
☐ Unknown
a. Identify the Enterprise Performance Lifecycle Phase of the system.
Select One:
☐ Initiation
☐ Concept
☐ Planning
☐ Requirements Analysis
☐ Design
☐ Development
☐ Test
☒ Implementation
☒ Operations and Maintenance
☐ Disposition
b. Is this a FISMA-Reportable system?
☐ Yes
☒ No
4. Does the system include
a Website or online
application available to
and for the use of the
general public?
☒ Yes
☐ No
5. Identify the operator
Select One: ☒ Agency ☐ Contractor
6. Point of Contact (POC)
a. POC Title
NICHD ISSO
b. POC Name
Aubrey Callwood
c. POC Organization
NICHD
d. POC Email
callwooa@mail.nih.gov
e. POC Phone
301-435-6848
7. Is this a new or existing
system?
☐ New
☒ Existing
8. Does the system have
Security Authorization
(SA)?
☒ Yes
☐ No
a. Date of Security
Authorization
11/9/2016
9. Indicate the following reason(s) for updating this PIA. Choose from the following options.
Select All that Apply:
☒ PIA Validation (PIA Refresh/Annual Review)
☐ Anonymous to Non-Anonymous
☐ New Public Access
☐ Internal Flow or Collection
☐ Commercial Sources
☐ Significant System Management Change
☐ Alteration in Character of Data
☐ New Interagency Uses
☐ Conversion
10. Describe in further detail any changes to the system that have occurred since the last PIA.
PIA review and validation as a result of implementing new biospecimen sharing functionality
11. Describe the purpose of the system.
To enable sharing of study data and biospecimens from NICHD-funded research
12. Describe the type of
information the system
will collect, maintain
(store), or share.
(Subsequent questions
will identify if this
information is PII and
ask about the specific
data elements.)
The system will collect and maintain personal information from
individuals requesting accounts to submit data and request data
and biospecimens.
13. Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.
The system maintains study research data, study research metadata, and metadata about biospecimens. The system will collect and maintain personal information from individuals requesting DASH accounts to submit data and request data and biospecimens.
14. Does the system collect,
maintain, use or share
PII?
☒ Yes
☐ No
15. Indicate the type of PII that the system will collect or maintain.
Select All that Apply:
☐ Social Security Number
☒ Name
☐ Driver License Number
☐ Mother Maiden Name
☒ E-Mail Address
☒ Phone Number
☐ Medical Notes
☐ Certificates
☐ Education Records
☐ Military Status
☐ Foreign Activities
☐ Taxpayer ID
☐ Date of Birth
☐ Photographic Identifiers
☐ Biometric Identifiers
☐ Vehicle Identifiers
☒ Mailing Address
☐ Medical Records Number
☐ Financial Account Info
☐ Legal Documents
☐ Device Identifiers
☐ Employment Status
☐ Passport Number
16. Indicate the categories of individuals about whom PII is collected, maintained or shared.
Select All that Apply:
☐ Employees
☐ Vendors/Suppliers/Contractors
☒ Public Citizens
☐ Patients
☒ Business Partners/Contacts (Federal, State, and Local Agencies)
17. How many individuals' PII is in the system?
Select One:
☐ Less than 100
☐ 100-499
☒ 500-4,999
☐ 5,000-9,999
☐ 10,000-49,999
☐ 50,000-99,999
☐ 100,000-999,999
☐ 1,000,000 or more
18. For what primary purpose is the PII used?
To identify individuals requesting data, biospecimens, or sharing data.
19. Describe the secondary uses for which the PII will be used (e.g. testing, training or research)
The data may be used in support of future initiatives.
20. Describe the function of the SSN.
n/a
a. Cite the legal authority to use the SSN.
n/a
21. Identify legal authorities governing information use and disclosure specific to the system and program.
NIH Office of General Council
22. Are records on the
system retrieved by one
or more PII data
elements?
☒ Yes
☐ No
a. Identify the number and title of the Privacy Act System of Records Notice (SORN) that is
being used to cover the system or identify if a SORN is being developed.
Published:
09-25-0200 Clinical, Basic and Population-based Research Studies of
the National Institutes of Health (NIH)
Published:
Click here to enter text.
Published:
Click here to enter text.
In Progress
☒ Yes
☐ No
23. Identify the sources of PII in the system.
Select All that Apply:
Directly from Individual:
☐ In-Person
☐ Hard Copy: Mail/Fax
☐ Email
☒ Online
☐ Other
Government Sources:
☐ Within OPDIV
☐ Other HHS OPDIV
☐ State/Local/Tribal
☐ Foreign
☐ Other Federal Entities
☐ Other
Non-Government Sources:
☒ Members of the Public
☐ Commercial Data Broker
☐ Private Sector
☐ Other
a. Identify the OMB information collection approval number and expiration date.
OMB#: 0925-0744
Expiration Date: 06/30/2019
24. Is the PII shared with other organizations?
☐ Yes
☒ No
a. Identify with whom the PII is shared or disclosed and for what purpose.
Within HHS: ☐ Yes ☒ No
Purpose: Click here to enter text.
Other Federal Agency/Agencies: ☐ Yes ☒ No
Purpose: Click here to enter text.
State or Local Agency/Agencies: ☐ Yes ☒ No
Purpose: Click here to enter text.
Private Sector: ☐ Yes ☒ No
Purpose: Click here to enter text.
b. Describe any
agreements in place
that authorizes the
information sharing
or disclosure (e.g.
Computer Matching
Agreement,
Memorandum of
Understanding
(MOU), or
Information Sharing
Agreement (ISA)).
n/a
c. Describe the
procedures for
accounting for
disclosures.
n/a
25. Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
Individuals are required to enter the information themselves.
26. Is the submission of PII
by individuals voluntary
or mandatory?
☐ Voluntary
☒ Mandatory
27. Describe the method for
individuals to opt-out of
the collection or use of
their PII. If there is no
option to object to the
information collection,
provide a reason.
The collection of information is required for the creation of an
account. Individuals may browse or search studies without
creating an account, however, in order to request or submit data,
they must enter their information and create an account.
28. Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
Email will be used for necessary notifications.
29. Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
Individuals can contact system administrators.
30. Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
Individuals have access to their profile in the system and can make any changes needed to their PII through the profile page.
31. Identify who will have access to the PII in the system and the reason why they require access.
Users: ☐ Yes ☒ No
Reason: Click here to enter text.
Administrators: ☒ Yes ☐ No
Reason: To resolve account queries or disputes, or to assist with password resets or updates and email registered users as necessary.
Developers: ☐ Yes ☒ No
Reason: Click here to enter text.
Contractors: ☐ Yes ☒ No
Reason: Click here to enter text.
Others: ☐ Yes ☒ No
Reason: Click here to enter text.
32. Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
The principles of least privileged access are applied. The system uses roles and each role has different access levels. The default role has least privilege. Approval is needed to change role.
33. Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
n/a
34. Identify training and
awareness provided to
personnel (system
owners, managers,
operators, contractors
and/or program
managers) using the
system to make them
aware of their
responsibilities for
protecting the
information being
collected and
maintained.
All system owners, managers, operators, contractors and/or program managers take annual NIH security and privacy training. Administrators are required to take role-based training which has training specific to their responsibilities.
35. Describe training system users receive (above and beyond general security and privacy awareness training).
System owners, managers, and operators are also required to take role-based training.
36. Do contracts include
Federal Acquisition
Regulation and other
appropriate clauses
ensuring adherence to
privacy provisions and
practices?
☒ Yes
☐ No
37. Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.
The PII data collected from users are retained in DASH and not destroyed since the PII is used to preserve the user’s account in DASH
38. Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.
Access to account information is provided only to authorized administrators of the system through a VPN connection using multi-factor authentication. Transactions are audited and stored. Administrative, technical and physical security controls follow NIST 800-53 rev4 which requires monthly scanning and annual re-accreditation.
39. Identify the publicly-available URL.
https://dash.nichd.nih.gov/
40. Does the website have a
posted privacy notice?
☒ Yes
☐ No
a. Is the privacy policy
available in a
machine-readable
format?
☒ Yes
☐ No
41. Does the website use
web measurement and
customization
technology?
☒ Yes
☐ No
a. Select the type of website measurement and customization technology in use and whether it is used to collect PII.
Web Beacons: In Use: ☒ Yes ☐ No; Collects PII: ☐ Yes ☒ No
Web Bugs: In Use: ☐ Yes ☒ No; Collects PII: ☐ Yes ☐ No
Session Cookies: In Use: ☐ Yes ☒ No; Collects PII: ☐ Yes ☐ No
Persistent Cookies: In Use: ☐ Yes ☒ No; Collects PII: ☐ Yes ☐ No
Other...: In Use: ☐ Yes ☒ No; Collects PII: ☐ Yes ☐ No
42. Does the website have any information or pages directed at children under the age of thirteen?
☐ Yes
☒ No
a. Is there a unique
privacy policy for the
website, and does the
unique privacy policy
address the process
for obtaining parental
consent if any
information is
collected?
☐ Yes
☒ No
43. Does the website contain
links to non-federal
government websites
external to HHS?
☐ Yes
☒ No
a. Is a disclaimer notice
provided to users that
follow external links
to websites not
owned or operated by
HHS?
☐ Yes
☒ No
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to
be filled out unless the user is an OPDIV Senior Officer for Privacy.
1. Are the questions on the
PIA answered correctly,
accurately, and
completely?
2. Does the PIA
appropriately
communicate the
purpose of PII in the
system and is the
purpose justified by
appropriate legal
authorities?
3. Do system owners
demonstrate appropriate
understanding of the
impact of the PII in the
system and provide
sufficient oversight to
employees and
contractors?
4. Does the PIA
appropriately describe
the PII quality and
integrity of the data?
5. Is this a candidate for PII
minimization?
6. Does the PIA accurately
identify data retention
procedures and records
retention schedules?
7. Are the individuals
whose PII is in the
system provided
appropriate
participation?
8. Does the PIA raise any
concerns about the
security of the PII?
9. Is applicability of the
Privacy Act captured
correctly and is a SORN
published or does it need
to be?
10. Is the PII appropriately
limited for use internally
and with third parties?
11. Does the PIA
demonstrate compliance
with all Web privacy
requirements?
12. Were any changes made
to the system because of
the completion of this
PIA?
Status and Approvals
IC Status: ☒ Approved ☐ Rejected
IC Signature: Aubrey G. Callwood -S
Digitally signed by Aubrey G. Callwood -S
Date: 2018.12.20 15:36:52 -05'00'
File Type | application/pdf |
Author | Crossland, Aaron (NIH/NICHD) [C] |
File Modified | 2018-12-20 |
File Created | 2018-12-20 |