Privacy Impact Assessment Form
v 1.21
Status:
Form Number:
Form Date: 02/23/24

1. OPDIV: CDC
2. PIA Unique Identifier: TBD
2a. Name: Caring for Individuals with Congenital Heart Defects (CHD), Mus
3. The subject of this PIA is which of the following? (options: General Support System (GSS) / Major Application / Minor Application (stand-alone) / Minor Application (child) / Electronic Information Collection / Unknown)
3a. Identify the Enterprise Performance Lifecycle Phase of the system. Answer: Operations and Maintenance
3b. Is this a FISMA-Reportable system? (options: Yes / No)
4. Does the system include a Website or online application available to and for the use of the general public? (options: Yes / No)
5. Identify the operator. (options: Agency / Contractor)
6. Point of Contact (POC):
   POC Title: Health Scientist
   POC Name: Shannon Moss
   POC Organization: NCBDDD
   POC Email: sez7@gmail.com
   POC Phone: 404.639.1314
7. Is this a new or existing system? (options: New / Existing)
8. Does the system have Security Authorization (SA)? (options: Yes / No)
8b. Planned Date of Security Authorization: Not Applicable
Page 1 of 9
8c. Briefly explain why security authorization is not required.
9. Indicate the following reason(s) for updating this PIA. Choose from the following options. (options: PIA Validation (PIA Refresh/Annual Review) / Anonymous to NonAnonymous / New Public Access / Internal Flow or Collection / Significant System Management Change / Alteration in Character of Data / New Interagency Uses / Conversion / Commercial Sources / PRA)
10. Describe in further detail any changes to the system that have occurred since the last PIA. Answer: N/A
11. Describe the purpose of the system.
Answer: The National Center on Birth Defects and Developmental Disabilities (NCBDDD) performs surveillance and research for birth defects, including congenital heart defects (CHD), muscular dystrophies (MD), and spina bifida (SB). NCBDDD has a requirement for the implementation of focus groups to collect qualitative information on the experiences of persons with CHD, MD, and SB (and in some instances, their caregivers). This requirement is needed to address gaps in the literature, inform future surveillance, research, and data collection, and gather patient and caregiver perspectives that may be shared with clinicians and inform clinical care.
The objective of this project is to conduct 46 focus groups to obtain firsthand perspectives on the types of care adults (18 years and older) with MD, SB, and CHD receive with a special focus on: medical care (including specialist care) and barriers and facilitators to accessing, receiving, or reengaging in care; experiences around the transition from pediatric to adult care; experiences with clinics that provide care according to specific care considerations; and the journey to diagnosis. Also, for MD and SB, perspectives will be gathered from caregivers of children with specific condition types. Each focus group shall be virtual (i.e., conducted using chat and recording-enabled videoconferencing software), include a minimum of 5 and maximum of 8 participants, and last 90 minutes.
A third-party web-based screening survey tool will be used to determine the eligibility of adults interested in participating in the focus groups and invite them to participate in a focus group. The transcripts from the focus groups will be compiled by condition type. The data will be analyzed, and results will be shared in peer-reviewed publications, national and local meetings, and with public health partners focused on adults with CHD, MD, or SB. Data from this project will enable federal, state, and local governments and organizations to understand the perceived barriers to specialty care for adults with CHD, MD, and SB, allocate resources, and establish programs accordingly.
All data maintained by the contractor will be destroyed at the
end of the project. Project period is 3 years.
12. Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)
Answer:
1. CHD recruitment list will be provided to contractor by CDC: will include name and contact information. The contractor will provide updated contact information to the CDC.
2. CHD, MD, and SB screening/recruitment (collected/maintained by contractor): will include demographics, healthcare utilization, health status, insurance status/type, urban/rural status, employment status, annual household income, defect type, email (only for eligible individuals).
3. Focus Groups (Information collected/maintained by contractor): will include transcript of 90-minute virtual focus group and demographics for each virtual focus group.
The contractor will obtain contact information (name, email, phone, mailing address) during recruitment for MD and SB focus groups. This information will not be shared with the CDC. The CDC will provide contact information (name, email, mailing address) from another system (formerly CH-STRONG) participants that consented to follow-up. The contractor will use this CDC provided list of individuals to track and trace current contact information and then recruit for CHD focus group participation. The contractor will send CDC the updated contact information and notify them of those on the list that will participate in the CHD focus groups.
13. Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.
Answer: The focus group screening tools will collect the following information: race/ethnicity, preferred language of communication, age in years, sex, state of residence, urban/rural status, employment, annual household income, education level, insurance status/type, healthcare utilization, defect type, name, email, phone number. The information collected on the screening instrument will only be shared with the CDC in aggregate reports.
The focus group sessions will be recorded, transcribed, and analyzed by the contractors, and reports will be generated for each focus group and by overall themes by defect type. All data from the focus group sessions will be deidentified when sent to the CDC.
14. Does the system collect, maintain, use or share PII? (options: Yes / No)
15. Indicate the type of PII that the system will collect or maintain. (options: Social Security Number / Date of Birth / Name / Photographic Identifiers / Driver's License Number / Biometric Identifiers / Mother's Maiden Name / Vehicle Identifiers / E-Mail Address / Mailing Address / Phone Numbers / Medical Records Number / Medical Notes / Financial Account Info / Certificates / Legal Documents / Education Records / Device Identifiers / Military Status / Employment Status / Foreign Activities / Passport Number / Taxpayer ID)
Additional entries listed: Sex/Gender, Race/Ethnicity, Education level, Age, Defect Type
16. Indicate the categories of individuals about whom PII is collected, maintained or shared. (options: Employees / Public Citizens / Business Partners/Contacts (Federal, state, local agencies) / Vendors/Suppliers/Contractors / Patients / Other)
17. How many individuals' PII is in the system? Answer: 500-4,999
18. For what primary purpose is the PII used? Answer: PII will only be used by the contractor to track and trace, and recruit individuals for participation in the focus groups. Focus Group responses and demographics will be deidentified and shared with the CDC in aggregate form. All PII and other data maintained by the contractor will be destroyed by the contractor at the end of the project.
19. Describe the secondary uses for which the PII will be used (e.g. testing, training or research). Answer: Not applicable
20. Describe the function of the SSN. Answer: Not applicable
20a. Cite the legal authority to use the SSN. Answer: Not applicable
21. Identify legal authorities governing information use and disclosure specific to the system and program. Answer: Not applicable
22. Are records on the system retrieved by one or more PII data elements? (options: Yes / No)
23. Identify the sources of PII in the system.
Directly from an individual about whom the information pertains (options: In-Person / Hard Copy: Mail/Fax / Email / Online / Other)
Government Sources (options: Within the OPDIV / Other HHS OPDIV / State/Local/Tribal / Foreign / Other Federal Entities / Other)
Non-Government Sources (options: Members of the Public / Commercial Data Broker / Public Media/Internet / Private Sector / Other)
23a. Identify the OMB information collection approval number and expiration date. Answer: Pending submission of 30-days package
24. Is the PII shared with other organizations? (options: Yes / No)
25. Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
Answer: CDC participants listing that have consented are contacted to participate in a focus group or interview. Participants may refuse to answer any question for any reason, and may also stop participating at any time, for any reason, without penalty. The participants will also be provided a name, email, and phone number of a project coordinator, if they have additional questions or wish to opt-out of the project.
26. Is the submission of PII by individuals voluntary or mandatory? (options: Voluntary / Mandatory)
27. Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
Answer: The mailer and screening tool states that “Participation in the focus group or interview is voluntary and participants may refuse to answer any question for any reason, and may also stop participating at any time, for any reason, without penalty”. The participants will also be provided a name, email, and phone number of a project coordinator, if they have additional questions or wish to opt-out of the project.
28. Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
Answer: The contractor will be responsible for notifying participants of major changes to the use of participant data, if changes are made. The contractor may use differing methods to communicate this information to focus group participants.
29. Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
Answer: Potential and participating individuals who have concerns about the use/misuse/inaccuracy of their PII can contact the contractor and request for the information to be corrected or withdrawn. A name, email, and phone number of a project coordinator will be provided on the screening tool along with any mailing or email communications. Participants at any point in the project and after can request to be removed from the project.
30. Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
Answer:
Integrity: Inaccurate or irrelevant information (e.g., incorrect email addresses or phone numbers from the CHD list or screener data) will be removed from the system in year 1 and will be reviewed again for accuracy and integrity on an annual basis in years 2 and 3.
Availability: Aside from the CHD contact list, which will be provided to the contractor by CDC, the data collected for this project are based on participant response.
Accuracy: The contractor will perform tracking and tracing to confirm vital status and contact information for individuals on the CHD list annually in years 1 and 2. For the focus group transcripts, the contractor will use transcribing software. Contract staff will review the final transcripts for accuracy and removal of any PII prior to submission to CDC annually in years 2 and 3.
Relevancy: Only PII that is needed of study participants will be maintained in the system. All PII and data maintained by the contractor will be destroyed at the end of the project.
31. Identify who will have access to the PII in the system and the reason why they require access. (options: Users / Administrators / Developers / Contractors / Others)
Contractors: Indirect contractor; is a prime contractor help perform screening/
32. Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
Answer: All individuals who have access to PII must receive prior mandatory ethics training, assurance of confidentiality training, and any additional CDC training as outlined in the task order. Within 30 days of the contract award, the contractor and contractor employees submitted Non-Disclosure Agreements (NDA) to the CDC Contracting Officer.
33. Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
Answer: Staff from the contract team will only have access to servers and data files containing information that is relevant to their tasks. Specifically, demographic information and contact information will be stored separately and available only to staff with a legitimate need for that information. Contact information will only be available to recruitment staff at the contractor’s vendors, and only in the context of their role in scheduling focus groups and distribution of incentives to those who participated in the focus groups. At no point will CDC or the contractor access or store participants’ contact information.
34. Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.
Answer: The contract team is required to complete the following training:
• HHS/CDC Contractor Information Security Awareness, Privacy, and Records Management training: To be completed before performing work on the contract and then annually for the life of the contract.
• Role-based Training: To be completed by contract staff with significant security responsibilities, in accordance with HHS policy and the HHS Role-Based Training of Personnel with Significant Security Responsibilities Memorandum.
The contract team is required to provide documentation of completed training to the CDC Contracting Officer’s Representative (COR).
35. Describe training system users receive (above and beyond general security and privacy awareness training).
Answer: In addition to mandatory information security-related training upon hiring for new staff and annual ‘Code of Conduct’ training on security, privacy, and confidentiality, the contractor provides on-demand training to team members assigned to projects that may involve data classified as restricted (i.e., personal information, financial information, regulated data, etc.). Also, software engineers who contribute code to any project are required to complete training for Secure Software Delivery (e.g., courses in Foundations of Software Security, Software Security Testing & Remediation, Network & Database Security, etc.).
36. Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? (options: Yes / No)
37. Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.
Answer: As part of contract closeout and at expiration of the contract, the contractor team must provide documentation to the CDC COR to certify that all electronic and paper records are appropriately disposed of and all devices and media are sanitized in accordance with NIST SP 800-88, Guidelines for Media Sanitization. The contractor team will destroy all focus group audio recordings, notes, transcriptions, and data files at the end of contract. Any physical record will be shredded and professionally disposed of with a secure disposal company. For electronic records, the contractor team will execute the record disposal while observed by their parent company. After disposal, the parent company will provide a Certificate of Data Destruction to the CDC COR.
38. Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.
Answer:
Administrative: No one outside of the contractor will have access to the data saved on the contractor’s secure server. All files containing PII will be secured with a password, which will only be provided to those with a legitimate need to access these files for use in this project.
Technical: Any files containing participant PII will be both password-protected and encrypted for safe storage on the contractor’s secure cloud-based Microsoft SharePoint server.
Physical: All project files, including but not limited to screening data, focus group audio recordings, transcriptions, code books, data files, and summary reports, will be saved on the contractor’s secure server. In addition, the contractor uses organizational measures to prevent unauthorized persons from gaining access to facilities where any sensitive data are processed (e.g., access control system [ID reader], door locking, security staff, etc.).
REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions
1. Are the questions on the PIA answered correctly, accurately, and completely? Answer (options: Yes / No). Reviewer Notes:
2. Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities? Answer (options: Yes / No). Reviewer Notes:
3. Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors? Answer (options: Yes / No). Reviewer Notes:
4. Does the PIA appropriately describe the PII quality and integrity of the data? Answer (options: Yes / No). Reviewer Notes:
5. Is this a candidate for PII minimization? Answer (options: Yes / No). Reviewer Notes:
6. Does the PIA accurately identify data retention procedures and records retention schedules? Answer (options: Yes / No). Reviewer Notes:
7. Are the individuals whose PII is in the system provided appropriate participation? Answer (options: Yes / No). Reviewer Notes:
8. Does the PIA raise any concerns about the security of the PII? Answer (options: Yes / No). Reviewer Notes:
9. Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be? Answer (options: Yes / No). Reviewer Notes:
10. Is the PII appropriately limited for use internally and with third parties? Answer (options: Yes / No). Reviewer Notes:
11. Does the PIA demonstrate compliance with all Web privacy requirements? Answer (options: Yes / No). Reviewer Notes:
12. Were any changes made to the system because of the completion of this PIA? Answer (options: Yes / No). Reviewer Notes:

General Comments:

OPDIV Senior Official for Privacy Signature: Beverly E. Walker -S (Digitally signed by Beverly E. Walker -S, Date: 2024.03.12 20:31:36 -04'00')
HHS Senior Agency Official for Privacy:
File Type: application/pdf
File Modified: 2024-03-12
File Created: 2013-03-29