Privacy Impact Assessment Form
v 1.47.4
Status Draft
Form Number
F-18342
Form Date
1/3/2024 9:00:24 AM
Question
Answer
1
OPDIV:
NIH
2
PIA Unique Identifier:
P-1118564-913650
2a Name:
NIH Research and Training Opportunities
General Support System (GSS)
Major Application
3
Minor Application (stand-alone)
The subject of this PIA is which of the following?
Minor Application (child)
Electronic Information Collection
Unknown
3a
Identify the Enterprise Performance Lifecycle Phase
of the system.
Operations and Maintenance
Yes
3b Is this a FISMA-Reportable system?
4
Does the system include a Website or online
application available to and for the use of the general
public?
5
Identify the operator.
6
Point of Contact (POC):
7
Is this a new or existing system?
8
Does the system have Security Authorization (SA)?
No
Yes
No
Agency
Contractor
POC Title
Director
POC Name
Patricia Wagner
POC Organization
Office of Intramural Training &
Education
POC Email
wagnerpa@od.nih.gov
POC Phone
240-476-3619
New
Existing
Yes
No
8a Date of Security Authorization
Dec 14, 2023
Page 1 of 11
9
Indicate the following reason(s) for updating this PIA.
Choose from the following options.
PIA Validation (PIA
Refresh/Annual Review)
Anonymous to NonAnonymous
New Public Access
Internal Flow or Collection
Significant System
Management Change
Alteration in Character of
Data
New Interagency Uses
Conversion
Commercial Sources
The Research and Training Opportunities System (RTO)
requires Multi-Factor Authentication for Users (general public).
10
Describe in further detail any changes to the system
that have occurred since the last PIA.
11 Describe the purpose of the system.
Describe the type of information the system will
collect, maintain (store), or share. (Subsequent
12
questions will identify if this information is PII and ask
about the specific data elements.)
Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.
RTO has a new configuration of the software - one database for all applications rather than separate databases for each application.
The Office of Intramural Training & Education (OITE) administers programs and initiatives to recruit and develop individuals who participate in research training activities on the NIH's main campus in Bethesda, Maryland, as well as other NIH facilities around the country. To facilitate its recruitment
The Research Training Opportunities (RTO) system collects information, including Personally Identifiable Information (PII), necessary (1) to evaluate the qualifications of individuals who seek intramural research training opportunities at the NIH and
Yes
14 Does the system collect, maintain, use or share PII?
15
Indicate the type of PII that the system will collect or
maintain.
No
Social Security Number
Date of Birth
Name
Photographic Identifiers
Driver's License Number
Biometric Identifiers
Mother's Maiden Name
Vehicle Identifiers
E-Mail Address
Mailing Address
Phone Numbers
Medical Records Number
Medical Notes
Financial Account Info
Certificates
Legal Documents
Education Records
Device Identifiers
Military Status
Employment Status
Foreign Activities
Passport Number
Taxpayer ID
y/n - age 18 by June 15 of the current year
y/n - age 17 by June 15 of current year
optional gender information (FARE)
Page 2 of 11
Employees
Public Citizens
16
Business Partners/Contacts (Federal, state, local agencies)
Indicate the categories of individuals about whom PII
is collected, maintained or shared.
Vendors/Suppliers/Contractors
Patients
Other NIH trainees; NIH fellows
17 How many individuals' PII is in the system?
18 For what primary purpose is the PII used?
100,000-999,999
The primary use of this information is to evaluate applicants'
qualifications for research training at the NIH, including
periodic updates to their record status.
OITE sometimes uses the email addresses provided by
applicants to send them notices regarding training
opportunities of potential interest to them.
Describe the secondary uses for which the PII will be
19
used (e.g. testing, training or research)
Other secondary uses for system PII include:
(a) Preparing appointment paperwork;
(b) Investigating possible cases of inappropriate use of the
system (e.g., violations of the NIH nepotism policy);
(c) Verifying the identity of users who contact us offline (e.g.,
by telephone) to report technical problems involving the
system;
(d) Administering the annual FARE competition.
20 Describe the function of the SSN.
n/a
20a Cite the legal authority to use the SSN.
n/a
21
Identify legal authorities governing information use and disclosure specific to the system and program.
The legal authority granted to NIH to train future biomedical scientists comes from several sources. Title 42 of the U.S. Code, Sections 241 and 282(b)(13) authorize the Director, NIH, to conduct and support research training for which fellowship support is not provided under Part 487 of the Public Health Service (PHS) Act (i.e., National Research Service Awards), and that is not residency training of physicians or other health professionals. Sections 405(b)(1)(C) of the PHS Act and 42 U.S.C. Sections 284(b)(1)(C) and 285-287 grant this same authority to the Director of each of the Institutes/Centers at NIH.
22
Are records on the system retrieved by one or more
PII data elements?
Yes
No
Page 3 of 11
Identify the number and title of the Privacy Act
System of Records Notice (SORN) that is being used
22a
to cover the system or identify if a SORN is being
developed.
Published:
OPM/GOVT-1 - General Personnel Records
OPM/GOVT-5 - Recruiting, Examining, and
Placement Records
Published:
09-25-0014 - Clinical Research: Student Records
09-25-0108 - Personnel: Guest Researchers,
Special Volunteers, and Scientists Emeriti
Published:
09-25-0158 - Administration Records of
Applicants and Awardees of the Intramural
Research Training Awards Program
In Progress
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
23
Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other
Identify the sources of PII in the system.
Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other
23a
Identify the OMB information collection approval
number and expiration date.
24 Is the PII shared with other organizations?
0925-0299, expiration May 2024
Renewal Started November 2023 (60-day Federal Register
published)
Yes
No
Page 4 of 11
Within HHS
PII may be shared with NIH Investigators and administrators
for admissions and appointment paperwork. Records may
also be disclosed to student volunteers, individuals working
under a personal services contract, and other individuals
performing functions for HHS who do not technically have
the status of agency employees, if they need the records in
the performance of their agency functions.
Other Federal
Agency/Agencies
24a
Identify with whom the PII is shared or disclosed and
for what purpose.
Disclosure may be made to the Department of Justice or to a
court or other tribunal when (a) HHS, or any component
thereof; or (b) any HHS employee in his or her official
capacity; or (c) any HHS employee in his or her individual
capacity where the Department of Justice (or HHS, where it is
authorized to do so) has agreed to represent the employee;
or (d) the United States or any agency thereof where HHS
determines that the litigation is likely to affect HHS or any of
its components, is a party to litigation or has an interest in
such litigation, and HHS determines that the use of such
records by the Department of Justice, court or other tribunal
is relevant and necessary to the litigation and would help in
the effective representation of the governmental party,
provided, however, that in each case HHS determines that
such disclosure is compatible with the purpose for which the
records were collected.
State or Local
Agency/Agencies
Disclosure may be made to a Federal, State or local agency
maintaining civil, criminal or other pertinent records, such as
current licenses, if necessary to obtain a record relevant to
an agency decision concerning the selection or retention of
a fellow.
Private Sector
Disclosure may be made to institutions providing financial
support.
24b
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).
Each GPP institutional and Individual Partnership has its own
Memorandum of Understanding (MOU) between the NIH and
the university partner. The MOUs vary in content, training
duration, and financial support arrangements. MOUs are
finalized by the NIH OITE and managed by key NIH personnel.
Page 5 of 11
The OITE confers with the key NIH administrators when
information about a trainee/fellow needs to be shared outside
the agency.
Describe the procedures for accounting for
24c
disclosures
Disclosures from RTO are unlikely to be made; however, if
Privacy Act records are disclosed, the disclosing office will
maintain an accounting, and the disclosures will be made in
accordance with the applicable SORN.
The procedures by which GPP administrators share
information with university partners and account for these
disclosures vary from program to program.
Describe the process in place to notify individuals
25 that their personal information will be collected. If
no prior notice is given, explain the reason.
26
Is the submission of PII by individuals voluntary or
mandatory?
Each collection form used by the OITE has a Privacy Act
Statement notifying individuals that their PII is collected.
Inclusion of the text and/or links ensures those completing the
form are well informed prior to entering data voluntarily.
Voluntary
Mandatory
Describe the method for individuals to opt-out of the
collection or use of their PII. If there is no option to
27
object to the information collection, provide a
reason.
There is no way for prospective applicants to opt out of the
collection or use of their PII. The applications and other forms
collect information (including PII) that is needed to evaluate
the qualifications of the individual seeking intramural research
training opportunities at the NIH.
Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
28 and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe
why they cannot be notified or have their consent
obtained.
The OITE will confer with NIH administrators and general
counsel prior to making changes in how PII is used. If there is
a modification from the original intent, then a mail-merge
message to each affected individual will be sent from the
OITE's email address.
Page 6 of 11
29
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
The RTO system relies extensively on system-generated email messages, and applicants and references can contact OITE by replying to these messages. Also, there is a link to OITE's "Contact Us" page, https://www.training.nih.gov/contact, in the page footer of every RTO form. Individuals who have concerns about their PII can use the information on this page to notify us.
The OITE will confer with key offices, including but not limited to NIH administrators, legal counsel, and ethics office, to ensure the concerns of the individual are addressed in a timely manner.
The RTO system also includes a transaction auditing module to track record changes and system activity. This module can be used by RTO administrators to investigate/confirm inappropriate or suspicious activity.
RTO system administrators have tools enabling them to modify
system data (e.g., login credentials) when a breach is suspected
and to disable/lock individual RTO users' accounts in cases
where it is determined that the user has accessed, used, or
disclosed applicant data inappropriately. In such cases, OITE
disables and locks the account immediately and notifies the
user, as well as his/her Information Systems Security Officer
(ISS) or Scientific Director (SD), who determines the
appropriate next steps.
Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
30
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.
RTO data are managed in accordance with the Federal record
retention and disposal guidelines. Typically, an application
remains in the system for one year, after which time it is
archived. Archiving procedures vary from program to
program; for some, archiving occurs once monthly, while for
others, archiving is handled manually by system
administrators. Archived applications cannot be accessed by
internal RTO users, except for system developers and
authorized OITE staff. Archived applications are generally
retained for two years after being archived (i.e., for three years
total).
System developers monitor the database and online
application processes as a routine matter to ensure the data's
integrity and availability.
Page 7 of 11
31
Identify who will have access to the PII in the system and the reason why they require access.
Users
NIH personnel who are involved in the recruitment and selection of NIH trainees. These individuals require
Administrators
OITE personnel that have view/edit access to RTO accounts, applications, reports, and administrative tools.
Developers
System developers monitor the database and online application processes as a routine matter to ensure the data's integrity and availability.
Contractors
Direct contractors and NIH IT staff who are responsible for managing/maintaining all aspects of the
Others
32
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
Determinations are made based on role-based access controls and least privilege. User rights are provisioned based on controls within the system, allowing users only access to the
The only RTO users who can create new RTO accounts are Program Coordinators and SuperAdmins. Decisions regarding who at an IC may have access to RTO are (within limits established by OITE) left up to the Program Coordinator(s) at that IC. Occasionally OITE will create the account after verifying from someone appropriately placed at the IC that the individual requesting access has a legitimate business need to access system data.
Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.
Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.
Program Coordinators can create view-only "Investigator"
accounts; SuperAdmins can create any kind of account. As a
rule, OITE will give a user elevated access within the system
only when the user needs that access to do his/her job.
By default, an Investigator account gives one read-only access
to the SIP and Postbac IRTA application pools. In cases where
it is known that a user does not require access to both
subsystems, a SuperAdmin can remove the user's access to
one, or even both, subsystems. A SuperAdmin might remove a
user's access to both subsystems if the user has agreed to serve
as a mentor to an incoming summer intern and does not
require access to the entire SIP applicant database. Authorized
users can share individual applications with another
authorized user. In these cases, the user's access to the shared
applications expires after 60 days.
According to NIH policy, all personnel who manage or operate
NIH applications must successfully complete annual security
awareness training. There are five categories of mandatory
information technology (IT) training (Information Security,
Counterintelligence, Privacy Awareness, Records Management
and Emergency Preparedness). Training is completed on the
http://irtsectraining.nih.gov site with valid NIH credentials.
Page 8 of 11
Describe training system users receive (above and
35 beyond general security and privacy awareness
training).
Do contracts include Federal Acquisition Regulation
36 and other appropriate clauses ensuring adherence to
privacy provisions and practices?
Each RTO user has access to a role-specific RTO User's Guide.
While the guides are primarily focused on how to use the
system tools, some touch on such RTO policies as who may
access the system, etc.
Yes
No
Records are maintained in RTO in accordance with the
following NIH Records Schedules:
Describe the process and guidelines in place with
37 regard to the retention and destruction of PII. Cite
specific records retention schedules.
Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.
2.1.051 – Job Vacancy Case Files – Destroy 2 years after
termination of register – DAA-GRS-2014-0002-0007
2.1.090 – Interview Records – Destroy 2 years after case is
closed by hire or non-selection, expiration of right to appeal a
non-selection, or final settlement of any associated litigation,
whichever is later. – DAA-GRS-2014-0002-0008
Administrative Controls: RTO applies role-based security to
ensure access is restricted to the appropriate user groups. All
system users are required to accept the RTO Terms of Use
every time they sign in. The Terms of Use page notes that the
system contains information that is subject to the Privacy Act;
describes the user's responsibilities regarding the safeguarding
of system data; and states that unauthorized access or use of
this system may subject violators to criminal, civil, and/or
administrative action. At any time, Program Coordinators can
disable accounts of individuals at their respective Institutes
and Centers (IC) who leave the NIH or transfer to another IC. In
addition, RTO administrators conduct a comprehensive review
of all system accounts once annually, disabling/locking those
belonging to individuals who are no longer at the NIH and
purging all dormant accounts. Also, RTO administrators
conduct periodic and ongoing monitoring of system audits
and system email traffic to identify cases of inappropriate
access to or use of the system.
Technical Controls: Access to the system is controlled by NIH
Login, which authenticates the user prior to granting access.
Access level and permissions are controlled by the system and
based on user, role, and organizational unit.
Physical Controls: The servers reside in the Office of
Information Technology (OIT) hosting facility, where policies
and procedures are in place to restrict access to the machines.
This includes guards at the front door and entrance to the
machine room.
Page 9 of 11
39 Identify the publicly-available URL:
Summer Internship Program (series of subprograms) https://www2.training.nih.gov/transfer/SIPApp
Undergraduate Scholarship Program https://www2.training.nih.gov/transfer/UGSPApp
Postbaccalaureate IRTA Training Program https://www2.training.nih.gov/transfer/PBTApp
Graduate Partnerships Program https://www2.training.nih.gov/transfer/GPPApp
Fellows Award for Research Excellence (FARE) https://www2.training.nih.gov/transfer/fareapp
Yes
40 Does the website have a posted privacy notice?
No
40a
Is the privacy policy available in a machine-readable
format?
Yes
41
Does the website use web measurement and
customization technology?
Yes
No
No
Technologies
Yes
Web beacons
No
Yes
Web bugs
41a
Select the type of website measurement and customization technologies in use and whether each is used to collect PII. (Select all that apply)
Collects PII?
No
Session Cookies
Persistent Cookies
Yes
No
Yes
No
Yes
Other...
No
42
Does the website have any information or pages
directed at children under the age of thirteen?
Yes
43
Does the website contain links to non-federal government websites external to HHS?
Yes
Is a disclaimer notice provided to users that follow
43a external links to websites not owned or operated by
HHS?
Yes
General Comments
No
No
No
This component is under the Office of the Director General Support System (OD GSS), whose Universal
Unique Identifier (UUID) is: 2092B382-A4F2-4FD5-A93E-1857E18B771E.
Page 10 of 11
OPDIV Senior Official for Privacy Signature
Dustin B. Close -S
Digitally signed by Dustin B. Close -S
Date: 2024.01.03 10:39:30 -05'00'
Page 11 of 11
Privacy Impact Assessment Form
v 1.47.4
Status Draft
Form Number
F-97961
Form Date
1/3/2024 9:00:13 AM
Question
Answer
1
OPDIV:
NIH
2
PIA Unique Identifier:
P-8646487-112495
2a Name:
Research Training Programs Web Site
General Support System (GSS)
Major Application
3
Minor Application (stand-alone)
The subject of this PIA is which of the following?
Minor Application (child)
Electronic Information Collection
Unknown
3a
Identify the Enterprise Performance Lifecycle Phase
of the system.
Operations and Maintenance
Yes
3b Is this a FISMA-Reportable system?
4
Does the system include a Website or online
application available to and for the use of the general
public?
5
Identify the operator.
6
Point of Contact (POC):
7
Is this a new or existing system?
8
Does the system have Security Authorization (SA)?
No
Yes
No
Agency
Contractor
POC Title
Director
POC Name
Patricia Wagner
POC Organization
Office of Intramural Training &
Education
POC Email
wagnerpa@od.nih.gov
POC Phone
240-476-3619
New
Existing
Yes
No
8a Date of Security Authorization
Dec 14, 2023
Page 1 of 11
9
Indicate the following reason(s) for updating this PIA.
Choose from the following options.
PIA Validation (PIA
Refresh/Annual Review)
Anonymous to NonAnonymous
New Public Access
Internal Flow or Collection
Significant System
Management Change
Alteration in Character of
Data
New Interagency Uses
Conversion
Commercial Sources
10
Describe in further detail any changes to the system
that have occurred since the last PIA.
11 Describe the purpose of the system.
Describe the type of information the system will
collect, maintain (store), or share. (Subsequent
12
questions will identify if this information is PII and ask
about the specific data elements.)
Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.
14 Does the system collect, maintain, use or share PII?
15
Indicate the type of PII that the system will collect or
maintain.
There have been no substantive changes to the system since the last Privacy Impact Assessment (PIA) was submitted.
The purpose of the NIH Research Training Programs (RTP) website, https://www.training.nih.gov, is to provide access to the training opportunities and support services provided by
Account information: User's name, user credentials (email address and password), phone numbers, mailing address (Campus and Institute/Center), education records, NIH Enterprise Directory (NED) ID and employment status
Yes
No
Social Security Number
Date of Birth
Name
Photographic Identifiers
Driver's License Number
Biometric Identifiers
Mother's Maiden Name
Vehicle Identifiers
E-Mail Address
Mailing Address
Phone Numbers
Medical Records Number
Medical Notes
Financial Account Info
Certificates
Legal Documents
Education Records
Device Identifiers
Military Status
Employment Status
Foreign Activities
Passport Number
Taxpayer ID
NED ID
User Credentials
Page 2 of 11
Employees
Public Citizens
16
Business Partners/Contacts (Federal, state, local agencies)
Indicate the categories of individuals about whom PII
is collected, maintained or shared.
Vendors/Suppliers/Contractors
Patients
Other NIH trainees; NIH fellows
17 How many individuals' PII is in the system?
18 For what primary purpose is the PII used?
50,000-99,999
To administer Office of Intramural Training and Education
(OITE) events and services, limiting access to restricted
resources (e.g., NIH-only events, appointments with OITE
career counselors), as appropriate.
Track where the NIH-IRP trainees go once they leave the NIH;
Provide networking opportunities for current trainees, NIH
staff, and program alumni;
Identify individuals who are willing to serve as event speakers
or contacts for OITE staff organizing training events;
19
Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)
Collect applicant data, including letters of recommendation, to
supplement information collected via OITE's online application
system (RTO);
Assess the diversity of various user groups (applicants and
current trainees);
Enhance the experience of program participants (e.g., by
creating personalized certificates for children of NIH staff who
participate in Take Your Child to Work Day events).
20 Describe the function of the SSN.
N/A
20a Cite the legal authority to use the SSN.
N/A
21
Identify legal authorities governing information use and disclosure specific to the system and program.
The legal authority granted to NIH to train future biomedical scientists comes from several sources. Title 42 of the U.S. Code, Sections 241 and 282(b)(13) authorize the Director, NIH, to conduct and support research training for which fellowship support is not provided under Part 487 of the Public Health Service (PHS) Act (i.e., National Research Service Awards), and that is not residency training of physicians or other health professionals. Sections 405(b)(1)(C) of the PHS Act and 42 U.S.C. Sections 284(b)(1)(C) and 285-287 grant this same authority to the Director of each of the Institutes/Centers at NIH.
22
Are records on the system retrieved by one or more
PII data elements?
Yes
No
Page 3 of 11
Identify the number and title of the Privacy Act
System of Records Notice (SORN) that is being used
22a
to cover the system or identify if a SORN is being
developed.
Published:
OPM/GOVT-1 - General Personnel Records;
OPM/GOVT-5 - Recruiting, Examining, and
Placement Records
Published:
09-90-0020 - Suitability for Employment
Records, HHS/OS/ASPER; 09-25-0014 - Clinical
Research: Student Records, HHS/NIH/OD/OIR/
Published:
09-25-0140 - International Activities:
International Scientific Researchers in Intramural
Laboratories at the National Institutes of Health,
In Progress
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
23
Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other
Identify the sources of PII in the system.
Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other
23a
Identify the OMB information collection approval
number and expiration date.
24 Is the PII shared with other organizations?
0925-0299 (Expiration Date: May 2024)
Renewal in-progress
Yes
No
Page 4 of 11
Within HHS
PII may be shared with NIH Investigators and administrators
for admissions and appointment paperwork. Records may
also be disclosed to student volunteers, individuals working
under a personal services contract, and other individuals
performing functions for HHS who do not technically have
the status of agency employees, if they need the records in
the performance of their agency functions.
Other Federal
Agency/Agencies
24a
Identify with whom the PII is shared or disclosed and
for what purpose.
Disclosure may be made to the Department of Justice or to a
court or other tribunal when (a) HHS, or any component
thereof; or (b) any HHS employee in his or her official
capacity; or (c) any HHS employee in his or her individual
capacity where the Department of Justice (or HHS, where it is
authorized to do so) has agreed to represent the employee;
or (d) the United States or any agency thereof where HHS
determines that the litigation is likely to affect HHS or any of
its components, is a party to litigation or has an interest in
such litigation, and HHS determines that the use of such
records by the Department of Justice, court or other tribunal
is relevant and necessary to the litigation and would help in
the effective representation of the governmental party,
provided, however, that in each case HHS determines that
such disclosure is compatible with the purpose for which the
records were collected.
State or Local
Agency/Agencies
Disclosure may be made to a Federal, State or local agency
maintaining civil, criminal or other pertinent records, such as
current licenses, if necessary to obtain a record relevant to
an agency decision concerning the selection or retention of
a fellow.
Private Sector
Disclosure may be made to institutions providing financial
support. Also, responses to the "Amgen Scholars Program at
NIH - Supplemental Application" survey are shared with the
corporate sponsor that provides financial support for that
program.
24b
Describe any agreements in place that authorize the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).
There are Memorandums of Understanding between NIH and graduate universities for the Institutional Partnerships and Individual Partnerships.
Page 5 of 11
24c
Describe the procedures for accounting for
disclosures
Disclosures from RTP are unlikely to be made; however, if
Privacy Act records are disclosed, the disclosing office will
maintain an accounting, and the disclosures will be made in
accordance with the applicable System of Records Notice
(SORN). The OITE will confer with the NIH Senior Official for
Privacy and other key NIH administrators if RTP system data
involving PII need to be disclosed.
25
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
The footer of every RTP page includes a link to our Privacy Notice, which says in part:
We maintain and dispose of electronically submitted information in accordance with the Federal Records Act (44 U.S.C. Chapter 31) and records schedules of the National Archives and Records Administration. Information may be subject to disclosure in certain cases (for example, if authorized by a Privacy Act System of Records Notice).
If you apply to one of our training programs and your application becomes part of a record system designed to retrieve PII about you by personal identifier (name, e-mail address, mailing address, phone number, etc.), we will safeguard the information you provide to us in accordance with the Privacy Act of 1974, as amended (5 U.S.C. Section 552a). We prominently display a Privacy Act Notification Statement on any form which asks you to provide personally identifiable information.
26
Is the submission of PII by individuals voluntary or mandatory?
Voluntary
Mandatory
27
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
Submission of personal information is voluntary; however, in order to access certain information (e.g., the Alumni Database), services (e.g., making an appointment with a career counselor), and admission consideration for certain training programs, users must complete all required fields.
28
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
At present, there is no process in place to notify and obtain consent from individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection). If there were a modification from the original intent, OITE would confer with key offices, including but not limited to the NIH Senior Official for Privacy, to determine the appropriate course of action. If deemed appropriate, OITE would notify each affected individual using the email address on record.
29 Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
The RTP system relies extensively on system-generated email messages, and registered users can in many cases contact OITE by replying to these messages. Also, the page footer of every RTP page includes a link to OITE's "Contact Us" page, https://www.training.nih.gov/contact. Individuals who have concerns about their PII can use the information on this page to notify us.
The OITE will confer with key offices, including but not limited to the NIH Senior Official for Privacy, to ensure the concerns of the individual are addressed in a timely manner.
The RTP system also includes a transaction auditing module to track record changes and system activity. This module can be used by RTP administrators to investigate/confirm inappropriate or suspicious activity.
RTP system administrators have tools enabling them to monitor system activity when a breach is suspected and to disable/archive individual RTP users' accounts in cases where it is determined that an unauthorized person has accessed, used, or disclosed applicant data.
All system users have access to tools to manage their passwords if they suspect that someone has accessed their data through this system.
30 Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
The contractor who maintains the RTP system, Symplicity Corp., monitors the database and system processes as a routine matter to ensure the data's integrity and availability. Also, OITE system staff informally monitor this in their day-to-day use of the system tools. There is no general process in place to ensure the accuracy and relevancy of the data, as there is no feasible way to do so. That said, the system does have business rules in place that ensure the email address provided by a new user is accurate in the sense of being accessible by that individual. The system sends an account activation link to the email address provided when a new user registers for an account. The user cannot sign in until he/she activates the account.
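The activation-link control described in the answer to question 30 only proves control of a mailbox if the token in the link is unguessable, expires, and can be used once. The following is an added example written for this page, not code from the RTP system or from Symplicity Corp.; the token lifetime, the in-memory account table, the `/activate` endpoint path and all function names are assumptions. It keeps only a hash of the token at rest, compares digests in constant time, and rejects wrong, replayed and expired tokens, which is what makes "the user cannot sign in until the account is activated" a meaningful statement.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Assumed lifetime of an activation link, in seconds (not stated on the page).
ACTIVATION_TTL = 24 * 60 * 60
# Hypothetical activation endpoint; the real RTP path is not given on the page.
ACTIVATION_ENDPOINT = "https://www.training.nih.gov/activate"


@dataclass
class Account:
    email: str
    activated: bool = False
    # Only a SHA-256 digest of the token is kept, so a copied table row
    # cannot be turned back into a working activation link.
    token_hash: Optional[bytes] = None
    token_expires: float = 0.0


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


class Registry:
    """In-memory stand-in for the account table (assumption for the example)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, email: str, now: float) -> str:
        """Create an unactivated account and return the one-time token that
        would be mailed to `email`. The plaintext token exists only in the
        outgoing message; the store keeps its hash and an expiry."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.accounts[email.lower()] = Account(
            email=email,
            token_hash=_digest(token),
            token_expires=now + ACTIVATION_TTL,
        )
        return token

    def activate(self, email: str, token: str, now: float) -> bool:
        """Consume the token: succeeds once, within the TTL, for the right
        account. Every failure path returns a plain False so the response
        does not reveal which check failed."""
        acct = self.accounts.get(email.lower())
        if acct is None or acct.activated or acct.token_hash is None:
            return False
        if now > acct.token_expires:
            return False
        # Constant-time comparison of the digests.
        if not hmac.compare_digest(_digest(token), acct.token_hash):
            return False
        acct.activated = True
        acct.token_hash = None                     # single use: discard the hash
        return True

    def can_sign_in(self, email: str) -> bool:
        acct = self.accounts.get(email.lower())
        return acct is not None and acct.activated


def activation_link(email: str, token: str) -> str:
    """Build the URL placed in the activation e-mail (endpoint is assumed)."""
    return ACTIVATION_ENDPOINT + "?" + urlencode({"email": email, "token": token})


def demo() -> dict[str, bool]:
    """Walk the normal and failure paths on constructed data; each value is
    the return of the call named by its key."""
    reg = Registry()
    t0 = 1_700_000_000.0                           # arbitrary fixed clock
    token = reg.register("applicant@example.org", t0)
    results = {
        "can_sign_in_before": reg.can_sign_in("applicant@example.org"),
        "activate_wrong_token": reg.activate("applicant@example.org", "not-the-token", t0 + 60),
        "activate_valid_token": reg.activate("applicant@example.org", token, t0 + 60),
        "activate_replay": reg.activate("applicant@example.org", token, t0 + 120),
        "can_sign_in_after": reg.can_sign_in("applicant@example.org"),
    }
    # A second registration whose link is only followed after it has expired.
    late = reg.register("late@example.org", t0)
    results["activate_expired"] = reg.activate(
        "late@example.org", late, t0 + ACTIVATION_TTL + 1)
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Two design points carry most of the weight: the token is generated from the OS CSPRNG rather than derived from the email address or a timestamp, and the database never holds the plaintext, so a database read (the very event the auditing module in question 29 exists to detect) does not hand an attacker a set of valid activation links.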
31 Identify who will have access to the PII in the system and the reason why they require access.
Users: To modify/update their profile data and change their account preferences.
Administrators: To (1) generate reports for program evaluation purposes; (2) ensure data integrity/accuracy/etc.; (3) maintain [garbled].
Developers: To ensure proper functioning of the system and assist OITE with technical issues.
Contractors: Direct and Non-Direct contractors. To support Administrators and Developers.
Others: Registered NIH Trainees, NIH Staff, and Alumni have access to the Alumni Database, for career networking.
32 Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
Determinations are made based on role-based access controls and least privilege. User rights are provisioned based on controls within the system, allowing users only access to the
33 Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
When creating and editing system staff accounts, OITE System Admins assign roles based on each individual's job duties, using the principle of least privilege. The system allows System Admins to assign multiple roles to users when necessary and appropriate, and to remove individual rights in most cases. This gives OITE the ability to control staff members' access to PII in a fine-grained way. OITE occasionally reviews system staff accounts and adds/removes roles and rights, as appropriate.
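The access model in the answers to questions 32 and 33 has three moving parts: rights come from roles, an account may hold several roles, and an admin can strip an individual right that a role would otherwise grant. The example below is added for this page and is not code from RTP or Symplicity; the role catalogue, right names and job profiles are assumptions. It computes effective rights as the union of the roles minus any revoked rights, treats a disabled (archived) account as having no rights at all, and includes the kind of periodic-review check the answer to question 33 mentions: which accounts hold rights beyond what their job profile needs.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed role catalogue; the page names roles only in general terms.
ROLE_RIGHTS: dict[str, frozenset[str]] = {
    "user":         frozenset({"profile:self:update"}),
    "reporting":    frozenset({"report:generate", "applicant:read"}),
    "data_steward": frozenset({"applicant:read", "applicant:update"}),
    "system_admin": frozenset({"account:manage", "audit:read", "applicant:read"}),
}


@dataclass
class StaffAccount:
    name: str
    roles: set[str] = field(default_factory=set)
    # Individual rights a System Admin has removed from this account even
    # though one of its roles would otherwise grant them.
    revoked: set[str] = field(default_factory=set)
    active: bool = True


def assign_role(acct: StaffAccount, role: str) -> None:
    # Fail closed on an unknown role rather than silently granting nothing.
    if role not in ROLE_RIGHTS:
        raise ValueError(f"unknown role: {role}")
    acct.roles.add(role)


def revoke_right(acct: StaffAccount, right: str) -> None:
    acct.revoked.add(right)


def effective_rights(acct: StaffAccount) -> frozenset[str]:
    """Union of the account's roles, minus individually revoked rights;
    a disabled (archived) account keeps none."""
    if not acct.active:
        return frozenset()
    granted: set[str] = set()
    for role in acct.roles:
        granted |= ROLE_RIGHTS[role]
    return frozenset(granted - acct.revoked)


def authorize(acct: StaffAccount, right: str) -> bool:
    """The check every PII-touching operation would call before proceeding."""
    return right in effective_rights(acct)


def over_privileged(accounts: list[StaffAccount],
                    expected: dict[str, frozenset[str]]) -> dict[str, frozenset[str]]:
    """Periodic-review helper: rights each account holds beyond what its job
    profile (`expected`, keyed by account name) requires."""
    excess: dict[str, frozenset[str]] = {}
    for acct in accounts:
        extra = effective_rights(acct) - expected.get(acct.name, frozenset())
        if extra:
            excess[acct.name] = extra
    return excess


def demo() -> dict:
    """Constructed accounts exercising multiple roles, a revoked right,
    a disabled account and the review check."""
    analyst = StaffAccount("analyst")
    assign_role(analyst, "reporting")
    steward = StaffAccount("steward")
    assign_role(steward, "reporting")
    assign_role(steward, "data_steward")
    revoke_right(steward, "applicant:update")      # fine-grained removal
    former = StaffAccount("former", roles={"system_admin"}, active=False)
    expected = {                                   # assumed job profiles
        "analyst": frozenset({"report:generate", "applicant:read"}),
        "steward": frozenset({"applicant:read"}),
    }
    return {
        "analyst_can_report": authorize(analyst, "report:generate"),
        "analyst_can_update": authorize(analyst, "applicant:update"),
        "steward_can_update": authorize(steward, "applicant:update"),
        "steward_can_read": authorize(steward, "applicant:read"),
        "former_can_read": authorize(former, "applicant:read"),
        "excess": over_privileged([analyst, steward, former], expected),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The review helper is the part worth keeping in a real deployment: "occasionally reviews" is only auditable if the expected rights per job profile are written down somewhere the review can diff against, and the steward account above is exactly the case that drifts (a second role added for a task, never removed).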
34 Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.
According to NIH policy, all personnel who manage or operate NIH applications must successfully complete annual security awareness training. There are five categories of mandatory information technology (IT) training (Information Security, Counterintelligence, Privacy Awareness, Records Management and Emergency Preparedness). Training is completed on the http://irtsectraining.nih.gov site with valid NIH credentials.
35 Describe training system users receive (above and beyond general security and privacy awareness training).
N/A
36 Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?
Yes / No
37 Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.
Records are maintained within RTP for a time based on the type of data, in accordance with NARA record retention schedules:
2.1.060 - Job Application Packages: Destroy 1 year after date of submission. (Applications)
3.2.030 - System Access Records: Destroy when business use ceases. (RTP Accounts - user profiles, login files, password files, audit trails, etc.)
3.2.031 - System Access Records: Destroy 6 years after password is altered or user account is terminated, but longer retention is authorized if required for business use. (RTP Accounts - user profiles, login files, password files, audit trails, etc.)
3.2.041 - System Backups and Tape Library Records: Destroy when second subsequent backup is verified as successful or when no longer needed for system restoration, whichever is later. (RTP Backups)
5.1.030 - Records of Non-Mission Related Internal Agency Committees: Destroy when business use ceases. (Alumni Database, Memberships, MyOITE)
38 Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.
Administrative Controls: OITE staff access system data via a password-protected Content Management System. Other users can access their own account information or other restricted resources (e.g., the Alumni Database) by providing valid system login credentials of the proper type. RTP applies role-based security to ensure access is restricted to the appropriate user groups. At any time, System Admins can manually disable accounts of individuals who have left the NIH or no longer require access to the site.
Technical Controls: Access to the system is controlled by login name and password. Access level and permissions are controlled by the system and based on user, role, and account status. Also, OITE is in the process of implementing strong password requirements across the site, for both internal and external users. This update will be complete by late November 2019.
Physical Controls: The RTP system is hosted in the cloud, through Amazon Web Services (AWS). The contractor who maintains the RTP system, Symplicity Corp., uses Amazon Aurora for its database needs. Amazon Aurora provides multiple levels of security at the database level. These include network isolation using Amazon Virtual Private Cloud (VPC), encryption at rest using keys created and controlled through AWS Key Management Service and encryption of data in transit using Secure Sockets Layer (SSL). On an encrypted Amazon Aurora instance, data in the underlying storage is encrypted, as are the automated backups, snapshots, and replicas in the same cluster. Communications between application and database are limited to the OITE network segment and are never exposed to a public network.
Connections to the database server are made using accounts with only the access level necessary for that connection. Connections needing only read access to data, such as users browsing postings, are made using a database account with only read access to the specific database table they'll be reading. Similarly, update connections are made through connections granted write access only to those databases and tables they need access to.
39 Identify the publicly-available URL:
https://www.training.nih.gov/
40 Does the website have a posted privacy notice?
Yes / No
40a Is the privacy policy available in a machine-readable format?
Yes / No
41 Does the website use web measurement and customization technology?
Yes / No
41a Select the type of website measurement and customization technologies in use and if it is used to collect PII. (Select all that apply)
Technologies | Collects PII?
Web beacons | Yes / No
Web bugs | Yes / No
Session Cookies | Yes / No
Persistent Cookies | Yes / No
Other: the 'awstats' open source log file analyzer, used to parse Apache access logs | Yes / No
42 Does the website have any information or pages directed at children under the age of thirteen?
Yes / No
43 Does the website contain links to non-federal government websites external to HHS?
Yes / No
43a Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?
Yes / No
General Comments
This component is under the OD GSS, whose Universal Unique Identifier (UUID) is: 2092B382-A4F2-4FD5A93E-1857E18B771E.
OPDIV Senior Official for Privacy Signature
Dustin B. Close -S
Digitally signed by Dustin B. Close -S
Date: 2024.01.03 12:07:47 -05'00'
File Type | application/pdf |
File Title | NIH Research and Training Opportunities 1-3-2024 SOP Approved.pdf |
Author | wangph |
File Modified | 2024-01-03 |
File Created | 2024-01-03 |